Twitter greeted its users with a confusing notification this week. “The control you have over what information Twitter shares with its business partners has changed,” it said. The changes will “help Twitter continue operating as a free service,” it assured. But at what cost?

What Changed?

Twitter has changed what happens when users opt out of the “Allow additional information sharing with business partners” setting in the “Personalization and Data” part of its site.

The privacy setting in question. For most users, the box is checked by default.

The changes affect two types of data sharing that Twitter does:

Conversion tracking for ads on Twitter. When an advertiser runs an ad for a mobile app on Twitter, Twitter collects information about who views, interacts with, and clicks on the ad. If a user who saw the ad proceeds to download and open the app, Twitter will notify the advertiser that the user’s device completed a conversion . Twitter’s use of third-party analytics libraries. Like most of the web, Twitter shares device identifiers and cookies with Facebook and Google so that it can measure the effectiveness of its own ad campaigns on those platforms.

These changes affect users differently depending on whether they are subject to GDPR. Previously, anyone in the world could opt out of Twitter’s conversion tracking (type 1), and people in GDPR-compliant regions had to opt in. Now, people outside of Europe have lost that option. Instead, users in the U.S. and most of the rest of the world can only opt out of Twitter sharing data with Google and Facebook (type 2). It’s unclear whether the “share data with business partners” setting previously affected type 2 sharing, or whether Twitter sharing this kind of data with Google and Facebook is a new phenomenon.

For people protected by GDPR, type-1 data sharing remains opt-in, and type 2—Twitter sharing their data with Google and Facebook—never happens at all.

Why Did This Happen?

To understand what’s going on, we need to look at another piece of Twitter news from last year.

On August 5, 2019, Twitter announced that it had identified and fixed a couple of bugs. As it turned out, some of its privacy settings were... not setting things correctly. Specifically, the opt-outs for device-level targeting and conversion tracking—the same conversion tracking described above—did not actually opt users out. Twitter explained at the time:

Source: “An issue with your settings choices related to ads on Twitter,” at https://help.twitter.com/en/ads-settings

Twitter fixed both bugs, and its privacy settings began working the way they were supposed to.

The next event happened months later, when Twitter announced its quarterly earnings. Apparently, advertisers had really appreciated the data they weren’t supposed to be getting. Once Twitter shut off the hose of non-consensual device information, advertisers were unhappy. And Twitter announced a substantial hit to its revenue after fixing the bugs.

That leads us to today. Twitter apparently was happy to let users opt out as long as ad spending continued to grow. But last year, the privacy bugs and subsequent fixes seem to have shown Twitter exactly how much privacy options were costing it. Now, Twitter has removed the ability to opt out of conversion tracking altogether.

Laws Matter

Today, users in Europe maintain the same agency and control over their personal data that they’ve always had. They get to decide whether advertisers can use Twitter’s ad tools to tie actions on Twitter to device identifiers. Everyone else has lost that right.

The reason is simple: European users are protected by GDPR. Users in the United States and everywhere else, who don’t have the protection of a comprehensive privacy law, are only protected by companies’ self-interest. All too often, Twitter, Google, and Facebook will give users only as much control as they think they need to in order to stave off regulation and competitors, but no more. When push comes to shove, they’ll protect their bottom line.

This is why it shouldn’t be up to tech companies to give us privacy. We need strong data privacy laws that protect users’ rights to privacy, access, and control. And we need to change a system that tempts companies to sell out their users for a few points of growth.