Twitter has temporarily suspended tools that allow marketers to match phone number lists with Twitter users after disclosing that personal information users had provided for account security purposes had been used for targeted advertising.
The lapse, which Twitter announced Tuesday night, meant advertisers uploading their marketing lists to Twitter’s Tailored Audiences tool were able to match customers with their email addresses and phone numbers, which they had shared to keep their accounts safe through methods like two-factor verification. Marketers had also been able to target those users through Twitter’s Partner Audiences tool, which allows advertisers to target their ads to audience lists provided by third parties.
Twitter said it didn’t know how many people were affected, but their information was not shared outside the platform. Twitter said it had conducted a one-time removal of all affected users on Sept. 17 to wipe that information from its targeting tools. Users who want to find out whether they were affected can submit a request to Twitter’s data protection office.
The disclosure prompted some deja vu in the industry, as it isn’t the first time customers have had personal information used for marketing after they had provided it for another purpose. Last year, Facebook admitted to using contact information provided for two-factor verification to target ads after Gizmodo reported on the practice.
Thomas Pasquet, the co-founder and CEO of ad-tech company Ogury, said Twitter’s apology was “absolutely necessary,” but he thinks the company didn’t go far enough.
“Retroactive transparency, and the promise to do better in the future, is not enough to build consumer trust,” Pasquet said. “Consumers need to understand exactly how Twitter will avoid it happening again in the future. We encourage Twitter, and the entire industry, to provide full clarity to consumers; outlining what consumer data they are using in their advertising solutions, and how they obtain consent to collect and use this data.”
The misstep could prompt regulatory inquiries. Celine Guillou, legal counsel at the Silicon Valley law firm Hopkins & Carley, said the use of data for purposes other than what was described to customers could prompt an inquiry under Europe’s General Data Protection Regulation, which requires companies to limit the data they collect for specific purposes.
“If you collect data for one purpose and then use it for another, then you have to notify the customer,” Guillou said.
In the U.S., the Federal Trade Commission has in place Section 5, which prohibits practices including “false and misleading statements” from companies. That could also come into play, according to Guillou, although whether the FTC will take action is unclear. (An FTC spokesperson declined to comment.) However, earlier this year, the FTC fined Facebook a record $5 billion for violating a 2012 consent decree related to the company’s handling of user privacy.
Looking ahead, the looming implementation of the California Consumer Privacy Act, which goes into effect Jan. 1, 2020, could spell more serious consequences for tech companies that collect data for one purpose and use it for another.
“While it hasn’t come into effect just yet, I think things like this are starting to make people realize the kinds of liability that lie ahead,” Guillou said.