Date written: June 28, 2022
As virtual reality (VR), augmented reality (AR), and artificial intelligence (AI) advance to establish the Metaverse, many privacy issues are surfacing. This blog post explores some major privacy compliance issues presented within the Metaverse and suggests privacy-preserving solutions for Metaverse products and services that are being developed.
The Metaverse refers to the convergence of digital and physical spaces, allowing virtual experiences to be incorporated seamlessly into real life. This includes hardware components, such as headsets, phones, and tablets, and software such as AR, VR, AI, and virtual avatars. With the arrival of more advanced hardware, the organizations developing for and entering the Metaverse will collect many different types of data in huge volumes. In addition to location data and the other personal information typically collected from users, this hardware collects eye movements, gait patterns, heart rate, and other physio-behavioral information.
Biometric Data in the Metaverse
First, the collection and retention of data within the Metaverse must comply with biometric laws. For example, the CPRA’s proposed definition of biometric information includes much of the information collected by headsets, such as eye movements and gait patterns, increasing the legal risk for companies collecting this data. Other laws that apply specifically to biometric information, such as Texas’s Capture or Use of Biometric Information Act and Illinois’s Biometric Information Privacy Act, impose strict requirements for the collection of biometric data.
Companies collecting biometric information should do three things. First, create biometric privacy policies that provide notice of biometric collection and the purpose of the collection; providing this notice is a major component of biometric laws. Second, obtain affirmative consent from users to use such information. This not only satisfies regulatory requirements but also increases customer confidence and trust. Finally, implement reasonable security practices for the retention of biometric information to safeguard customer information and mitigate the risk of data breaches.
Data of Minors in the Metaverse
Data collectors in the Metaverse should take caution when collecting information on children. For example, the Children’s Online Privacy Protection Act (COPPA) heightens protections for data on children under the age of 13. The FTC signaled this year, in a settlement with Weight Watchers, that it takes COPPA violations seriously, imposing a $1.5 million fine and requiring the company to delete personal information illegally collected from children under 13 and to destroy any algorithms derived from that data. If a company is ordered to destroy algorithms built on wrongfully obtained children's data, that could affect the company's product line, revenue, and customer base.
Companies collecting information about minors should include in their Privacy Notice clear and comprehensive descriptions of how the data of minors is used. Using straightforward language that is easy to understand is key both to compliance and to assuring parents that their children’s data will be safe. Additionally, companies must notify parents of their information practices before obtaining data from children under 13 and must obtain verifiable parental consent to the use of such data. There are many methods by which parental consent can be obtained, such as verification questions or an online payment system. Parents also have the right to revoke their consent to the use of data and to have their children’s data deleted. If you process data of children under 13, maintaining data subject request processes specific to this type of access, revocation, and deletion will prove helpful.
Other Ways to Mitigate Privacy Risks
In addition to the specific concerns above, organizations developing for the Metaverse should be proactive about privacy compliance. First, they should prioritize privacy-by-design principles from the earliest stages of development, both to increase customer confidence and to stay current with privacy laws and regulations. Privacy-by-design principles focus on creating algorithms and data flows that default to data minimization, privacy protection, and user control over data flows.
Second, companies should implement and continuously improve their data retention policies. Regulators are signaling that data minimization will be a significant component of coming privacy regulations. For example, the proposed American Data Privacy and Protection Act specifically includes a provision that states companies “shall not collect, process, or transfer” data unless the collection is “limited to what is reasonably necessary and proportionate” to provide products or services or deliver communication that is “reasonably anticipated” by the user. Organizations should consider what types of information are reasonably necessary (and what types are not) for providing their products and services to their customers.
Third, companies should be transparent about their data collection practices. Many unfair or deceptive business practice suits have focused on the lack of transparency of data usage between a service provider and customers. Taking steps to educate users about their privacy choices—for example, by creating an in-game privacy tutorial—and making information on data collection, retention, and sharing easily accessible and understandable will demonstrate a commitment to privacy compliance.