
By Terry McQuay, CIPP, CIPP/C

Virtual worlds research report

The Office of the Privacy Commissioner of Canada (OPC) recently released the results of research it commissioned to examine the privacy implications of virtual worlds such as Second Life. The concluding report consists of four parts:

Part I describes Linden Lab, Second Life and activities that Second Life residents pursue in-world.

Part II discusses the privacy of Canadians who register with Second Life, examining Linden Lab’s Terms of Service and Privacy Policy.

Part III examines how residents can protect their privacy in-world, how easily avatars can be traced to the identity of the person controlling the avatar and the potential for in-world surveillance.

Part IV touches on business data practices within Second Life.

What is Second Life?

Second Life is an online community where users, via their avatars, interact with other ‘residents’ and engage in real-world activities such as purchasing land, constructing buildings, and creating objects and actions for their avatars.
Although residents interact in an online, imaginary environment, Second Life retains economic and legal connections to the real world. For example, the site recognizes residents’ intellectual property rights and allows them to generate real-world income. Just like in the real world, Second Life encompasses some of a community’s less desirable attributes, such as virtual prostitution and drug use. Residents have also introduced adult content onto Second Life, prompting the creation of a Teen Second Life for those under the age of 18. Adults are prohibited from Teen Second Life and minors are not allowed on Second Life.

Real-world institutions on Second Life

The research report notes that real-world institutions such as government organizations, businesses, educational institutions, and nonprofit organizations have also established presences on Second Life. A number of Canadian organizations are among those who use Second Life to promote their real-world brands, products, services, and activities. The Université Laval has a Second Life campus where the school’s communications faculty offers tours to Second Life residents; the president and CEO of the Northern Alberta Institute of Technology uses Second Life for meetings, instruction, and student recruitment; and law firm Davis LLP opened a Second Life office for building rapport and credibility with video-game business clientele.

Second Life and Canadian law

Linden Lab’s Terms of Service state that resident data is subject only to U.S. law, and that the relationship between the user and Linden Lab will be governed in all respects by the laws of the State of California. However, the research report concludes that although Second Life creator and operator Linden Lab is located outside of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is applicable to its Canadian activities, stating that PIPEDA applies “to every organization in respect of personal information that the organization collects, uses, or discloses in the course of commercial activities.”
Further, in Lawson v. Accusearch, the Federal Court determined that PIPEDA gives the Privacy Commissioner of Canada jurisdiction to investigate complaints relating to the transborder flow of personal information (PI). In addition, Second Life is conducting a commercial activity and it collects and uses PI for commercial purposes.

The report also provides a detailed overview of how Linden Lab’s Terms of Service and Privacy Policy map to the requirements of the CSA Model Code for the Protection of Personal Information, included in PIPEDA Schedule 1.

Application of PIPEDA Schedule 1 principles

Principle 4.1: Accountability
Linden Lab provides contact information for their legal department in the form of e-mail and mailing addresses.

Principle 4.2: Identifying purposes
Linden Lab states in its Privacy Policy that it collects PI and usage statistics to maintain a high-quality customer experience and deliver superior customer service. The Terms of Service state that PI is used to operate and improve Second Life and to learn what the user likes. “Personal information” is defined by Linden Lab to mean “any information that may be used to identify an individual, including, but not limited to, a first and last name, home or other physical address, an e-mail address, phone number, or other contact information, whether at work or at home.”

Principle 4.3: Consent

By clicking “I agree” to the Terms of Service at the time of registration, the user agrees to its conditions. The Privacy Policy states that the use of the Linden Lab Web sites and/or any Linden Lab products or services signifies the user’s assent to the Privacy Policy. Users outside of the U.S. are also made aware that PI may be stored and processed in the U.S. or any other country in which Linden Lab maintains facilities, and by using these Web sites, the user consents to such information transfer.

Principle 4.4: Limiting collection of personal information
Signing up to Second Life requires new users to input their birthday, real first and last names, gender, country and a valid e-mail address. This information provides the user a “Basic” account. Those wanting to participate in Second Life’s economy must obtain a “Premium” account, for which they must provide a valid credit card and address.
To access adult content, users are required to prove that they are at least 18 years old and must provide their name, date of birth, and address. American residents are asked to provide the last four digits of their Social Security number. Non-U.S. residents may be required to provide other documents depending on their country of residency, such as a passport, driver’s license, or national ID number.

The report assumes that Linden Lab collects users’ IP addresses. Linden Lab does not consider IP addresses to be personally identifiable, but the federal privacy commissioner has determined that an IP address can constitute personal information under PIPEDA if it can be associated with an identifiable individual.

Principle 4.5: Limiting use, disclosure, and retention of personal information
The Terms of Service lists situations in which Linden Lab will disclose PI, such as fulfilling a user’s service request, or for customer support, billing, and credit-verification services. The Terms of Service also authorize Linden Lab to disclose any information about users to private entities, law enforcement agencies, or government officials when the company feels it is “necessary or appropriate to investigate or resolve possible problems or inquiries, or as otherwise required by law.”

Principle 4.6: Accuracy of personal information
In its Privacy Policy, Linden Lab states that users will have the ability to update the personal data provided to them during registration by contacting Linden Lab via e-mail. However, it does not appear that Linden Lab allows users to update the personal information that has been collected outside of the registration process.

Principle 4.7: Safeguards
In its Privacy Policy, Linden Lab claims to comply with applicable laws and industry standards when transferring, receiving, and storing consumer data. Access to users’ PI is limited to Linden Lab employees who need the information in order to provide products or services or to perform their jobs. The Terms of Service, however, state that Linden Lab does not guarantee the security of any user’s private transmissions against unauthorized or unlawful interception or access by third parties.

Principle 4.10: Challenging compliance
Linden Lab published its legal department’s e-mail address in the Terms of Service and Privacy Policy for questions and comments surrounding privacy and provided its mailing address in San Francisco.

The avatar and the person behind the avatar

Linden Lab collects certain user information, such as the extent of play, time of play, and connection location, as well as the social and economic activities users engage in. The OPC report argues that this data qualifies as “personal information” under Canadian privacy legislation. Second Life residents may feel that their online conduct is anonymous and may engage in activities on the assumption that their real-life identity would not be linked to their online identity, but Linden Lab has the ability to link both.

Business practices on Second Life

The OPC researcher notes that organizations that set up on Second Life to conduct business should comply with fair information practices if they collect PI from their employees, customers, or clients on Second Life.

The OPC report also notes that there are still many unanswered questions about privacy in online worlds such as Second Life, and that such sites will likely raise more new questions regarding the applicability of real-world law to virtual-world activities. It concludes with questions:

  • How might Canadian privacy legislation apply to Canadian businesses and organizations that choose to establish a presence on Second Life?
  • PIPEDA aside, what general data practices are recommended to protect the privacy of their clients and customers in Second Life?

For the full research results visit: www.privcom.gc.ca.

Terry McQuay, CIPP, CIPP/C, is the founder of Nymity, which offers Web-based privacy support to help organizations control their privacy risks. Learn more at www.nymity.com.


