Metaverse: The End of Privacy As We Know It?

The Metaverse aims to blur the distinction between reality and virtual worlds to create an unprecedented extended reality (XR) universe for human social interactions. A revolutionary proposal by Meta founder Mark Zuckerberg, the Metaverse consists of a network of three-dimensional virtual worlds where people can interact with others using virtual reality (VR) and augmented reality (AR) technologies to work, learn, and socialize. [1] It is undeniable that the Metaverse would require extensive personal and biometric data collection from its users, given that Metaverse users would wear AR goggles or headsets capable of detecting their eye movements, blood pressure, and other vital signs. [2] The contemporary risks of data privacy violations on the internet would be compounded in this space by interactions between human and artificial intelligence (AI) creations. [3] Without the ability to distinguish between appearance and reality, children in particular will be subject to increased risks of personal data theft. 

In the absence of regulation, valuable biometric data could be sold to third parties without the user’s knowledge or consent, in order to develop targeted advertisements. As a result, Metaverse users would inevitably be making their personal data vulnerable to exploitation. The Metaverse poses a significant threat to data privacy and raises legal questions about the collection, handling, and storage of consumers’ personal and biometric data. The Metaverse will likely necessitate revisions to the existing privacy legal framework and could significantly transform the way society views data privacy.

Under current consumer data protection laws, businesses are responsible for executing the proper usage and storage of personal data, and consumers may seek legal redress for violations of their data privacy rights. One significant precedent is District of Columbia v. Facebook, Inc. (2019), which concerns Facebook’s failure to protect consumers’ private data in the Cambridge Analytica scandal. In 2019, the Federal Trade Commission (FTC) ruled that the political consulting firm Cambridge Analytica used deceptive practices to illegally harvest and monetize data from seventy million Facebook users. [4] In May 2019, the District of Columbia Superior Court rejected Facebook’s motion to dismiss the suit, finding that 1) the federal due process clause allowed it to exercise jurisdiction over Facebook and 2) the complaint alleged statements about Facebook’s handling of personal data that could have a “tendency to mislead” consumers in violation of the District’s Consumer Protections Procedures Act (CCPA). [5] The District of Columbia v. Facebook decision was an early indication that states’ consumer protection laws could be applied to data privacy issues. [6] It is predicted that Metaverse users will be susceptible to unauthorized transfers of personal data to third parties for advertising purposes. Existing state consumer protection and privacy legislation addresses these risks, allowing consumers to request that their data not be sold, and could be used to bring legal action against Meta for privacy violations.

Providing consumers with the illusion of choice over whether to disclose their personal data is illegal, and companies like Meta are responsible for obtaining consent for their data collection practices. This issue was contested in District of Columbia v. Google, LLC (2022), where Google was sued for violating provisions of the CCPA through deceptive data collection practices and the failure to protect consumer location data. The suit claims that since 2014, Google has used deceptive practices to track the location of its users and falsely led users to believe that they had control over whether their location data could be accessed. [7] While the District’s Superior Court has not yet ruled on the Google lawsuit, prior decisions provide a strong indication for a ruling against Google. An important precedent is Brown v. Google, LLC (2021), a class-action suit brought against Google for allegedly obtaining data from Chrome users while in private browsing or “Incognito” mode without their consent. [8] Google’s motion to dismiss was denied due to its inability to prove that the users provided affirmative express consent to the collection of their data in “Incognito” mode. [9] Express consent is a legal standard that requires consent in writing, including consent conveyed via an electronic signature. [10] Since the plaintiffs in District of Columbia v. Google, LLC allege that Google utilized user location data regardless of whether they provided their affirmative express consent, the District of Columbia Superior Court will likely rule against the company for having failed to meet this clear threshold.

In a largely unprecedented dimension of privacy concerns, the AR technologies used within the Metaverse will be able to assess users’ physiological reactions and biometric information, both of which will be lucrative for developing targeted advertising. Existing litigation regarding corporate use of AI technologies reflects the gravity of this situation. For instance, ACLU v. Clearview AI (2020) is a lawsuit against facial recognition company Clearview AI that alleges violations of the Illinois Biometric Information Privacy Act (BIPA). Under BIPA, companies must inform consumers of what data is being collected and of the purpose and length of time for which the data will be stored, and must obtain their written consent for data collection. [11] The ACLU states that Clearview AI used face recognition technology to capture faceprints (facial biometric identifiers) without individuals’ knowledge or consent. [12] The suit pertains to Clearview’s use of “covert and remote surveillance” to collect information that could be disclosed or sold to third parties. [13]

While BIPA has been applied to fingerprints and facial recognition, it has not yet been used against a violation of eye tracking or retinal scanning, issues that will be relevant in the Metaverse. The ruling in Rosenbach v. Six Flags (2019) established that someone who wishes to take legal action under BIPA does not need to prove actual injury or harm beyond a procedural violation. [14] If bringing legal action under BIPA, Metaverse users need only meet a relatively low legal threshold of proving that their data privacy has been violated.

As an XR universe designed to blur the lines between truth and fiction, the Metaverse will necessitate extensive data collection by various methods. It is evident that Metaverse users will face constant risks to their personal and biometric data privacy. Limited legal protections against these data security threats would vary depending on state laws, leaving a vast majority of Americans vulnerable to privacy risks. Therefore, it is not a far-fetched assumption that existing privacy laws will become obsolete if the Metaverse comes to fruition, and that this development would pave the way for new federal privacy legislation. [15] 

A potential federal privacy law should ensure that Meta, and other corporations that operate in the Metaverse, obtain consent for data collection. The Google lawsuits, which center around deceptive practices to obtain user data, carry significant implications for the Metaverse. In Matera v. Google Inc. (2016), the U.S. District Court for the Northern District of California established that the burden to prove consent rests on “the party seeking the benefit of the exception.” [16] As per the ruling in In Re Google, Inc. (2019), actual consent can be explicit or implied, but must entail disclosures that “explicitly notify” users of the relevant practices. [17] These decisions support the need for legislation to establish that Meta itself is responsible for obtaining consumers’ actual consent for these practices. It is imperative that privacy laws are updated to ensure that Meta provides users with full transparency of its data collection and monetization practices.

The Metaverse would not only be populated with human-controlled avatars, but also with AI creations that serve to enhance user experience. AI technologies found in the Metaverse, which could range from body movement sensors to interactive AI digital humans, would increase a user’s susceptibility to data breaches. Recent FTC orders have addressed the delicate balance between the use of AI technologies and consumer data protection. In the Matter of Everalbum, Inc. (2021) illustrates proper enforcement and a possible remedy for privacy violations involving AI technologies. The FTC brought legal action against Everalbum, Inc. for allegedly deceiving users about their ability to control its facial recognition feature and demanded that the illegally obtained data be deleted. [18] Future regulations of the Metaverse should hold Meta legally responsible for informing users and obtaining their consent for potential interactions with AI, especially where their personal or biometric data would be collected.

Metaverse users, who will interact via digital three-dimensional avatars to connect with others, also face the possibility of personal data theft by other users. This anonymity will pose challenges in providing data to trusted parties, with children especially at risk for personal data exploitation. A robust policy concerning the personal data of minors is demonstrated by the California Privacy Rights Act (CPRA), which states that minors under sixteen years old must explicitly opt in for a business to sell or share their data. [19] Potential amendments to privacy laws to regulate the Metaverse should address the collection and handling of data while placing emphasis on children and other user groups particularly vulnerable to data exploitation.

With the sweeping changes that American society could encounter after the birth of the Metaverse, many policymakers and legal scholars agree that revisions to current privacy laws may not be sufficient. For decades, there have been discussions in Congress about passing comprehensive federal privacy legislation to supersede existing state laws and provide a uniform level of legal protection against privacy violations to all Americans, regardless of state residency. It is not implausible that provisions from the BIPA and CPRA could form the basis for such a federal privacy law in the United States to regulate the Metaverse into the future. While there is a great degree of uncertainty surrounding the Metaverse, it is crucial that any such law establish a low legal threshold for consumers to take legal action against violations of their privacy. [20] A future federal privacy law should limit the collection of sensitive information to circumstances where it is absolutely necessary, while mandating that consumers provide affirmative express consent prior to the data collection and any potential transfers of data to third parties. To effectively govern the Metaverse, federal privacy law should prioritize the strict regulation of data collection practices and the promotion of individual data privacy rights.

The Metaverse is a revolutionary proposal which would utilize cutting-edge technologies to create a network of virtual worlds and facilitate social interactions. However, data is ubiquitous in the twenty-first century, and the advent of such an expansive extended reality platform comes with massive data privacy risks. The legal implications of the Metaverse inevitably involve AI interaction and biometric information, and state privacy laws are presently unsuited to tackle such unprecedented challenges. Immediately after the Metaverse is released to consumers, Meta will likely assume responsibility to address these issues, yet previous legal action against tech giants such as Facebook (now Meta) and Google for gross privacy violations proves that self-regulation cannot guarantee protection of consumer data. The Metaverse would render existing state laws insufficient and necessitate the development of federal privacy legislation that is adapted to the novel risks created by technological advancement. It is imperative that the American public not permit the speed of technological development to outpace the evolution of the law to ensure consumer safety and uphold privacy rights.

Edited by Mariah Hesser

Sources:

[1] Katie Canales, “The Metaverse Could Let Silicon Valley Track Your Facial Expressions, Blood Pressure, and Your Breathing Rates — Showing Exactly Why Our Internet Laws Need Updating," Business Insider (December 8, 2021), https://www.businessinsider.com/metaverse-silicon-valley-tech-data-collection-regulation-laws-need-updating-2021-12. 

[2] Id.

[3] Artificial Intelligence in the Metaverse: Bridging the Virtual and Real, XR Today (2022), online at https://www.xrtoday.com/virtual-reality/artificial-intelligence-in-the-metaverse-bridging-the-virtual-and-real/ (visited April 22, 2022).

[4] FTC Issues Opinion and Order Against Cambridge Analytica For Deceiving Consumers About the Collection of Facebook Data, Compliance with EU-U.S. Privacy Shield, Federal Trade Commission (2022), online at https://www.ftc.gov/news-events/news/press-releases/2019/12/ftc-issues-opinion-order-against-cambridge-analytica-deceiving-consumers-about-collection-facebook (visited April 22, 2022).  

[5] Order Den. Def's Opposed Mot. to Dismiss, 12, Feb. 15, 2019, 2018 CA 8715 B. 

[6] Matthew P. Denn, “District of Columbia v. Facebook: General Consumer Protection Statute Can Serve as Vehicle for State Attorney General Seeking Redress for Data Privacy Violations,” DLA Piper (June 12, 2019), https://www.dlapiper.com/en/us/insights/publications/2019/06/district-of-columbia-v-facebook/. 

[7] AG Racine Leads Bipartisan Coalition in Suing Google Over Deceptive Location Tracking Practices That Invade Users' Privacy, Office of the Attorney General for the District of Columbia (2022), online at https://oag.dc.gov/release/ag-racine-leads-bipartisan-coalition-suing-google (visited April 22, 2022). 

[8] Brown v. Google, LLC, 525 F. Supp. 3d 1049 (N.D. Cal. 2021).

[9] Id.

[10] 18 USC § 2725(5).

[11] Biometric Information Privacy Act (BIPA), ACLU of Illinois (2022), online at https://www.aclu-il.org/en/campaigns/biometric-information-privacy-act-bipa (visited April 22, 2022).

[12] ACLU v. Clearview AI - Complaint, American Civil Liberties Union (2022), online at https://www.aclu.org/legal-document/aclu-v-clearview-ai-complaint (visited April 22, 2022).

[13] Id.

[14] Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317 (Ill. App. Ct. Dec. 21, 2017).

[15] “Reed Smith Guide to the Metaverse,” Reed Smith (May 2022), https://www.reedsmith.com/en/perspectives/metaverse.

[16] Matera v. Google Inc., No. 5:2015cv04062 - Document 49 (N.D. Cal. 2016).

[17] In Re: Google Inc. Cookie Placement Consumer Privacy Litigation, No. 17-1480 (3d Cir. 2019).

[18] Katharina Koerner, “Privacy and Responsible AI,” International Association of Privacy Professionals (January 20, 2022), https://iapp.org/news/a/privacy-and-responsible-ai/. 

[19] “California Voters Adopt the California Privacy Rights Act,” Jones Day (2020), online at https://www.jonesday.com/en/insights/2020/11/california-voters-approve-cpra (visited April 22, 2022).

[20] Cameron F. Kerry et al, "Bridging the Gaps: A Path Forward to Federal Privacy Legislation", Brookings Institution (June 2020), https://www.brookings.edu/wp-content/uploads/2020/06/Bridging-the-gaps_a-path-forward-to-federal-privacy-legislation.pdf.