by TaylorAlexander 1407 days ago
Someone I know had been working for Twitter and they said they were blown away at the lack of internal protections built into the system. I guess it could be a goldmine of data for spies.
4 comments

Not to defend the incompetent jerks who run Twitter or anything, but only a complete idiot would have ever trusted them with private or damaging information (including metadata such as locations). Twitter never made any reliable, verifiable guarantees about security or internal controls.
What I have found, as a technical person, is that things like metadata which are obvious to me may be unknown to most regular people. A person can be very smart and yet not know about how computers work, or how Silicon Valley works.
It's not a matter of Twitter giving guarantees about optional data. This is PII, which has to be protected legally.

Internal controls at a company of the size of Twitter are no longer optional. You don't have to intend malice to be guilty of negligence.

Equifax never gave guarantees of security and data safety either, but it's understood that they should be responsible.

Wrong. Under US federal law, Twitter has no legal obligation to protect PII. Internal controls for user data are optional.

https://pro.bloomberglaw.com/brief/data-privacy-laws-in-the-...

To be clear, I am not thrilled with this situation. But even if social networks were legally required to protect PII they would still suffer occasional breaches by advanced persistent threats and state intelligence agencies. Don't post anything important on social media. Just pictures of family vacations and such.

While you may be correct about criminal law, I'm certain this would impact their SOX compliance (https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act) and would put their ability to participate and operate in US securities markets in serious jeopardy.
Wrong again. That law only covers financial controls. It doesn't address user data.
SOX compliance has expanded in recent years to cover a gamut of cybersecurity process and policy. Go look it up. I recently compiled all the documentation necessary for a client I am serving in order to pass. It includes handling of PII, access controls for code repositories and production environments, and tools for ensuring code quality like performing static analysis and mitigating DDoS attacks, such as a decent WAF.
Has an SOX compliance case regarding personal information ever been tried in court?
I don't know. I'm a techie assisting with audit, not finance/legal.
Wrong and small minded.

Twitter is an international company with international users, and the law protects the users of that country/legislation.

Under GDPR, and other international laws, PII is legally protected.

Even if you're an American company, you can't disregard laws of other countries if they're going to be using your product.

> it could be a goldmine of data for spies.

Wait until you hear about cell site location data...

Applies to pretty much all social media and B2C platforms.
And political activists