As reported by The Verge, Twitter started sending emails to the holders of accounts who had not signed in for six months or more.
Fortunately (for some), Twitter is limiting this to EU accounts at the moment:
This impacts accounts in the EU only, for now. We’ve always had an inactive account policy but we haven’t enforced it consistently. We’re starting with the EU in part due to local privacy regulations (eg, GDPR). — Twitter Support (@TwitterSupport) November 27, 2019
However, the "EU only" policy does raise the question of "what determines that an account is an EU account?" Naturally, if someone puts an EU address in the Location field of their profile, then that is probably a good indicator, but what if that field is empty, which is not uncommon?
Is "EU only" determined by the top-level domain of the email address used by the account holder? Many international corporate email addresses use a global TLD, like .com, so that's not necessarily a good indicator. On top of that, Twitter's "one Twitter account per email address" policy means that many users often use third-party email services like Gmail. Some employees actually use their personal email while others use one created just for that Twitter account. The lucky ones have a more general email address and use Gmail's alias feature so one Gmail account can support multiple Twitter accounts: e.g. myco_twitter+brand1@gmail.com, myco_twitter+brand2@gmail.com, etc.
There are other possible ways to determine if an account may be an "EU only" account. For example, all of the logins might come from IPs known to reside in the EU, but this also has its drawbacks. The gist is we don't know exactly how Twitter is making this "EU only" determination, and if you're a global company, this action is likely to affect you.
Regardless of how Twitter determines if an account is EU only, there is a more fundamental problem that is going to create headaches for a lot of companies out there. The answers to the following questions will determine how much of a headache this may be for you and your enterprise:
- Has anyone in your organization registered and "parked" Twitter accounts to protect your brand? e.g. derogatory names, misspellings, alternate spellings, deceptive names, syntactical variations, or even (sub)brands where marketing is done through some parent brand or umbrella name?
- Do you know who registered each Twitter account and who currently has access to the credentials for those accounts? This is especially important for those brand-protection accounts, which are most likely not connected to a social media publishing platform.
- Do you know which email address is currently associated with each Twitter account and if anyone is actually monitoring that email account?
- If you have a central password manager for your credential-based social media accounts, are the email addresses and passwords for these accounts in that system?
It is not uncommon for an enterprise to have tens or even a hundred or more Twitter accounts for a single global brand, when one considers the number of countries to be reached and the even more numerous languages in which to communicate. Given the proliferation of email accounts used to create Twitter accounts for a large organization, this can mean your enterprise has hundreds of email addresses to monitor to ensure you don't have an account that is targeted for deletion.
Considering that many Twitter accounts have been around for years, you now need to factor in employee turnover. It is very likely that the person who created (and knows) the email account associated with a Twitter account, especially a brand-protection account, is no longer with the company.
It is for social media governance issues like the ones outlined here that we created the Brandle Presence Manager. Using this SaaS platform, an enterprise has a single source of knowledge regarding every place it is represented beyond the corporate firewall. With it, an employee can answer:
- Which points-of-presence (POPs) do we have on a particular platform, e.g. Twitter accounts?
- To which division, region, brand, etc. does it belong?
- Who is associated with each point-of-presence and what is that person's role?
- Are the credentials stored in a password manager, e.g. CyberArk?
- Is the account linked to a publishing platform, e.g. Khoros Marketing?
- What email address is associated with a credential-based account, e.g. Twitter?
- Who is associated with a particular email address?
- Is that email address associated with a division, region, brand, etc.?
- When was the last attempt to contact someone at that email address and what was the result?
- What is our historical record and notes about a particular point-of-presence or contact/email?
Without the ability to answer those questions proactively, it is likely that when Twitter implements this policy, your enterprise is going to find that accounts you thought were safely protected are once again up for grabs for anyone to exploit. If you've ever tried to regain control of an account, you know that an ounce of prevention is worth a pound of cure.