Twitter has changed what happens when users opt out of the “Allow additional information sharing with business partners” setting in the “Personalization and Data” part of its site.
The privacy setting in question. For most users, the box is checked by default.
The changes affect two types of data sharing that Twitter does:
- Conversion tracking for ads on Twitter. When an advertiser runs an ad for a mobile app on Twitter, Twitter collects information about who views, interacts with, and clicks on the ad. If a user who saw the ad proceeds to download and open the app, Twitter will notify the advertiser that the user’s device completed a conversion.
- Twitter’s use of third-party analytics libraries. Like most of the web, Twitter shares device identifiers and cookies with Facebook and Google so that it can measure the effectiveness of its own ad campaigns on those platforms.
For people protected by GDPR, type-1 data sharing remains opt-in, and type 2—Twitter sharing their data with Google and Facebook—never happens at all.
Why Did This Happen?
To understand what’s going on, we need to look at another piece of Twitter news from last year.
On August 5, 2019, Twitter announced that it had identified and fixed a couple of bugs. As it turned out, some of its privacy settings were... not setting things correctly. Specifically, the opt-outs for device-level targeting and conversion tracking—the same conversion tracking described above—did not actually opt users out. Twitter explained at the time:
Source: “An issue with your settings choices related to ads on Twitter,” at https://help.twitter.com/en/ads-settings
Twitter fixed both bugs, and its privacy settings began working the way they were supposed to.
The next event happened months later, when Twitter announced its quarterly earnings. Apparently, advertisers had really appreciated the data they weren’t supposed to be getting. Once Twitter shut off the hose of non-consensual device information, advertisers were unhappy. And Twitter announced a substantial hit to its revenue after fixing the bugs.
That leads us to today. Twitter apparently was happy to let users opt out as long as ad spending continued to grow. But last year, the privacy bugs and subsequent fixes seem to have shown Twitter exactly how much privacy options were costing it. Now, Twitter has removed the ability to opt out of conversion tracking altogether.
Laws MatterToday, users in Europe maintain the same agency and control over their personal data that they’ve always had. They get to decide whether advertisers can use Twitter’s ad tools to tie actions on Twitter to device identifiers. Everyone else has lost that right. The reason is simple: European users are protected by GDPR. Users in the United States and everywhere else, who don’t have the protection of a comprehensive privacy law, are only protected by companies’ self-interest. All too often, Twitter, Google, and Facebook will give users only as much control as they think they need to in order to stave off regulation and competitors, but no more. When push comes to shove, they’ll protect their bottom line.
“By stating that it does ‘not control the use of these tracking technologies’, and by asking users to read the privacy policies of any third-party companies that may receive personal data, Grindr is attempting to shift accountability for the advertising technologies that it is using away from itself,” the report concluded.
This is why it shouldn’t be up to tech companies to give us privacy. We need strong data privacy laws that protect users’ rights to privacy, access, and control. And we need to change a system that tempts companies to sell out their users for a few points of growth.