X changes its privacy policy: it can now collect your biometric data

X changes its privacy policy: it can now collect your biometric data

The platform that aims to be the “app for everything”, X, has updated its privacy policy to collect, store and manage biometric information, as well as the employment details and academic history of its users. The changes in the new policy, which came into force on 29 September 2023, seek support for user consent.

The well-known old Twitter has just updated its privacy policy, with which it will be able to collect biometric information about the user, as well as their employment record or educational history. These three categories have been broken down in the text that constitutes the new privacy policy, which is integrated into its website.

X’s new privacy policy

Already in the English version of the document, X can take biometric information “based on consent” from the user, to use it for security and identification-related purposes. Specifically, the update on X’s privacy page states that “Based on your consent, we may collect and use your biometric information for security, safety and identification purposes”.

The Elon Musk-owned social network does not specify the type of biometric information it expects to collect, nor does it even define what is considered biometric. Nor does it explain how it will collect this data, which typically involves fingerprint scans, parameters about your physical traits, such as face, fingerprint, or iris patterns. For its part, X says it will use this data to improve the platform’s security and add a facial recognition system to its paying members.

When it comes to the use of this information, there are some suspicions. Steve Moser, a well-known app developer, revealed that X plans to implement support for fingerprint-based passkeys, facial recognition, and device PINs to log in to its service.

X’s privacy policy update also explains that by agreeing to the terms of use, users give the social network the power to “collect their work history, educational history, work preferences, skills and abilities, and job search activity”.

How Data Protection is affected

As pointed out by the Spanish Data Protection Agency (AEPD), biometric data processing techniques are based on collecting and processing physical, behavioural, physiological or neuronal traits of individuals by means of devices or sensors, creating signatures or patterns that enable the identification, tracking or profiling of individuals.

In accordance with the provisions of article 9.1 of the GDPR, it is understood that biometric information is sensitive data, and consequently, must be treated as such; this does not mean that it cannot be collected or processed, but rather that a series of requirements must be met in order to do so.

In the framework of a processing operation, any of the various biometric techniques involved have to be assessed according to their appropriateness, proportionality and necessity, their purpose, their impact on the rights and freedoms of natural persons and the risks they entail, both for the individual and for society.

Last month, Twitter’s successor entity was already involved in a class action lawsuit for violating the Illinois Biometric Information Privacy Act by failing to adequately inform users.

More than 10 months after the purchase of Twitter, the entrepreneur’s intentions are beginning to take shape, although it is far from materialising. The change in its privacy policy is a slight step towards the application that Musk wants to create.

However, it will have to ensure clear and meticulous compliance with the rules and regain the trust of users and advertisers who have abandoned Twitter since the blue bird disappeared.

At Letslaw by RSM, we have Data Protection lawyers who will help you with any advice that you may need. Do not hesitate to contact us.