Twitter Accused of Data Violation in Ad 'Mix Up'

John Lister's picture

Twitter has apologized for using customer security contact details for advertising purposes. Its underwhelming announcement has gone down badly with privacy groups and could have legal consequences.

The blunder involved Twitter's advertising services, specifically tools called "Tailored Audiences" and "Partner Audiences."

It works like this: advertisers upload their own marketing lists of email addresses and phone numbers to Twitter, along with an ad. Twitter then compares the marketing list to its own database of customers. It then shows the ad only to people who appear on both lists.

The idea is that the advertisers can create an ad that appeals specifically to people they've already dealt with. That's a valuable proposition to advertisers as they know there's already a level of interest among viewers.

Contacts Lists Mixed Up

The problem is that Twitter says it "may" have screwed up. Instead of comparing the advertiser list to its own list of customer account details, it seems to have compared the data with its two-factor authentication and security databases.

Both databases are used in case users forget their password. For example, they can get a reset link sent by email or text message. They can also set their account to require a security code when they log in from a new location, with the code sent by text or email.

Using these databases would certainly net a much larger audience, considering the sheer number of users using Twitter.

Twitter says it can't be certain how many people were affected by the mix-up, but says it didn't pass on the contact details to any advertisers. It also says the problem causing the mistake was fixed by September 17, 2019. The incident has also raised serious questions about why it took so long after the mix-up to go public.

Consent Breach Could Be Costly

The company could be in legal hot water because of privacy and data consent laws around the world. Users who provide an email address or phone number for their Twitter account must also agree to the address being used for advertising, per its terms and conditions. That said, there's also a user setting that lets them opt out of the advertising.

In contrast, when a user provides an email address or phone number for security and two-factor authentication, they are only giving consent for it to be used for those security purposes.

Breaching similar consent has previously earned Facebook a $5 billion fine from the Federal Trade Commission (FTC). Twitter could now face action both from the FTC and from European data regulators.

What's Your Opinion?

Do you believe this was a genuine mistake? Should companies be clearer about how they use contact details? Is this a fuss over nothing or should Twitter face penalties?
