Why the metaverse is challenging our notions of privacy

Current forms of the metaverse are emerging as evolving digital environments where an ever-growing share of people’s lives, labour, leisure time and relationships are spent online – in a parallel space of existence that connects our physical and digital economies and societies.

With such an advanced reality unfolding, many of the advantages of the internet will grow but the metaverse also makes learning about and tracking people through their digital activity more prevalent, to the extent that vast amounts of data are gathered and collated in the background.

This form of digitization gives rise to mounting challenges regarding data protection and privacy because today’s privacy laws were built for physical filing cabinets, brought up-to-date for the internet. Applying them to a virtual society offering users a persistent, live and synchronous experience requires a profound reconsideration of some existing theories and concepts.

Most privacy laws worldwide are built on the assumption that individuals must choose to be private or public. As a result, privacy laws require that individuals know how their data is employed, by whom and for what purposes. The past decades have seen such requirements accelerate with an increasing catalogue of details that organizations must communicate to customers. This development could lead to individuals being given scores of privacy notices explaining how users’ data is employed and discouraging even the most privacy-conscious individuals from attempting to read them in the first place.

This paradigm needs rethinking in the metaverse for various reasons. Increasingly, individuals’ identities are no longer merely offline or online – physical or virtual. Instead, they persist in both (or many) worlds, where consumers may do one thing in the physical space e.g. buy a Lionel Messi shirt, which might help them get a digital copy or the right to a virtual simulacrum e.g. non-fungible token (NFT); conversely, stumbling on a digital version of a product might prompt a customer to buy its physical counterpart.

These experiences can meld together in the metaverse and lead to new ones. For example, a tennis fan can use virtual reality to re-experience a moment from their favourite game, captured and reproduced online, to see if they can make the same shot as their favourite player.

However, where information sharing and connections in the online space may complement or supplement in-real-life encounters, and a person’s virtual identity impacts their social acceptance, users must be able to manage, not just limit, information flows based on target groups and audiences.

For instance, if someone wants to share their experience and impressions about a weekend event, such as visiting a renowned art gallery in the metaverse, they should be able to publish different content for different audiences. Some of their followers may be interested and laud their visit, while some show genuine interest in the images of sceneries and landscapes; others may scorn their attempt at attracting attention or their interest in popular culture.

In such contexts, audiences can hide while users’ shared content is in plain view. Therefore, privacy must be found within public environments rather than externally i.e. users should be able to control access to meaning and context rather than access to the content. User rights, such as the right to “opt out” or delete personal data, must be reconciled with distinct social conventions that govern information in different settings. And it must involve control over how personal information is transmitted.

Consider, for instance, that someone could be comfortable sharing personal health data with a nurse in a medical facility but would disapprove of the nurse communicating the same information to strangers over lunch. Similarly, privacy in the metaverse must include contextual integrity to the extent that users in a given setting are accountable for not spreading that information beyond that setting.

Navigating public and private spaces simultaneously requires properties represented in the metaverse to be such that users can create boundaries around these spaces to meaningfully portray the shades of who they are to different and potentially conflicting audiences.

As the metaverse gives rise to a massive body of data, which drives its critical services and experiences – consisting of user profiles, identities, transactions, health data and financial information – conceptualizing privacy can no longer involve a “reasonable expectation to be left alone.” Instead, privacy is governed by a blend of different groups, a mixture of technical processes and features, and distinct social conventions where different contexts are inseparable, unstable and shifting – because content and meaning are co-created by a host of other users simultaneously and in sequence.

The main thrust of the metaverse’s all-encompassing features, then, is that regulators should take a much more severe approach to data collection, usage, rights and remedies to put users in a position to meaningfully segment their audience, to limit flows of information and to restrict the addressees that can construe or misconstrue the information. Managing impressions, information flows and context may be at least as vital in the metaverse as limiting the stream of personal information in the physical world.

In this sense, future disputes over the scope of users’ rights to “opt out” or delete personal data will be crucial to advance privacy in the metaverse. The data that metaverse-focused platforms collect generate and process may span the dimensions of our living room, the detail of our fingerprints and retinas, our emotional expressions, our job performance and salaries, our movements and location, and what we say and do.

To centre users’ trust in the metaverse around valuable and fulfilling experiences, we are required to adopt a more capacious notion of privacy – one capable of dealing with the complex challenges of a virtual society.