Elon Musk’s X, formerly known as Twitter, has announced a new policy which allows it to collect biometric data from users. The move has led experts to question whether it will comply with data protection laws, as regulators continue to scrutinise the platform’s data collection processes.

The new policy reads: “Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes.”

The update comes just months after the social media platform was alleged to have illegally captured biometric data from Illinois residents without consent. 

Biometric data, as defined by most companies, covers data captured from a user’s eyes, fingerprint and face. X has not specified what it deems biometric data, nor how it plans to use it.

However, after the policy announcement, the social media platform unveiled that users will soon be able to make video and audio calls on the site without a phone number.

Musk’s social media platform also announced it would be collecting information on users’ job and education history. According to X, this will help the platform recommend potential jobs to users and share their skills with potential employers. 

Tracy Pez, data protection consultant at Data Protection People, believes that X’s updated policy to collect biometric and employment data will not comply with the UK’s General Data Protection Regulation (GDPR).

“I assume that while X is branching out in every direction to attempt to increase usage and profits it is perhaps aiming to be the next LinkedIn by aiming to process this information,” Pez told Verdict.

“Time will tell, but unless there is a clear purpose for collecting this data, processing will not comply with the data minimisation principle of the UK GDPR,” Pez said.

Pez believes that the claim in X’s privacy policy that states users are consenting to the collection of their information by just using its services is not GDPR compliant.

“This is not valid consent under the UK GDPR as the users are not given a genuine choice of control over how their data is used,” Pez told Verdict.

Javvad Malik, lead security awareness advocate at KnowBe4, believes that X collecting this amount of data “raises concerns from a privacy and security standpoint.”

“Storing such personal and sensitive information comes with great responsibility and increases the potential impact should any security incident occur,” Malik told Verdict.

“Given the potential risks and the principle of privacy and data minimisation, X’s approach doesn’t seem like a well-advised decision,” he added.

The move comes as regulators across the world continue to criticise social media platforms for the amount of data they collect on their users.

“Social media platforms do tend to store a lot of user data, and there’s rightly been increasing scrutiny since this creates more risks for users if their data is breached,” Jessica Figueras, member of International Cyber Expo’s Advisory Council and chief executive at Pionen, told Verdict.

She added: “In the case of X, I would be particularly concerned about its overall levels of cybersecurity capability given significant staff cutbacks in its technical teams, and the reported instability in cybersecurity leadership.”