Consent in the Metaverse

Identifying initial privacy concerns in this new era

Even though there is no clear definition yet, the Metaverse entails a future in which personal and commercial life is conducted digitally in parallel with our lives in the physical world. Imagine a lifestyle videogame but with real repercussions: you can buy and trade goods, attend concerts, engage in social events and even work. The initial focus appears to be on gaming, digital meeting spaces, digital assets such as art, and brain-to-machine interactions. Also, as time passes and this virtual space evolves, artificial intelligence will be increasingly used. This reality will make the Metaverse the biggest source of data about individuals in the world.


According to Nick Clegg, President of Global Affairs at Meta [1], the main attributes of the metaverse are:

1. Ephemerality: Our daily communications in the “real” world are ephemeral. Clegg says: “we speak, people hear us, and no long-term record of what we said exists. In contrast, emails, text messages, and written posts on social media are often persistent, creating a record that lasts over time and which can be inspected, reviewed, modified or deleted. The metaverse will constitute a shift towards live, speech-based communication that will often feel as transient as face-to-face conversations. Just as in the physical world, this kind of ephemeral communication will exist alongside persistent messages and communication but is likely to be far more common.”

2. Embodiment: Communication in the Metaverse will be through physicality, since avatars will reflect real bodily movements. As Clegg explains: “This real-time, 3D synchronicity is a crucial difference with the way we interact in today’s internet.”

3. Immersion: Interactions will be held in specific spaces where social interaction feels natural, just like in the physical world (at a coffee shop, a restaurant or at home). Again, Clegg maintains that no other form of communication, like books or music, has been able to create the feeling of being in a shared space that is possible within the Metaverse.

In the Metaverse, organizations will be able to collect information about individuals’ physiological responses, their movements and even brainwave patterns, which will probably result in behavior prediction and modeling that goes further, and is more precise, than what social media data mining has already achieved. In the Metaverse, users will no longer need to proactively provide personal data because it will be gathered automatically in the background. Accordingly, it is important to establish which entity or entities have responsibility for determining how and why personal data will be processed.

Considering that most of the data gathered in the Metaverse will possibly be biometric data, considered a special category of data under the GDPR (General Data Protection Regulation) and other equivalent regulations such as the ones issued in Colombia and Brazil, users would have to give explicit consent for every purpose for which their data will be used. This poses a problem for the seamless immersion [2] effect the Metaverse intends, since changing and moving from platform to platform would, ideally, require consent to data usage and processing every single time. That is rather impractical. One apparent solution is presenting a “catch-all” consent form from the central administrator of the Metaverse, similar to the current Terms & Conditions agreements users sign for every social media platform.

The EU has been vocal in rejecting that kind of agreement or consent. It generally lifts the burden of protection from the provider, and users don’t know their rights or the information they are giving up because of how complex and intricate the “catch-all” documents are. A similar case has arisen in Canada regarding companies utilizing AI technologies. Privacy commissioners from the North American country have identified unlawful mass surveillance and collection of biometric data. As a response, Quebec specifically regulates this matter through the Personal Information Protection and Electronic Documents Act (PIPEDA). This federal law requires organizations to obtain consent and inform individuals of the purpose for collecting, using, or disclosing that information. The requirement, though, is low compared to the EU’s General Data Protection Regulation, since it only requires a “comparable level of protection when transferring data to third parties”.

Since 2019, the Industry and Commerce Superintendence in Colombia has issued multiple non-binding guides about personal data treatment and handling. These are, thus far, the only documents issued by Colombia’s privacy authority, and they are certainly helpful for regulating the matter to some degree, based on prior positions on related matters, as the Metaverse develops further. Regulation or additional guidelines from the regulators are essential because, as we know, the pace of the internet’s innovation is unfathomable and being caught off guard might come at high costs in the long run.

[1] Making the metaverse: What is it, how it will be built, and why it matters. Nick Clegg, President of Global Affairs at Meta.

[2] Ibid.