Data privacy in the metaverse
Similar to the 2D internet, the immersive 3D internet will involve the processing of large amounts of personal data. But as the metaverse will largely be accessible via virtual reality headsets (including cameras and microphones to capture users’ facial expressions and voices) and hand controllers, the amount of data collected and processed related to a user’s body movements will go beyond what is currently collected by companies.
Organizations collecting personal data in the metaverse will need to adapt their privacy practices to meet the unique challenges presented by this environment. Some of the key privacy considerations related to the metaverse include:
Transparency
In an embodied internet where users seamlessly travel between spaces, companies must carefully consider through what methods they will inform users of data being collected and for what purposes. Providing clear and thorough disclosures to users will be of paramount importance, especially in the earlier stages of the metaverse when users are less familiar with the technology. Augmented and virtual reality will offer a variety of new user interfaces which will allow organizations to think creatively about how best to educate users.
New types of data
In the metaverse, companies will be able to collect far more data than today, including body movements, heartbeat, eye gaze, voice and facial expressions, with new degrees of precision. Users will likely have many questions about how this data is used and whether it is shared with third parties or used for profiling or personalization of certain services or features. Companies will need to carefully consider the extent to which they need to collect, use and share this data and ensure that their practices meet users’ expectations. Depending on the purposes for which it is used, this data may also qualify as biometric or health data. Biometric and health data are typically treated as “sensitive” under privacy laws and generally require explicit user consent, or another specific legal basis, before collection.
Interoperability
Interoperability will be a crucial element of the metaverse – in order for it to work, different companies’ experiences must work together. For example, people should be able to travel from space to space with their avatars and any other digital items. Companies will need to work together to achieve this; yet, working with other companies increases risk as other experiences and platforms may have security vulnerabilities that compromise users’ personal data.
“Companies will need to make important decisions around what personal data they will collect and for what purposes.”
Data minimization
A core tenet of privacy law requires organizations to collect only as much personal data as is relevant and necessary to achieve a specific purpose. Organizations should also retain data only for as long as is necessary to achieve that purpose. Because of the large amounts of personal data that will be available for collection in the metaverse, companies may need to implement additional technical measures and policies to ensure they adhere closely to this principle.
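One concrete form such a technical measure can take is a purpose-bound filter that strips and coarsens headset telemetry on the device, before anything is stored or shared: each declared purpose lists exactly which fields it needs, at what precision and for how long, and fields that could be biometric or health data are refused unless the user has consented to that specific purpose. The Python below is an added illustration, not code from the original page or from any headset vendor's SDK; the field names, purposes, precisions, retention periods and the sample frame are assumptions chosen for the demo.

```python
"""Purpose-bound minimization of VR headset telemetry (illustrative example).

Field names, purposes and retention periods are assumptions for this demo,
not any vendor's API or any legal standard.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Set

# Fields that may be classed as biometric or health data under privacy law.
# They are only released to a purpose the user has explicitly consented to.
SENSITIVE_FIELDS = {"gaze_dir", "pupil_mm", "heart_rate_bpm", "voice_pcm"}


@dataclass(frozen=True)
class Purpose:
    name: str
    fields: Dict[str, Optional[int]]   # field -> decimal places kept (None = as-is)
    retention: timedelta


# Assumed purpose catalogue: each purpose declares what it needs and for how long.
PURPOSES = {
    # Avatar movement in a shared space: coarse pose only, kept for the session.
    "social_presence": Purpose(
        "social_presence",
        {"user_id": None, "head_pos": 2, "head_rot": 1,
         "left_hand_pos": 2, "right_hand_pos": 2},
        timedelta(hours=1),
    ),
    # Opt-in wellness feature: needs heart rate (rounded), never gaze or voice.
    "wellness_insights": Purpose(
        "wellness_insights",
        {"user_id": None, "heart_rate_bpm": 0},
        timedelta(days=30),
    ),
}


@dataclass
class MinimizedRecord:
    purpose: str
    collected_at: datetime
    data: Dict[str, Any]
    dropped: List[str] = field(default_factory=list)

    def expired(self, now: datetime) -> bool:
        """Retention check: the record must be deleted once its purpose's period ends."""
        return now >= self.collected_at + PURPOSES[self.purpose].retention


def _reduce(value: Any, places: Optional[int]) -> Any:
    """Round a float, or a tuple of floats, to the precision the purpose declared."""
    if places is None:
        return value
    if isinstance(value, (list, tuple)):
        return tuple(round(v, places) for v in value)
    return round(value, places)


def requires_consent(purpose_name: str) -> bool:
    """True if the purpose needs any field that may be biometric or health data."""
    return bool(SENSITIVE_FIELDS & PURPOSES[purpose_name].fields.keys())


def minimize(frame: Dict[str, Any], purpose_name: str, consents: Set[str],
             now: datetime) -> MinimizedRecord:
    """Keep only the fields the purpose needs, at the precision it needs.

    Sensitive fields are refused unless the user consented to this purpose;
    every field the purpose did not declare is dropped and reported.
    """
    wanted = PURPOSES[purpose_name].fields
    if requires_consent(purpose_name) and purpose_name not in consents:
        raise PermissionError(
            f"{purpose_name} needs sensitive fields but has no consent from the user")
    kept = {k: _reduce(frame[k], wanted[k]) for k in wanted if k in frame}
    dropped = sorted(k for k in frame if k not in wanted)
    return MinimizedRecord(purpose_name, now, kept, dropped)


# Constructed raw frame, as a headset SDK might report it many times per second.
RAW_FRAME = {
    "user_id": "u-123",
    "head_pos": (1.23456, 1.71234, -0.48765),
    "head_rot": (0.01234, 12.34567, -3.45678),
    "left_hand_pos": (0.91234, 1.10987, -0.22345),
    "right_hand_pos": (1.51234, 1.15432, -0.20123),
    "gaze_dir": (0.12345, -0.05432, 0.99012),
    "pupil_mm": 4.137,
    "heart_rate_bpm": 72.4,
    "voice_pcm": b"\x00\x01\x02\x03",
}
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    rec = minimize(RAW_FRAME, "social_presence", consents=set(), now=DEMO_NOW)
    print(rec.data)      # coarse pose and id only
    print(rec.dropped)   # gaze, pupil, heart rate and voice never leave the device
```

The design point is that the purpose catalogue, not the application code, decides what is collected; adding a new feature means declaring a new purpose with its own field list, precision and retention, which is also the artifact a privacy reviewer can read against the disclosures given to users.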
Children’s data
Organizations directing their metaverse offerings towards children will need to comply with applicable privacy laws governing the collection of data from children. In the United States, the federal Children’s Online Privacy Protection Act (COPPA) requires operators of commercial websites and online services to obtain verifiable parental consent before collecting personal information from children under 13. In the EU, the GDPR requires parental consent for processing the personal data of a child under 16 where information society services are offered directly to a child; member states may lower that age to no less than 13, and additional local data protection requirements may also apply. Organizations will therefore need to design their products so that parental consent is obtained before a child enters a new metaverse world. In addition, companies will need to carefully consider how to ensure children’s safety in the metaverse.
Cross-border data processing
The metaverse involves users from all over the world. Companies will therefore need to comply with various privacy regimes and prepare global privacy policies which provide adequate information to users from every jurisdiction. Companies also need to draft data sharing agreements and schemes related to cross-border data transfers and data sharing with other companies providing services in the metaverse.
Impact assessment
Since vast amounts of sensitive data, together with information about users’ movements, location, preferences and habits, will be collected in the metaverse, companies will likely be required to undertake an impact assessment under applicable law, including a data protection impact assessment (DPIA) under the GDPR, in which they assess the impact of their processing operations on the protection of personal data. Additional local laws, restrictions and requirements (e.g. data localization requirements) may also need to be taken into account when using or sharing certain types of information.
As the metaverse continues to develop and grow, companies in this space will need to make important decisions around what personal data they will collect and for what purposes. Companies will also need to ensure they are providing users with sufficient notice and choice around the collection and use of their data.
Key legal risks / issues
- risk of inability to provide clear, adequate disclosures due to fluid or seamless nature of metaverse
- risk of consumer complaints and regulatory inquiries related to lack of transparency
- risk of identity theft and misidentification, including the creation of fake identities and deepfake materials
- uncertainty around sensitive and/or biometric data classification of avatar-generated data (e.g., body movements and eye gaze)
- inability to effectively minimize data collection due to volume of data generated by avatar movements
- providing adequate control to users around the use of their data including the ability to bring their data with them into different virtual worlds
- creating a standard legal framework that will support interoperability efforts between companies (e.g., drafting contract terms, including data privacy provisions, defining the relationship between interoperable worlds, data transfer schemes)
- assessing the effects of different data processing operations in the metaverse on users to prevent misuse, discrimination or negative user experience
- amending existing agreements and negotiating future agreements with data processors to account for metaverse challenges including potential collection of sensitive data
- uncertainty regarding current data privacy laws applicability to data collection and use in the metaverse
Questions to consider
- how will companies effectively present notices/disclosures to users in their metaverse offerings?
- how will companies design user interfaces to collect informed consents from users?
- what are the risks vs. the benefits of directing metaverse offerings to children?
- what choices will be offered to users regarding the use of their data? E.g., will users be able to opt-out of tracking or profiling enabled by collection of their data in the metaverse?
- what technical measures will organizations implement to ensure they only collect the data necessary to carry out stated purposes?
- how will companies guarantee multijurisdictional compliance for collecting and using data in the metaverse with regard to different data protection regulations that may apply at the residence of the user?
- how will companies assess the impact of their data processing operations in the metaverse on users?
Contact
Marie McGinley