Twitter said in a blog post that several privacy settings "may not have worked as intended" since 2018. By that it means technical failures led it to collect information--some of which it shared with its advertising partners--that its users explicitly told it not to via their settings.
The first setting related to information gathered when Twitter users interact with ads in the service's mobile app. The company said in its blog post that "if you clicked or viewed an advertisement for a mobile application and subsequently interacted with the mobile application since May 2018," it may have shared data with its "trusted" measurement or ad partners "even if you didn't give us permission to do so."
That data included the user's "country code, if you engaged with the ad and when," plus "information about the ad" and more. It's collected to give Twitter more information about a "conversion event" that basically lets advertisers know their ads have proven effective. Twitter's reliance on advertising revenues makes proof of effectiveness important; companies aren't going to pay for ads nobody clicks.
The company said it also "may have shown you ads based on inferences we made about the devices you use, even if you did not give us permission to do so" as part of a process introduced in September 2018. This process was supposed to make the ads Twitter shows on its own platform, as well as other services, more relevant to their viewers. (Which, again, is meant to appease the ad companies it serves.)
Twitter said this information wasn't shared with other companies--which is a plus--and didn't include things like account credentials. More details about the inferences Twitter makes about its users can be found on the company's website. Those inferences are mostly supposed to make sure Twitter serves the same (or at least similar) advertisements to its users even if they switch between devices or browsers.
Companies that rely on ads often want to have their cake and eat it too. They introduce new tools for collecting more information that can be used to serve increasingly relevant ads but don't want people concerned about their privacy to abandon their services. So they allow users to opt out via their account settings. This is supposed to give people at least a modicum of control over their data.
But this disclosure shows that relying on settings to safeguard information requires faith in the company offering these services. Faith that privacy-related settings are working properly, faith that companies honor those settings and faith that those settings will remain available if a company struggles. There's no indication Twitter was acting in bad faith, but users might still question if their own faith was misplaced.
Twitter said that it fixed both of these problems on August 5. It said it's "still conducting our investigation to determine who may have been impacted," so it can't notify affected users or even guess how many people were affected, but it assured its users that "if we discover more information that is useful we will share it." That's a pretty big "if" when it comes to something as critical as privacy settings.