From Facebook's recent decision to rename itself "Meta" to Epic Games' billion-dollar investment in metaverse technologies, the metaverse has dominated the news and will likely continue to do so over the next several years. To date, there is no universally accepted definition for the term "metaverse" and, for many, it suggests a new but undeveloped future of the internet. According to J.P. Morgan, the metaverse is a seamless convergence of our physical and digital lives, creating a unified, virtual community where we can work, play, relax, transact and socialize. That said, most conceptualizations of the metaverse include the use of virtual reality, augmented reality and avatars connected by a massive network. 

Another key feature is that there is actually not one virtual world but many worlds which are taking shape to enable people to deepen and extend social interactions digitally. This is done by adding an immersive, three-dimensional layer to the web, creating more authentic and natural experiences.

As a result, a likely feature of the metaverse will be interoperability. An interoperable metaverse would allow users to transport their avatars and other data, including digital assets, between metaverse applications, regardless of whether those metaverses are under common ownership or operation. Retention of a user's metaverse identity and ownership over their digital assets could be accomplished, among other ways, through blockchain technologies.  

As with any innovative technological development, the metaverse will raise novel and complex legal issues related to intellectual property rights, digital security, privacy and identity — and self-sovereignty.      

How does the metaverse affect data privacy?

Consumers typically participate in the metaverse by using one or more avatars or virtual life identities. The question arises whether virtual life activities and identities can be traced back to real individuals. Most systems allow users to create avatars without providing their personal information when creating their avatars' profile data. 

That doesn't mean users are anonymous. Metaverse platform owners know which account and user created the avatar, so the avatar is not anonymous to them. However, avatars can, at best, be pseudonymous. And the avatar's in-metaverse actions and statements will be attributed to the avatar, which weakens any protection pseudonymization offers for two reasons: First, the avatar itself develops a sub-identity, which identifies the avatar in-metaverse. Second, the sub-identity will likely leak information about the real-world identity through behavioral or knowledge-based clues. 

This sort of sub-identity offers benefits as well as anonymity costs. For instance, in a metaverse virtual meeting room, an avatar's metaverse identity might require verification for entry. Of course, that's exactly why this information is personal data.

Another issue is whether the avatar has its privacy or is just a pseudonymous, animated version of the individual behind it. Provided that privacy rights can be attributed to avatars, the follow-up question must be taken into consideration whether they or their "owners" have in-game, or, less likely, real-world, rights and remedies against other avatars or their related users/individuals for the violation of their rights. 

Which privacy rules apply?  

Users' personal data will be at particular risk of exploitation given the vulnerabilities involved when data is ported from one metaverse to another, e.g. data breaches, scams, etc. Platform operators and owners will need extensive agreements to govern data transfers, information security standards, and responsibility for compliance (as well as data breaches, which could cause even more chaos than they do today). Further, the metaverse typically includes virtual advertising, i.e., if brands use NFTs and virtual items to directly promote their products and services to metaverse users. 

Chances are that brands will employ avatar-based influencers, participate in sponsored events, or engage in other metaverse activities. All of these activities can create opportunities to collect personal data of metaverse users for advertising or communication purposes. There will be a desire to implement strict and transparent privacy standards to protect consumers' rights capitalizing on metaverse offers. 

Metaverse as a melting pot of various privacy regimes

The metaverse cannot be limited to one or a few data privacy regimes since it has a global reach and offers its features to users irrespective of where they are located. In many cases, multiple privacy regimes will apply to the same data and even the same individual. For example, the EU General Data Protection Regulation allows for any business located anywhere in the world to fall under its terms if a business offers goods or services in the European Union or monitors the behavior of EU citizens, even though it has no physical presence in Europe (Article 3 Sec. 2 GDPR). 

European users of a metaverse operated by a U.S. company may thus exercise their rights under the GDPR. In the metaverse, that EU data subject may be in a virtual nightclub with a Japanese citizen and a California resident. Physically, all can still be in their homes, each subject to a different privacy regime. Privacy law has not quite caught up to state and international boundaries yet, and it's years away from reaching a consensus on the choice of privacy law in the metaverse. 

This is likely to generate complex conflicts between the requirements of the regulations from differing jurisdictions, i.e., data breach notification requirements. Therefore, it's tempting to include a "privacy law selection clause" in terms of service of the particular metaverse. 

There's probably no penalty for including such a clause, but privacy laws tend to grant little validity to this approach. For example, the California Consumer Protection Act applies to natural persons who are California residents, as defined in Section 17014 of Title 18 of the California Code of Regulations. That's how the statute defines consumer, and that's who is protected. There is no provision that allows consumers to opt-out of coverage and no way for others to opt-in. Instead, Section 1798.192 says attempts to waive CCPA rights are against public policy and declares them "void and unenforceable."  

Whether this kind of language is included in terms of service or not, it's not a surefire success. At least, forum selection and dispute resolution clauses provide some certainty about where any litigation will be resolved and who will resolve it. Other clauses may provide guidance as to which law applies to interpreting the metaverse ToS. None of these approaches is likely to work if a regulator seeks to carry out an investigation. This kind of clause isn't universally enforced worldwide, so one may still face litigation in several forums.

It will be crucial for companies to understand which privacy rules will apply to what parties and to which data. 

Enforcing data subject rights in the metaverse

Irrespective of which data protection rules apply, the question arises against whom the individuals may exercise their rights. That is not apparent since the metaverse is a virtual world, and the operators typically acting as controllers will often not be inclined to disclose their identity voluntarily and comply with any data subject right requests. They may hide them behind email aliases or other proxies. This challenge can be magnified if another user has invaded a user's privacy — here pseudonymity is a cost instead of a benefit, an advertiser or other commercial entity. 

Data subject rights

Diverging rights and obligations depend on which privacy regime comes into play. Under the GDPR, the controller must disclose the information mentioned in Article 13(1), e.g. the identity and contact details of the controller, purposes of the processing, the legal basis for the processing, and the recipients of the personal data. Further, the individual can request access to all data collected (Article 15), its rectification (Article 16) or erasure (Article 17) under certain circumstances. 

Whenever an individual is consuming services or, for instance, buying NFTs in a metaverse, their data is collected and stored. For example, a business offering goods and services should consider it can be the addressee of various data subject right requests it has to comply with. If a well-known international brand has established a virtual store in a metaverse operated in the U.S. and the user is domiciled in Europe, the GDPR will apply pursuant to Article 3(2), and any non-compliance could spark major fines or lawsuits. Many other global privacy laws may apply based on similar factors. 

While the specific legal requirements may differ, most modern privacy laws require providing disclosure at collection (types of data, some kinds of processing activities like "sale" of data or "sharing") and many also distinguish between "ordinary" data and "sensitive" data.

As noted above, determining all of the potential privacy law requirements applicable to metaverse users will be complex, and while there are many similarities, as they say, the devil is in the details. For example, applicable privacy laws will likely include different triggers for breach notice and notification requirements, definitions of data types and categories, and variations of access rights. 

There will be no "right" way to comply. Most disclosure requirements require them to be clear, conspicuous and understandable, which will be difficult if they are as lengthy as the credits at the end of a modern console game. In addition to the usual disclosures, which will likely expand given the new types and higher volume of data involved, one may need a disclosure to explain who should read each part of each disclosure. 

Data privacy by design and default and privacy impact assessment

Failing to consider data privacy is a common potential legal pitfall when designing new technologies. Virtual or augmented reality interfaces allow for online collection and use of extensive sets of personal data, including sensitive data. Further, public blockchains can record personal data immutably to a distributed ledger accessible to virtually anyone with an internet connection. Creators of virtual worlds who leverage these technologies should design their services from the outset in ways that address applicable data privacy, security and government access laws. They may be able to track and record a user's behaviors, actions and communications in a virtual environment, and they may have legitimate reasons to do so such as to protect against objectionable content and conduct.

But how can a metaverse creator devise systems to avoid privacy violations? How can the creator ensure that it can respond to users who exercise their rights under applicable privacy laws to obtain copies of their personal data, port that data to an alternative metaverse, or delete the user's data from the virtual world? What notice and consent mechanisms should the creator implement to ensure that users understand and can control how their personal data is being processed in a metaverse? What assistance can and must the creator provide to law enforcement authorities which request or order it to produce personal data relevant to an investigation? All these issues must be considered and ironed out from the outset. 

Article 25 EU GDPR

Adherence to the principles of data protection by design and default, which are codified under Article 25 of the GDPR and ISO 27701, entails asking questions and proactively designing features to protect users' privacy rights, and, by default, only processing personal data that is necessary to fulfil the purposes of the service being offered. More specifically, Article 25 requires controllers to establish appropriate technical and organizational measures from the outset to implement data protection principles and safeguard the rights of data subjects. 

As a result, the metaverse creator must implement measures that ensure that only the data necessary to meet the purpose of the data processing operation is collected and processed. The creator must ensure the data is optimally protected through state-of-the-art encryption, particularly by using blockchain technology.

Data privacy by design from the US perspective 

The U.S. has been slower to require privacy by design explicitly, but recent laws include risk assessment requirements, and it remains to be seen how closely these risk assessments resemble Data Protection by Design. That said, enforcers such as regulatory authorities, are likely to consider whether a business's Software Development Life Cycle includes privacy by design in their enforcement decisions. Not following a privacy by design approach leaves a business blind to any possible privacy issues and increases the risk of litigation and regulatory interferences.  

Expectations of privacy and security in the metaverse

Privacy, of course, is not just about data protection. There are also potential risks relating to harassment and other cases related to intrusion upon seclusion. The conflict between the rules of the real world and those of the metaverse will need to be addressed. Do the ToS and privacy features co-extend with the reasonable expectation of privacy? 

While virtual realities have always been prone to fraud, chances are that online fraud will increase dramatically with many more metaverses being set up. Cybercriminals will continue to exploit vulnerabilities in new technologies such as blockchain technology and the metaverse. They may find new opportunities for identity theft or creating synthetic identities and "deepfakes." Metaverse designers will face challenges in protecting individuals against these new modalities of identity exploitation. For some time, the metaverse will likely need virtual bouncers and virtual cops — seen or unseen. 

Security in the metaverse

Data security is the most important thing in the data ocean embedded in the metaverse. Risks associated with data security may materialize, particularly when transmitting personal data from one metaverse to another. Personal data is exposed to risk and transactional details of items. e.g. NFTs purchased in the metaverse. 

It is worth noting regulators are aware of the metaverse and the related security issues. Some regulators are concerned about the illegal financial activities conducted in the name of developing the metaverse. On Feb. 20, 2022, the China Banking and Insurance Regulatory Commission issued a statement regarding such risks. The statement warned against the risks of illegal fundraising and fraud in the guise of metaverse investment projects, metaverse/blockchain games, and speculation in virtual real estate and virtual currencies.  

Data portability and interoperability 

Under Article 20(1) of the GDPR, data subjects have the right to receive personal data concerning them in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. Accordingly, metaverse operators are required to allow portability and interoperability of data gathered in the metaverse. This should enable users to switch between platforms, likely leading to a loss of value between operators as interoperability erodes the value of processed data. Portability is a major risk since a huge amount of data will be transferred in the metaverse.

Identifying the accountable parties

It is crucial to determine who is responsible for data security, how data breach incidents may be prevented, and what happens in the event of such an incident.

The responsibilities of data controllers and data processors vary from one jurisdiction to another. However, in general, the concept of "data controller" is defined as a person, company, or other body that determines the purpose and means of personal data processing. In the metaverse, who is responsible depends on whether the metaverse is decentralized or centralized. There may be one main administrator acting in a centralized metaverse to process all personal data and determine how it will be processed. Or there may be multiple entities (decentralized metaverse), that process personal data through a metaverse.

When a user buys goods or services in a store in a metaverse and provides digital personal data, the store may also be considered a data controller that implements measures appropriate to the security risk. 

Conclusion 

Since the metaverse embodies a virtual world akin to the real world, the application of data privacy policy is taking on new dimensions and raising novel questions. 

The security of data in the metaverse is a significant concern. Users may see increased cyber risks correlated to increased exposure in the metaverse. However, that is certainly not an argument to challenge the evolution of the metaverse. Even blockchain tech is relatively new, and there are countless new stories of people losing money through compromises in the components of blockchain ecosystems. That issue has never been a "showstopper" for blockchain users to capitalize on that new technology. The same will apply to the metaverse.