The metaverse refers to digital platforms characterised by virtual or augmented reality, decentralisation, A.I. and blockchain-based applications (sometimes also identified as ‘Web 3.0’). User activity - often effected through avatars - has the potential to generate massive amounts of data, much of which could be (highly) personal.

This raises significant questions regarding the privacy of such data and the ethics surrounding its use. We are already grappling with such challenges in today’s ‘Web 2.0’ and this will only intensify in the metaverse. Businesses need to understand how existing data regulation might apply to this new environment. Meanwhile, policymakers need to consider both adapting the existing guardrails to the metaverse and introducing new controls where necessary to deal with its increased data collection and usage possibilities.

Extensive and invasive data collection

Companies in today’s digital economy already heavily rely on personal data to gather insights on their users’ preferences and to better target their audience, including for advertising and direct marketing. Commentators are expecting the frontier technologies used to access the metaverse to have the potential to create millions of additional data points, thereby massively expanding the opportunities to collect data in relation to users’ activities. For example, Credit Suisse estimates that “even with modest metaverse assumptions data usage could easily expand more than twenty times during this decade” and, given the highly personalised experienced touted by the metaverse, a large part this data will be personal data.

The metaverse is also likely to make new and particularly invasive types of personal data available for processing. Such data has the potential to provide deep – and potentially intimate – insights into users’ behaviour. Access to the metaverse may indeed happen through some form of VR/AR headsets combined with wearable technologies (e.g. hand-held controllers) capable of registering physiological parameters, such as heartbeats, breathing rates and eye-movements. 

The information provided by such tech about an individual’s reaction when looking at a product or a person could be used to deduct his/her interests, and could even constitute “sensitive” data regarding sexual orientation, political convictions or religious beliefs under the applicable data protection regime.

Potential for abuse

The majority of the online tracking which goes on in today’s Web 2.0 is used for targeted advertising, Indeed AdTech (blanket term covering all software and services used to deliver and target digital advertisements) has been described as the “backbone” of the $438 billion internet advertising industry and is key to the business models of many platforms, particularly search engines and social media companies.

The concern in the metaverse is that participants could seek to target even more intrusively by using the wider pool of available personal data. Imagine a virtual visit to Time Square or Piccadilly Circus where the ads displayed are specifically tailored to the specific user, or where the metaverse detects when a user is losing interest and proposes new activities to keep that user connected.

Another concern relates to how, in the virtual world, the line between authentic and automatically generated content is easily blurred. It will not necessarily be obvious to a user whether he/she is interacting with a human or an A.I. powered bot, which could try to use their data in a highly personalised way to e.g. influence their purchasing decisions.

The law in the metaverse

It is important to remember that, exactly as with today's internet, the metaverse will not operate in a legal vacuum and that existing rules will apply. The question is rather whether existing ‘real world’ or even digital specific rules will be adapted to the specificities of the metaverse and, if not, what amendments or new rules will be required to address the novel challenges it raises.

Whilst the EU is already turning its regulatory eye to these issues and plans to “thrive in the metaverse”, there will still be questions to answer regarding existing and proposed new data regulation:

The GDPR - For example, when applying the GDPR in the metaverse, a first challenge will be to identify the ‘controller’, i.e. the person which determines the purposes (why) and the means (how) of the personal data use, and has primary responsibility for GDPR compliance. This identification is sometimes already difficult at present and the case law on that is still evolving, but the metaverse will add another layer of complexity to this exercise. The potential for joint controllership is high as personal data will likely be processed by a multi-party chain, e.g. the headset manufacturer, the metaverse platform operator and the other companies with which users interact in the metaverse.

How the responsible actors can comply with their GDPR obligations in the metaverse will raise other complex questions:

  • Purpose limitation/ data minimisation: Under the purpose limitation and data minimisation principles, controllers must limit their data processing to what is necessary to achieve their purposes, but what will those purposes be and what will be “necessary”?

  • Privacy: How can actors in the metaverse comply with their obligations of privacy by design/default in an environment where so much data can be collected?

  • Transparency: How will transparency be provided to users in relation to the data collected and the purposes for which it will be used, and what types of control will they be provided with?

  • Access and portability: How far will the right of access and portability of personal data stretch, in particular to enable interoperability between different virtual worlds in the metaverse?

New EU data regulations - The EU has taken the global lead in developing data related regulation for the digital economy. As the metaverse is a more virtual and immersive evolution of the digital economy, these regulations will undoubtedly be relevant. However, exactly how they will apply in the metaverse is still to be determined. By way of example:

  • Data Governance Act: The DGA envisages the creation of so-called ‘data intermediaries’, acting as an exchange through which personal data can be made more readily available. However, we do not know yet what role such intermediaries could play in the context of the metaverse or what types of data could be made available for reuse through them.

  • Data Act: The proposed DA envisages that owners of connected devices could order data holders to disclose their data to third-party data recipients, enabling secondary uses of data generated by such devices. However, it remains unclear which parts of the metaverse hardware could fall under the Data Act, as well as when and under which conditions metaverse platform operators would be required to make the data they hold available.

Digital regulation at the crossroads

Whilst the metaverse promises great opportunities as the next evolution of the internet, the huge volume of personal data it can generate will also need proper management in order to earn and maintain consumer trust.

Regulators will have an important task in fostering the responsible collection and use of data in this context. The proper handling of data in the metaverse will be key to engagement in this new digital economy, and could even determine the ultimate success of the metaverse itself.

Read the rest of the series:

#1: Why should we care about the metaverse? Because it is the next iteration of the internet 
#2: Working in the metaverse – emerging employment issues
#3: Looking at metaverse(s) with antitrust (3D) glasses
#4: IP in the Metaverse – expanding the reach of intangible rights
#5: Payments in the metaverse – what could metaverse money look like and how might it work? 
#7: DAOs – decentralisation, collaboration and risk management in the metaverse