Twitter and GDPR
It's a very interesting month. Everyone from the social media giants down to medium-sized online shops is emailing me - and doubtless you - either to inform you about changes due to GDPR, or to ask you to opt in in some way.
Until someone comes up with a better metaphor for what the GDPR changes actually mean, mine is:
GDPR means that individuals lend, rather than give, their data to organisations.
In my work with charities I've previously described the flow of data like a stream that runs through your organisation. Service users and clients flow through your services carrying their data with them. If you can capture it on the way, excellent. You can do good things with the data, and capturing it is as easy as dipping your hand in the stream. (Disclaimer: this whole premise is based on the assumption that the organisation isn't going to do anything immoral/dishonest/dodgy with the data. Small-to-medium charities are usually in the position of not capturing anywhere near enough data, whilst still being viewed with suspicion by some service users: "why should I give you my postcode? I just want some help with my benefits", etc.)
GDPR changes this. The data isn't like a stream any more - that is, you can't just dip your hand in and take what you want. The individuals now retain ownership of their data. They're just lending it to us for a certain amount of time, during which time we can only do what they let us do with it.
Looking at the big organisations will be illuminating because a) they don't have an excuse for not following GDPR to the letter, they've got big legal teams; and b) we might see GDPR conflict with what they really want to do with our data. Looking for conflicts will show us the GDPR pitfalls that we might encounter as organisations. (Plus, for those of us that use the services as individuals, it'll let us see what's going on with our data - which we own, don't forget. We're just lending it to them.)
Let's look at Twitter. On Twitter's mobile app you may have been seeing this screen. On the desktop version, there has been no such notification (I think).
Question: is an opt-in needed?
Here we must refer to the Guide To GDPR on the ICO website. It says:
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/)
You could argue that the "Got it" button constitutes consent, but I disagree. The changes are not outlined on the same page as the button; they're hidden behind a "learn more" link. Clicking the "learn more" link takes you to this page - only a section shown...
...but the key point is:
It also - rather limp-wristedly - says "you should read the documents in full", which to me sounds rather like "there, we've told you to read the documents; if you choose not to that's your fault".
Overall, at this point, I give Twitter a big GDPR FAIL.
That's the consent - or lack of. But what about what they're actually going to do with the data once they've got it?
"When you give us any information about yourself using any Twitter service, you authorize us to transfer, store, and use your information in the United States, Ireland, and any other country where we operate. "Services" means any Twitter product or linked third party service - Twitter, Tweetdeck, Periscope, Vine, Niche, SnappyTV, MoPub.
We collect your name, email address, phone number, a short biography, your location, your website, date of birth, a picture, the messages you Tweet, the metadata provided with Tweets (such as when you Tweeted and the client application you used to Tweet), creation time, language, country, and time zone, the lists you create, people you follow, and Tweets you Like or Retweet.
Our default is almost always to make the information you provide through the Services public for as long as you do not delete it."
Remember, they can and will cross-reference any and all of this to create a profile of you, in order to show you adverts and to enable other organisations to show you adverts. Also, here's an interesting bit hidden away at the bottom:
"Non-Personal, Aggregated, or Device-Level Information: We may share or disclose non-personal, aggregated, or device-level information such as the total number of times people engaged with a Tweet, the number of users who clicked on a particular link or voted on a poll in a Tweet (even if only one did), the characteristics of a device or its user when it is available to receive an ad, the topics that people are Tweeting about in a particular location, or aggregated or device-level reports to advertisers about users who saw or clicked on their ads. This information does not include your name, email address, phone number, or Twitter handle. We may, however, share non-personal, aggregated, or device-level information through partnerships with entities that may use data in their possession (including data you may have given them) to link your name, email address, or other personal information to the information we provide them."
So you are definitely at risk of other data processors putting together a profile of you which includes the things you tweet about. Say you've shared lots of personal information with your energy company, and hidden in the consent you've permitted a marketing arm of that company to use your data (your billing address, name and your energy consumption). That marketing arm could buy aggregated data from Twitter, disentangle your location from your Tweets, and link the two.
At this point it all gets a bit tinfoil-hat-brigade, or so it seems until something like the Ars Technica scandal comes along. If you're trying to sell avocado lattes, knowing someone's energy use profile plus their Tweets is probably useless. But if you're trying to influence the outcome of an election, it's gold.
I'm going to leave it there with Twitter; I'm aware I've probably raised as many questions as I've answered, but the only way to answer the majority of those questions is to read all the privacy notices.
However, I'll finish with this: https://twitter.com/en/privacy is actually pretty good. It has a lot of useful information grouped together, in an easy-to-read style. It contains links to places you can opt out of certain bits of data processing. For these reasons, Twitter gets a cautious GDPR thumbs-up. But you should read the page.
Until next time!