In the previous opinion piece, I discussed the glimpse of the new virtual universe known as the metaverse and what it will mean for businesses and individuals. One of the points of concern was the extensive collection of user data. There is a risk that these user data will become the primary asset of Big Tech in the race to the top, putting users’ privacy at risk.
But what exactly are the privacy implications? Before we dive deeper into that, it is important to understand the infrastructure required to build this parallel digital world.
The infrastructure behind the metaverse
In the metaverse, a user can interact with several other people at the same time. Imagine yourself face-timing the entire population of Amsterdam all at once for example. To achieve that scale, a different infrastructure [from the traditional internet] is required, which is more decentralised. Think of it as an extension of what we already know from decentralised or distributed internet infrastructure like cloud computing and distributed ledger.
With such a decentralized infrastructure, things like being teleported (virtually) to, say, the imaginary world in the movie Avatar, whilst physically staying in the same place, can suddenly become a reality.
Although the concept of the metaverse is fascinating, many people are concerned about the outcome of this new paradigm, mainly because the metaverse was coined by Meta. With Facebook’s recent infamous lawsuit concerning data privacy, the publicity around Meta has not been the most positive.
Smartphones and websites allow collect an extensive amount of personal data, yet the kind of interaction the metaverse enables would go far beyond that. As the platform evolves, it would help companies to access new types of personal data available for processing such as their physiological responses, their facial movements, gestures, and even their brain wave patterns. This enables companies to have a much deeper understanding of their customers' behaviour and thought processes.
As users will be logged in for extended periods, their behavioural patterns can be continuously monitored. Also, users will no longer require opening their smartphones to provide their personal data as the metaverse will gather their personal data in the background. As a result, user targeting in metaverse can be more specific than the existing targeting with browser data through a smartphone.
As the platform evolves, companies will also be able to access new types of personal data known as biometric data, which enables companies to have a much deeper understanding of their customers' behaviour and thought processes. So, what is this biometric data? Biometric data is the data collected through virtual reality (VR) glasses and headsets for example. These devices have the potential to gather extensive amounts of sensitive data like facial movements, body movements, physiological responses, and even brain wave patterns in some cases.
This nature of “no limits”, raises several questions about data protection responsibilities. Should this data be considered a special category under the General Data Protection Regulation (GDPR) for instance?
I believe that data regulation should be stringent worldwide considering the wide range of data collected in the metaverse. The EU is already looking at stricter GDPR measures, especially regarding user data consent for marketing purposes. The companies that build the devices like VR glasses and headsets should be transparent to their users about potential privacy issues and these issues should be voiced for each new data type that comes around.
In addition, the devices gathering biometric data should be built following data security and compliance norms. To mitigate this, the developers must use extreme caution and adhere to strict coding guidelines. Even the governments should be stricter with hefty penalties if there is any data breach. Another challenging aspect of the metaverse that needs to be addressed is that it will be populated with both humans and bots, and it might become difficult to distinguish them over time. Companies can tackle this by producing a digital label of some sort that should make users aware with whom they are interacting.
Aside from regulatory challenges around data privacy, the metaverse also raises the question of how to achieve data interoperability in practice, i.e. how to allow the seamless flow of data between different operators and platforms.
To start using metaverse, users must create an avatar to increase their digital footprint. Metaverse is not a single platform, and the users are allowed to move their avatars and digital assets across multiple platforms. To achieve this seamless user experience, data interoperability must be achieved. That is, data collected by one entity in metaverse should be able to move across platforms and operators. Yet this raises several questions such as:
- If the entire metaverse is decentralised, who manages the data shared between operators for a seamless user experience?
- Will there be a central administration body?
- How should different companies display their privacy policies to the users? Will there be a general policy?
- Who is responsible in case of a data breach or theft?
- How and when should the users' consent be collected?
In conclusion, companies must be transparent with their users and get their consent. Users should also have a freely available option of opting out and erasing their data. With the advent of the metaverse, users can, and need, to get serious about how their data is being used by tech companies.
The metaverse: the evolution of a universal digital platform, published by Norton Rose Fulbright
Data privacy and the metaverse, published by Apex Privacy
Metaverse and its data privacy issues, by Tsaaro