When It Comes to Data Privacy, Does the Metaverse Have Legs?

VR has potential — but without privacy protections, brands are running before they can walk

In his new role as metaverse hype-man, Meta CEO Mark Zuckerberg breathlessly showed off a pair of animated legs at his company’s Connect conference this fall. “Seriously, legs are hard,” Zuck’s avatar told virtual onlookers. Even more remarkable than Zuckerberg’s animated appendages, though, was what the Meta CEO didn’t say — because so far, he has barely said a word about data privacy in the metaverse.

That’s surprising, because it’s currently estimated that a quarter of the world’s population will use VR for at least one hour per day by 2026. Already, brands are venturing into VR. Nike has replicated its brand headquarters in the metaverse; Gucci lets shoppers deck out their avatars in high-end clothes, then strut around art installations; and Chipotle fans can strap on a headset and roll themselves a virtual burrito at a lovingly simulated restaurant. (The best part? Zero calories.)

By the end of the decade, virtual technologies could drive $5 trillion in economic value, including $2.6 trillion in ecommerce sales and $206 billion in digital ad spend. But realizing that enormous potential won’t depend on Mark Zuckerberg’s ability to have his avatar join a virtual chorus line. It’ll come down to his ability to convince brands, regulators, and — above all — consumers that it’s possible to manage data responsibly in the metaverse.

Marketing Technology News: MarTech Interview with Liviu Tanase, CEO at ZeroBounce

Digital identity

What makes the metaverse different from any other aspect of our digital existence? Well, as Meta’s “legs” announcement shows, our experience of the metaverse is fundamentally tied up in our self-presentation and our ability to project our digital identity in a simulated 3D space.

It might be true that on the internet, nobody knows you’re a dog. But the metaverse is seen not just as a place to consume content, but as a social space for meetings, hang-outs, collaborative games, and more. In the metaverse, it matters who you are — and that will significantly impact how our data is processed and used as we move through the VR world.

In the metaverse, our names, faces, voices — and yes, even our leg movements — will be fused into a far richer digital identity signal than we currently project online. Managing those signals responsibly — even as we leverage “digital twins” of customers to simulate their responses and anticipate their needs — will bring challenges for both platform orchestrators like Meta, and the brands hoping to meet their customers in a virtual world.

Biometrics

The better VR gets, the more it will depend on capturing biometric data in order to create virtualized representations of users. This goes beyond tracking arm or leg movements: already, Meta’s latest VR headset, the Quest Pro, includes eye and facial movement trackers allowing avatars to mirror users’ emotions, plus a slew of external cameras to track body language.

That’s an incredible new data source. Facebook has already toyed with the idea of tracking mouse cursors to improve online ads, and some startups use eye tracking to ensure users pay attention to the ads they’re shown. Now imagine you’ve got always-on eye tracking clamped to your face, recording exactly what you pay attention to and the emotional responses it conjures up. Then imagine what the next generation of VR devices will track, from heart rates to geolocation, to elevate these capabilities still further.

Inevitably, brands that venture into VR will want to exploit that data. But clearly, too, this is a whole new world when it comes to data privacy. If companies ignore that fact, or try to get users to sign away biometric privacy rights using cookies and banner-style notifications, the entire experiment will blow up in their face.

Getting buy-in

Clearly, regulators will need to frame rules to address data privacy in the metaverse, or to map existing rulebooks onto virtual spaces. But equally clearly, regulators won’t be able to keep up with this fast-changing, still-nascent world. There will be a lag between the (virtual) reality of the metaverse, and the regulatory frameworks and enforcement mechanisms needed to protect users.

In the face of that, companies have two options. They can treat the metaverse as the Wild West, and do whatever they want until the lawmen catch up with them. Or they can be proactive about privacy and build out reliable and transparent privacy mechanisms before the regulators come knocking. For a case study in how things can go badly, one need only look at the FTC’s recent $520M settlement against Epic Games, maker of Fortnite. The FTC alleged Epic Games committed numerous privacy violations against kids and teens, who also happen to be highly active metaverse users. In their defense, Epic Games argued that privacy laws have failed to keep pace with fast-moving and nascent industries, “statutes written decades ago don’t specify how gaming ecosystems should operate. The laws have not changed, but their application has evolved and long-standing industry practices are no longer enough.” Going forward, brands that design privacy-compliance into their metaverse environments will come out on top as taking a roll the dice or wait and see approach proves to be the risker alternative.

Taking a proactive, privacy-first approach isn’t just about anticipating regulatory requirements. It’s about giving consumers what they want and need, and establishing the trust needed to convince them to willingly and knowingly grant access to new kinds of data. The metaverse depends not just on brands’ ability to capture data, in other words, but on their ability to convince users to willingly share that data. That will only be possible if users are given meaningful agency over how their data is used, including the ability to amend or revoke consent, and to have their decisions instantly enforced across the entire metaverse.

Marketing Technology News: Five Questions Every AdTech Company Needs to Ask Before Sharing a Dataset

No margin for error

Precisely because the metaverse is new, there’s no margin for error when it comes to building meaningful privacy infrastructure. We’re already seeing users of Meta’s Horizon Worlds environment tuning out after a few weeks’ experimentation; add a high-profile data-privacy scandal or two to the mix, and the exodus could prove terminal.

The bigger problem, though, is that as users get used to the metaverse, they’ll become more discerning about how much of their data they’re willing to share, and with whom. Data shows that 83% of consumers are willing to share data under the right conditions — but to win their confidence, brands will need to prove they are taking privacy in the metaverse seriously.

Brands should start by considering what data they want to acquire in the metaverse, and how that data will provide value to both users and the organization. While it’s possible to collect data related to bodily movements or biometrically-informed data, brands who pursue a strategy of data quality over quantity will win in the long run – and avoid delving into “creep-factor” territory. Brands also need to develop a user-friendly metaverse privacy policy that can drive their data acquisition strategy while ensuring transparency around users’ rights to access, modify and delete personal data.

One of the most compelling features of the metaverse is enabling global users to freely interact and engage in new and interesting ways. These interactions have the potential to be fraught with data privacy complications as globally dispersed users will be covered under numerous privacy regulations, each with their own requirements. Imagine a US, UK and Brazilian citizen attending a concert in the metaverse hosted by a Chinese platform. To mitigate risk, brands need to build data privacy into the core of the experience. Modern privacy tools can ensure that the data captured comports with the individual privacy regulations tied to a specific user. Without transparency and meaningful privacy protections, metaverse users will start giving brands the cold shoulder, and denying them access to their data. Legs or no legs, there’s no coming back from that.