Today’s privacy and data protection laws were built for physical filing cabinets and then updated for the Internet. Applying them to tomorrow’s metaverse, an alternate digital real-time existence offering a persistent, live, synchronous, and interoperable experience, could well prove to be a stretch too far.
The following sections describe some of the ways in which current privacy and data protection laws could potentially be applied to, or end up becoming obsolete in, the metaverse.
Determining who is responsible and which laws apply to the metaverse will be challenging
The metaverse will connect the person to their “avatar” (or other digital representation(s)). Therefore, regulators around the world would likely consider information collected about a metaverse user’s activities to be personal data, subject to existing privacy and data protection laws.
As those who have practiced privacy and data protection law know, the cross-section of applicable laws, especially in the United States, is a constant challenge. Regulation of a digital interaction may involve the engagement of privacy rules in some countries based on physical location of the organization or the individual; the type of organization or individual (say, a health care organization or a child); the type of data collected (say, race or sexual orientation); and the purpose for collecting the data (for example, marketing or profiling). Applying this cross-section of laws is unwieldy even in a relatively static environment like the Internet. It is unclear how organizations could navigate legal compliance in a persistent, live, synchronous, interoperable digital environment. Organizations operating within the “one-stop-shop” privacy rules of the EU General Data Protection Regulation (GDPR) may fare better here, but this raises another issue – which privacy rules of which country apply in the metaverse? Does it still make sense to have privacy laws such as the California Consumer Privacy Act (CCPA), which focuses on Californian residents? And won’t the metaverse make it even harder for organizations outside of the UK and Europe to know when they are targeting products or services to, or monitoring, those in the UK and Europe, and are therefore caught by the GDPR?
Further, who will be held responsible for privacy in the metaverse? We don’t know what (if anything) will own or control some or all of it. Possibly, it will operate with single-organization ecosystems (similar to today’s social media platforms), centrally operated platforms hosting different organizations offering their goods and services; alternatively, it will be characterized by interacting access points and multiple controllers. If governments hold organizations responsible for others’ activities in the metaverse, it is difficult to envision organizations building anything but a collection of proverbial “walled gardens” that will not fulfill the promise of the metaverse.
Operationalizing transparency and control in the metaverse could stretch notice and consent models to their limit
Most privacy laws around the world have as a central component the principle that individuals should know how their personal data is being used, by whom, and for what purposes. The last few years have seen an acceleration in such requirements with an ever-growing list of details that organizations need to tell their customers. With complex technical use cases for data on the rise, this can lead to a situation in which individuals are confronted with pages and pages of privacy notices seeking to explain how their data is used and are thereby put off even attempting to read them in the first place. Imagine trying to write a privacy notice for the metaverse – let alone then keeping it up to date!
Then imagine that one’s journey through the metaverse isn’t just an engagement with one organization and controller but more akin to a trip to a mall with the possibility to seamlessly move from one store to another with advertising and offers from others along the way. How can privacy laws obsessed with transparency, tracking, and controls be operationalized in such a world? With cookie pop-up mechanisms already the bane of many an Internet surfer’s life, will users be confronted with pop-ups and clickwraps before their eyes at every turn? At what point do visibility, consent, and choice over data use become unworkable and no longer in the interests of those they serve to protect?
- Privacy and data protection laws designed for bygone days are probably ill-suited for tomorrow’s metaverse
- The metaverse could stretch notice and consent models to their limit
- Determining which individual rights apply will be a difficult undertaking