Twitter’s new privacy policy


Twitter has a new privacy policy. It’s pretty good. Not only is it written in straightforward language, but it also makes it very clear how they’re using your data to make money.

I know most people don’t read privacy policies, so I’ve just pulled out some choice parts with a bit of commentary: 

Irrespective of which country you live in, you authorize us to transfer, store, and use your information in the United States, Ireland, and any other country where we operate. In some of these countries, the privacy and data protection laws and rules regarding when government authorities may access data may vary from those in the country where you live.

This is pretty standard stuff. Even though you’re using a service anywhere around the world, it’s still subject to the jurisdiction where the servers are. That’s why people have tried to run websites from places like Sealand.

On Twitter, your name and username are listed publicly, including on your profile page and in search results, and you can use either your real name or a pseudonym. You can create and manage multiple Twitter accounts. If you use Digits by Twitter, the contact information you provide to log in is not public. Some of our product features, such as searching and viewing public Twitter user profiles or watching a Periscope broadcast on Twitter, do not require you to create an account.

I hadn’t heard about Digits before, but it seems like it’s just the way that you do two-factor authentication on your Twitter account. They offer this as a service to other companies, which is a smart move. They’re just saying that if you use a particular phone number to do this, they won’t share this publicly. Although, I guess they would release this to the authorities. 

You may choose to provide us with additional information to help improve and personalize your experience across our Services. For example, you may choose to upload and sync your address book so that we can help you find and connect with users you know or help other users find and connect with you. We may later tailor content, such as making suggestions or showing user accounts and Tweets for you and other users, based on imported address book contacts. You can delete your imported address book contacts at any time by visiting your Contacts Dashboard in your privacy settings.

Uploading my contacts or syncing my address book isn’t something I tend to do with services, but at least you’ve got the choice with Twitter. Other companies (I’m looking at you, Path) have been found doing this automatically. Having the choice about when to upload your address book, and being able to remove it at any time, is good practice.

Twitter broadly and instantly disseminates your public information to a wide range of users, customers, and services, including search engines, developers, and publishers that integrate Twitter content into their services, and organizations such as universities, public health agencies, and market research firms that analyze the information for trends and insights. When you share information or content like photos, videos, and links via the Services, you should think carefully about what you are making public. We may use this information to make inferences, like what topics you may be interested in. Our default is almost always to make the information you provide through the Services public for as long as you do not delete it, but we generally give you settings or features, like protected Tweets, to make the information more private if you want.

Twitter is a public platform, so all of this makes sense. That’s one of the reasons I like using it instead of other social networks. You can assume that everything is public. I don’t even share anything via DM that I wouldn’t say publicly as it’s too easy to press the wrong button, etc.

We receive information when you interact with our Services, even if you have not created an account (“Log Data”). For example, when you visit our websites, sign into our Services, interact with our email notifications, use your account to authenticate to a third-party website, application, or service, or visit a third-party website, application, or service that includes a Twitter button or widget, we may receive information about you. This Log Data may include your IP address, browser type, operating system, the referring web page, pages visited, location, your mobile carrier, device information (including device and application IDs), search terms, or cookie information. We also receive Log Data when you click on, view or interact with links on our Services, including links to third-party applications, such as when you choose to install another application through Twitter. We use Log Data to make inferences, like what topics you may be interested in, and to customize the content we show you, including ads. We keep Log Data as needed for the purposes described in this Privacy Policy. We will either delete Log Data or remove any common account identifiers, such as your username, full IP address, email address, or phone number, after a maximum of 18 months, if not sooner as provided below for Widget Data.

Taken with the section below, this is the most interesting part of Twitter’s privacy policy. They’re saying that they’re building up a profile of you, but this data only lasts 18 months….

We may tailor the Services for you based on your visits to third-party websites that integrate Twitter buttons or widgets. When these websites first load our buttons or widgets for display, we receive Log Data that includes the web page you visited and a cookie that identifies your browser (“Widget Data”). After a maximum of 10 days, we start the process of deleting, de-identifying, or aggregating Widget Data, which is usually instantaneous but in some cases may take up to a week. We may use Widget Data to tailor content for you, such as suggestions for people to follow and other content you may be interested in. Tailored content is stored separately from other Widget Data such as page-visit information.

…or in the case of ‘widgets’ (i.e. when you log in via Twitter somewhere else) they’ll delete that data after 10 days. That’s pretty good, and the trade-off we’re getting for having a free service. I’d like to have the option of paying for Twitter, so that they don’t hold any of this data, to be honest.

We do not use the content you share privately in Direct Messages to serve you ads. Our Twitter Ads Policy also prohibits advertisers from targeting ads based on categories we consider sensitive, such as race, religion, politics, sex life, or health. If you prefer, you can uncheck the Promoted Content setting within your Security and Privacy Settings so that your account will not be matched to information collected by ad partners, or by us directly on those partners’ websites or apps, to tailor ads to you.

This is as expected, but worth knowing. I can’t imagine Facebook doing likewise.

We may receive information about you from third parties, such as other Twitter users, partners (including ad partners), or our corporate affiliates. For example, other users may share or disclose information about you, such as when they mention you, share a photo of you, or tag you in a photo. Your privacy settings control who can tag you in a photo. Our ad partners and affiliates may share information with us such as a browser cookie ID, mobile device ID, or cryptographic hash of a common account identifier (such as an email address), as well as demographic or interest data and content viewed or actions taken on a website or app. Our ad partners, particularly our advertisers, may enable us to collect similar information directly from their website or app by integrating our advertising technology.

This uses more complex language to say that they’re hoovering up as much data as possible to get to know us better via our data. This is still subject to the deletion policy mentioned above, I guess.

Notwithstanding anything to the contrary in this Privacy Policy, we may preserve or disclose your information if we believe that it is reasonably necessary to comply with a law, regulation, legal process, or governmental request; to protect the safety of any person; to address fraud, security or technical issues; or to protect our or our users’ rights or property. However, nothing in this Privacy Policy is intended to limit any legal defenses or objections that you may have to a third party’s, including a government’s, request to disclose your information.

Nothing to see here. They’ll hand over your data to the authorities at the drop of a hat. Given you can assume everything on Twitter is public, I don’t see this as a huge deal.

In the event that we are involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, your information may be sold or transferred as part of that transaction. This Privacy Policy will apply to your information as transferred to the new entity.

Good. There have been rumours recently about Twitter being sold to Salesforce, so stating explicitly that this policy remains in force is reassuring.

You can also permanently delete your Twitter account. If you follow the instructions here, your account will be deactivated and then deleted. When deactivated, your account, including your name, username, and public profile, is not viewable on For up to 30 days after deactivation it is still possible to restore your account if it was accidentally or wrongfully deactivated. Absent a separate arrangement between you and us to extend your deactivation period, after 30 days, we begin the process of deleting your account from our systems, which can take up to a week.

I find it hilarious that it takes ‘up to a week’ to delete a Twitter account, but hey.

Privacy Shield participants are subject to the investigatory and enforcement powers of the US Federal Trade Commission and other authorized statutory bodies. Under certain circumstances, participants may be liable for the transfer of personal information from the EU to third parties outside the EU.

I need to do more research about the Privacy Shield, but I think it replaces previous Safe Harbor agreements.

Finally, this is your regular reminder to download your Twitter archive and back it up somewhere. Happily, they provide this in a way that allows you to unzip the file and upload it to somewhere you can host it on the web. Check out my archive at!