Do Avatars Have Privacy Rights? Regulatory Uncertainty in the Metaverse

The metaverse, estimated to create a nearly $800 billion market opportunity, is poised to become one of the most disruptive technology advancements in history. Companies are clamoring to understand their role and opportunity within this new arena, but as with any disruptive technology or business model, innovation also introduces new areas of risk.

Currently, there are varying views of what the metaverse is and what it means as the next evolution of the internet. Many attempts have been made to build metaverses. Technology giants and startups alike have implemented strategies to provide the infrastructure that enables metaverses, as well as tools and products that support metaverse experiences. Likewise, consumer brands are exploring opportunities to build their presence and sell goods, services, and various digital assets within the metaverse. Exciting uses are emerging but many unknowns remain. For example, how will these new virtual worlds be connected to the physical world? That question leads to more specific risk-related considerations, particularly in a data privacy context.

Organizations building meta-verses and offering services within them have yet to establish whether the metaverse can provide a safe and secure environment, especially for children. It is unclear whether and how data privacy laws will apply to future metaverse environments, and if the technology will be able to evolve to create a single virtual universe that maintains a unifying legal framework.

These are serious questions for any organization in this space to consider. Delivering the kind of immersive experiences that the metaverse promises will require the collection and processing of personal and sensitive data. There is the possibility that illegal or illicit content may creep in. Organizations will need to establish controls to prevent, identify and control such activity and mitigate the corresponding legal, security and data protection risks.

For example, these environments rely on virtual or augmented reality technologies and artificial intelligence in order to create a truly immersive world. Yet, these technologies often utilize underlying user scoring, labeling and categorization functions that collect and store very specific information (e.g., user behavior, movements, habits and responses) about each person in the environment. Theoretically, this collection of personal and identifying information will be collected not via a form that the user fills out, but rather automatically in the background while users are interacting and transacting in the virtual space.

There is no regulatory precedent for such activities. Until regulation catches up to technological advancement, companies will be playing a guessing game. Legal and privacy teams will need to determine the extent to which privacy principles must be embedded into metaverse projects and other activities involving the use of AI to engage with users in digital environments. Questions to ask when making these decisions include:

• Based on the current regulatory landscape, how are data privacy laws expected to evolve to address the metaverse in the future?
• How will regulators and companies determine which jurisdictions and laws apply to which users?
• In an interoperable, highly connected virtual ecosystem, how will concepts of responsibility be defined? How will consent be given, recorded and revoked?
• Is data localization possible in an environment that is dispersed and distributed around the world? What implications might this have on the transfer of sensitive and personal data across borders?
• Is there a need for new laws and methods of protection to address the new categories of information (e.g., avatar identities, physical movements, health data, user behaviors) that will be created and stored as part of metaverse activities?
• What mechanisms are needed to ensure this complex scope of highly sensitive, unique data can be effectively stored, managed and protected?

Even amidst these uncertainties, there are steps companies can take to establish strong privacy standards for metaverse projects and reduce the risks associated with pursuing the many opportunities emerging in the digital sphere. The first step is to clearly define the intended business model for these projects and determine what personal data will be collected in that context — directly and via third parties.

With that baseline, legal and privacy teams can begin assessing what jurisdictions and existing regulations are likely to apply to those activities. Use cases and the organization’s technological future can then be founded on principles that limit privacy, security, and compliance risks by design, and maximize data protection. One example is the possible tokenization of sensitive data, or storage of it separate from the metaverse itself, so that it can be adequately secured and protected.

The metaverse is an exciting prospect for the future of commerce, connectivity, convenience, entertainment and more, but these virtual experiences are also likely to bring complex legal and regulatory issues in the physical world. Strong technology, organization, privacy, security and strong legal frameworks, all combined with a clear strategy, will be necessary to pursue this innovation responsibly.