October 19, 2022

Protecting Data in the Metaverse: Do Avatars Dream of Privacy?


The metaverse will bring many benefits, but it is also likely to multiply and compound privacy issues, particularly given its global nature.

With the advent of the commercial internet in the 1990s, organizations were increasingly able to track users’ clicks and searches to gather information about their preferences, interests, and purchasing habits. Mobile technology not only added precise location tracking, it also enabled the integration of smartphones into virtually every life activity, giving organizations deeper insights into users’ identities.

The metaverse will take us much further down this path, enabling the tracking of human bodies and even thoughts, particularly as users develop deep relationships with digital avatars. Whether through virtual reality (VR) or augmented reality (AR) – which together are known as extended reality (XR) – the metaverse will increase the type and volume of data that organizations collect, as well as change how they process and share it across domains and borders. This will raise a host of privacy issues that we are only just beginning to appreciate.

Types and Volume of Data

In his recent book The Metaverse: And How it Will Revolutionize Everything, Matthew Ball defines the metaverse as:

“A massively scaled and interoperable network of real-time rendered 3D virtual worlds that can be experienced synchronously and persistently by an effectively unlimited number of users with an individual sense of presence, and with continuity of data, such as identity, history, entitlements, objects, communications, and payments.”

Much of the activity that takes place in this universe depends on XR technologies that enable 3D experiences. Researchers estimate that XR applications produce one terabyte of data per hour, which is equivalent to 200,000 songs stored in a digital playlist. To convincingly render a scene, VR headsets track a dozen different types of movements at a rate of 90 times per second.[1]

Whereas online companies currently observe browsing and search histories, operators in the metaverse will track our bodies themselves. Immersive technologies monitor human physiology, including eyeball motion and point of gaze, facial expression, voice, and heart rate. They also observe a wide range of physical actions, including head and body movements, haptics, gait, and posture. And they can track emotions through expression recognition technologies and neural activity using brain-computer interfaces.

Moreover, XR environments use audio, visual, and inertial sensors to detect the position of a user or device relative to its surroundings. This often involves collecting data about non-participants, passive bystanders who happen to be within range of a system’s sensors.

Operators that track physiological, mental, and biometric data are subject to laws governing the collection, use, and sharing of sensitive data and biometrics. That includes the General Data Protection Regulation in Europe; state privacy regulations in California, Colorado, Connecticut, Utah and Virginia; and biometric privacy laws, such as Illinois’ Biometric Information Privacy Act.

When the metaverse is used in work, education, or healthcare contexts, operators collecting data of this sort will be subject to sector-specific privacy laws, such as the Family Educational Rights and Privacy Act and the Health Insurance Portability and Accountability Act.

How Data is Processed

Organizations will process data using machine learning algorithms and artificial intelligence techniques to estimate or infer the identities, emotional states, and intentions of their users, as well as predict how they may behave in the future. Moreover, AIs and bots will actively participate in games as well as social media and other communication platforms, raising challenges related to trust. Deepfakes may raise particularly thorny issues.

In recent years, several states have advanced laws on automated decision making, and policymakers in the US, EU, and China are debating the regulation of AI. Under these laws, metaverse operators and participants will be subject to new layers of rules, including standards, trust marks, certification frameworks, and auditing schemes.

How Data is Shared Across Domains and Borders

One of the defining characteristics of the metaverse – what makes it “meta” – is interoperability. To support an environment that is persistent, live, synchronous, and interoperable, organizations need standards and frameworks for data sharing across domains and platforms.

As noted, many countries already have laws on data collection, use, and sharing, especially when it comes to personal data — and many new laws are being considered. But laws in different countries may conflict. And it can be very difficult or even impossible to determine which national laws apply when people come together from different locations around the world to interact in virtual environments.

Like the Internet, the metaverse doesn’t “reside” in a specific jurisdiction. Which country’s laws take precedence, for example, when a person who is in Japan meets another person who is in Brazil to interact in a virtual café owned by a US company that uses servers located in India?

The internet, which is a relatively static environment, already raises myriad questions on jurisdiction and choice of law. The metaverse – where avatars cruise in interconnected, always-on digital spaces without physical or logical boundaries – will multiply and compound them.

Enter the Blockchain

The hype surrounding the metaverse also relates to its technological relative, the blockchain. While conceptually separate, the metaverse and blockchain intersect where property issues arise. For example, avatars may dress up in skins that are tradeable as NFTs and portable across platforms and applications through users’ digital wallets. Moreover, Web3 champions support systems for decentralized “self-sovereign identity” in the metaverse, liberated from the control of major platforms and mediated by cryptology.

The blockchain, of course, has its own privacy frictions. For starters, it is designed to maximize transparency, and actions taken on the blockchain are immutable. Anyone can see the history of every transaction that has taken place on a blockchain dating back to the chain’s launch. And individuals cannot technically enforce their right to privacy by deleting personal data stored on-chain or hiding it from public view.

The metaverse presents exciting opportunities for reinvigorating online work, commerce, and play. At the same time, organizations designing products and services in this space will need to bake in laws and standards governing sensitive data and biometrics, AI and machine learning, cross-platform data sharing, and blockchain applications. Whether through top-down government regulation or bottom-up privacy by design, the metaverse is an exciting new domain not just for gamers but also for lawyers and policymakers.

[1] Joseph Jerome and Jeremy Greenberg, “Augmented Reality + Virtual Reality: Privacy & Autonomy Considerations in Emerging, Immersive Digital Worlds” (Future of Privacy Forum, 2021).

