Data Privacy in the Metaverse: Real Questions for Unreal Worlds

What do the Pokémon Go craze of the late 2010s, an Ariana Grande concert, and Microsoft’s acquisition of a video game company all have in common? The answer is the metaverse—specifically, that they can be seen as indicia of and contributors to the recent past, buzzword present, and hazy future of the metaverse. Interest and conversation surrounding the metaverse have increased dramatically in the past year or so (understandably, as the pandemic pushed us to move numerous aspects of our lives online in unprecedented ways), entering mainstream discourse and prompting a flood of private actors to make leaps of faith that the metaverse will be the next big thing. Buying into the metaverse seems like an obvious choice for tech and gaming industry giants like Meta (previously Facebook), Apple, Roblox and Epic Games, but those who have joined them run the gamut from Louis Vuitton, Gucci, and Nike, to Tinder, Netflix, Disney, Walmart, and the Brooklyn Nets. Arent Fox just became the first law firm to buy “real property” in the metaverse, in a strategic client-oriented move after helping PricewaterhouseCoopers do the same. The list will only grow. No one wants to be left behind in what could be the next frontier for the bottom line.

Yet as with any tectonic shifts in industry and society, new legal questions are bound to arise, including the question of data protection in the metaverse, which encompasses interrelated issues like data privacy and data security. Data privacy and security have been hot and growing issues for a while now, urged along by the rise of Big Data and incidents like the Facebook-Cambridge Analytica scandal, and yielding legislation such as the European Union’s General Protection Data Regulation and equivalents elsewhere, including in the U.S. Despite the progress made, we have yet to arrive at a satisfactory legal and normative framework for data privacy and security for the technologies we have now—are we ready for the paradigm shift that the metaverse could bring?

When Facebook announced that it would change its name to Meta and that the company would be shifting its focus to the metaverse, some justifiably voiced their concerns over the privacy implications of a company with its track record of both intentional and accidental privacy violations creating a platform that could exacerbate, in scope and scale, the potential for more violations. But it’s not just Facebook (I mean, Meta); the metaverse by its very nature will open up unprecedented forms and levels of data collection. Currently, AR and VR headsets—one of the ways a user might enter the metaverse—are capable of and are capturing data such as: the user’s physical environment and movements, speech-associated facial movements, bone-borne vibrations, and airborne vibrations, in addition to the already widespread location, breathing, and heart rate measurements—all of which help construct a more detailed profile of the user than ever before, and intensify the potential costs of hacking or data leaks. And beyond this, if the metaverse does really live up to the current hype and becomes a place where people conduct various aspects of their lives, all that translates into data that may be far more personal and holistic (and valuable) than what is collected now.

My point isn’t that these forms of data collection are bad or insidious per se (they’re certainly not illegal), or that this is the first step into a dystopian era. They may even be necessary for the kinds of useful, fun, or otherwise valuable services with which they are linked (I’m sure most would appreciate a VR headset warning them not to trip over a real furry friend in their haste to save a not-as-real galaxy), or at least conducive to keeping prices down and products and services accessible. And perhaps, just as we learned to live with Alexa listening to our every word (somewhat), or Apple owning our face and finger biometrics (somewhat), or Google knowing us better than we know ourselves (somewhat), the future of privacy is something we will feel fine with adapting to. Ultimately, it’s a conversation and set of decisions that need to take place democratically (and perhaps on an international level). No matter what one’s personal feelings about the metaverse are, the future of privacy is something to keep an eye on.