The flaws mean the social media service may have inadvertently shared your data with advertising partners even if you had explicitly not granted permission to do so. To that effect, the company said it “recently” found issues where users’ choices in the service’s settings may not have been honored, resulting in certain data like “country code, if you engaged with the ad and when, information about the ad” shared with its advertising partners. This transpired only if a Twitter user clicked or viewed an ad for a mobile application and subsequently interacted with the mobile app, it said. The company acknowledged the leak has been happening at least since May 2018 — right around the time GDPR data protection regulations went into effect in the EU.
— Twitter Support (@TwitterSupport) August 6, 2019 The disclosure comes months after the microblogging site fixed a similar bug that gave away a user’s approximate location information to an unnamed Twitter partner. It also disclosed a second bug that concerns tracking users for serving relevant ads. The issue, since September 2018, may have shown you ads based on inferences drawn from the devices you use (mobile apps and browsers), regardless of your consent. The company said it fixed both the bugs on August 5, although it didn’t explicitly state how many users were affected. “We are still conducting our investigation to determine who may have been impacted and If we discover more information that is useful we will share it,” Twitter said. The situation sounds like a violation of GDPR requirements, which mandates that companies seek users’ explicit permission before tracking them or processing their personal data. Twitter admitting it went ahead and processed them anyway — if only accidentally — raises serious questions about consent. Inadvertent or not, what this amounts to is a clear breach of users’ preferences and privacy.