Civil society groups file DSA complaint against X over use of sensitive data in targeted ads
A coalition of civil society organisations has filed a formal complaint alleging that X (formerly Twitter) breached the EU’s Digital Services Act by enabling targeted advertising based on users’ sensitive personal data.
On 14 July 2025, nine civil society organisations, including European Digital Rights (EDRi), submitted a complaint against X to national Digital Services Coordinators in France, Germany, and the Netherlands. The complaint alleges that the platform violated Article 26(3) of the Digital Services Act (DSA) by enabling advertisers to target users based on sensitive personal data, such as political views, sexual orientation, religious beliefs, and health conditions — all of which are protected under the General Data Protection Regulation (GDPR).
The complaint is grounded in research by AI Forensics (AIF), which analysed X’s Ad Repository. AIF’s findings revealed that public institutions and large companies, including Shein, Total Energies, and McDonald’s, were able to run ads on the platform that targeted or excluded users based on sensitive characteristics. For example, McDonald’s was found to have excluded users interested in trade unions, antidepressants, or suicide from its ad campaigns.
In another case, Brussels Signal — a media outlet with ties to far-right European political parties — reportedly used X’s ad system to target users interested in far-right content. These findings illustrate the potential for targeted advertising to be used in ways that could distort public discourse and infringe on individual rights.
The civil society coalition is calling on Digital Services Coordinators and the European Commission to investigate the matter and ensure that X is held accountable. The groups emphasised that the DSA’s prohibition on the use of sensitive data for targeted advertising is designed to prevent such risks. They argue that platforms with the influence of X must be held to the highest standards of compliance under EU law.
This complaint follows previous DSA-related actions, including a successful case against LinkedIn, and highlights ongoing efforts by civil society to ensure stronger enforcement of digital rights protections across Europe.
