By Terry McQuay, CIPP, CIPP/C

Virtual worlds research report

The Office of the Privacy Commissioner of Canada (OPC) recently released the results of research it commissioned to examine the privacy implications of virtual worlds such as Second Life. The concluding report consists of four parts:

Part I describes Linden Lab, Second Life and activities that Second Life residents pursue in-world.

Part II discusses the privacy of Canadians who register with Second Life, examining Linden Lab’s Terms of Service and Privacy Policy.

Part III examines how residents can protect their privacy in-world, how easily avatars can be traced to the identity of the person controlling the avatar and the potential for in-world surveillance.

Part IV touches on business data practices within Second Life.

What is Second Life?

Second Life is an online community where users, via their avatars, interact with other ‘residents’ and engage in real-world activities such as purchasing land, constructing buildings, and creating objects and actions for their avatars.
Although residents interact in an online, imaginary environment, Second Life retains economic and legal connections to the real world. For example, the site recognizes residents’ intellectual property rights and allows them to generate real-world income. Just like in the real world, Second Life encompasses some of a community’s less desirable attributes, such as virtual prostitution and drug use. Residents have also introduced adult content onto Second Life, prompting the creation of a Teen Second Life for those under the age of 18. Adults are prohibited from Teen Second Life and minors are not allowed on Second Life.

Real-world institutions on Second Life

The research report notes that real-world institutions such as government organizations, businesses, educational institutions, and nonprofit organizations have also established presences on Second Life. A number of Canadian organizations are among those who use Second Life to promote their real-world brands, products, services, and activities. The Université Laval has a Second Life campus where the school’s communications faculty offers tours to Second Life residents; the president and CEO of the Northern Alberta Institute of Technology uses Second Life for meetings, instruction, and student recruitment; and law firm Davis LLP opened a Second Life office for building rapport and credibility with video-game business clientele.

Second Life and Canadian law

Linden Lab’s Terms of Service state that resident data is subject only to U.S. law, and that the relationship between the user and Linden Lab will be governed in all respects by the laws of the State of California. However, the research report concludes that although Second Life creator and operator Linden Lab is located outside of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is applicable to its Canadian activities, stating that PIPEDA applies “to every organization in respect of personal information that the organization collects, uses, or discloses in the course of commercial activities.”
Further, in Lawson v. Accusearch, the Federal Court determined that PIPEDA gives the Privacy Commissioner of Canada jurisdiction to investigate complaints relating to the transborder flow of personal information (PI). In addition, Second Life is conducting a commercial activity and it collects and uses PI for commercial purposes.

The report also provides a detailed overview of how Linden Lab’s Terms of Service and Privacy Policy map to the requirements of the CSA Model Code for the Protection of Personal Information, included in PIPEDA Schedule 1.

Application of PIPEDA Schedule 1 principles

Principle 4.1: Accountability
Linden Lab provides contact information for their legal department in the form of e-mail and mailing addresses.

Principle 4.2: Identifying purposes
Linden Lab states in its Privacy Policy that it collects PI and usage statistics to maintain a high-quality customer experience and deliver superior customer service. The Terms of Service state that PI is used to operate and improve Second Life and to learn what the user likes. “Personal information” is defined by Linden Lab to mean “any information that may be used to identify an individual, including, but not limited to, a first and last name, home or other physical address, an e-mail address, phone number, or other contact information, whether at work or at home.

Principle 4.3: Consent

By clicking “I agree” to the Terms of Service at the time of registration, the user agrees to its conditions. The Privacy Policy states that the use of the Linden Lab Web sites and/or any Linden Lab products or services signifies the user’s assent to the Privacy Policy. Users outside of the U.S. are also made aware that PI may be stored and processed in the U.S. or any other country in which Linden Lab maintains facilities, and by using these Web sites, the user consents to such information transfer.

Principle 4.4: Limiting collection of personal information
Signing up to Second Life requires new users to input their birthday, real first and last names, gender, country and a valid e-mail address. This information provides the user a “Basic” account. Those wanting to participate in Second Life’s economy must obtain a “Premium” account, for which they must provide a valid credit card and address.
To access adult content, users are required to prove that they are at least 18 years old and must provide their name, date of birth, and address. American residents are asked to provide the last four digits of their Social Security number. Non-U.S. residents may be required to provide other documents depending on their country of residency, such as a passport, driver’s license, or national ID number.

The report assumes that Linden Lab collects users’ IP addresses. Linden Lab does not consider IP addresses to be personally identifiable, but the federal privacy commissioner has determined that an IP address can constitute personal information under PIPEDA if it can be associated with an identifiable individual

Principle 4.5: Limiting use, disclosure, and retention of personal information
The Terms of Service lists situations in which Linden Lab will disclose PI, such as fulfilling a user’s service request, or for customer support, billing, and credit-verification services. The Terms of Service also authorize Linden Lab to disclose any information about users to private entities, law enforcement agencies, or government officials when the company feels it is “necessary or appropriate to investigate or resolve possible problems or inquiries, or as otherwise required by law.”

Principle 4.6: Accuracy of personal information
In its Privacy Policy, Linden Lab states that users will have the ability to update the personal data provided to them during registration by contacting Linden Lab via e-mail. However, it does not appear that Linden Lab allows users to update the personal information that has been collected outside of the registration process.

Principle 4.7: Safeguards
In its Privacy Policy, Linden Lab claims to comply with applicable laws and industry standards when transferring, receiving, and storing consumer data. Access to users’ PI is limited to Linden Lab employees who need the information in order to provide products or services or to perform their jobs. The Terms of Service, however, state that Linden Lab does not guarantee the security of any user’s private transmissions against unauthorized or unlawful interception or access by third parties.

Principle 4.10: Challenging compliance
Linden Lab published its legal department’s e-mail address in the Terms of Service and Privacy Policy for questions and comments surrounding privacy and provided its mailing address in San Francisco.

The avatar and the person behind the avatar

Linden Lab collects certain user information, such as the extent of play, time of play, and connection location, as well as the social and economic activities users engage in. The OPC report argues that this data classifies as “personal information” under Canadian privacy legislation. Second Life residents may feel that their online conduct is anonymous and may engage in activities on the assumption that their real-life identity would not be linked to their online identity, but Linden Lab has the ability to link both.

Business practices on Second Life

The OPC researcher notes that organizations that set up on Second Life to conduct business should comply with fair information practices if they collect PI from their employees, customers, or clients on Second Life.

The OPC report also notes that there are still many unanswered questions about privacy in online worlds such as Second Life, and that sites will likely raise new and more questions regarding the applicability of real-world law to virtual world activities. It concludes with questions:

  • How might Canadian privacy legislation apply to Canadian businesses and organizations that choose to establish a presence on Second Life?
  • PIPEDA aside, what general data practices are recommended to protect the privacy of their clients and customers in Second Life?

For the full research results visit:

Terry McQuay, CIPP, CIPP/C, is the founder of Nymity, which offers Web-based privacy support to help organizations control their privacy risks. Learn more at



If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is sold out! But you can still add your name to the wait list, and we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Call for Speakers open! Join the Forum in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

Call for Speakers open! This year, we're bringing P.S.R. to San Diego. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

Call for Speakers open! The Congress is your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Submit a proposal by March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»