Data Privacy in Virtual Reality

October 9, 2024

Introduction

Virtual reality (“VR”) technology is rapidly transforming the way we interact with digital information and settings as it evolves and gains popularity. VR provides consumers with an unparalleled level of engagement and interactivity, such as rigorous gaming experiences, virtual meetings and educational activities. Yet amid all this interesting technological development, data privacy is a serious issue. To construct these alluring virtual experiences, entities need to collect massive amounts of data from users, which in turn raises important concerns regarding the handling, storage, and security of their personal data. This is an aspect that many users do not consider.

It is in the virtual reality space that the lines between the real world and the virtual one increasingly blur, presenting special challenges to protecting user privacy. Entities collect various kinds of information about users, including biometric and behavioural information, which are highly sensitive in nature.

People are spending more and more time in these virtual worlds, and hence it is important to analyze whether such virtual experiences are really private and what safeguards exist to ensure the privacy of the data.

Understanding Data Privacy in VR

To deliver personalized and engaging experiences, VR platforms must collect large volumes of data. It ranges from relatively simple data, such as a user’s username and email address, to rather complex data, like behavioural patterns, cutting across every type of topic.

VR environments record not only gestures and motions but even emotional responses from users in order to better tailor their experience. For instance, companies tend to collect metadata that provides information on how users interact with virtual spaces, all of which raises questions about who gets to handle this information and how it is secured.

Biometric data acquisition, such as collecting information about hand and eye movements, comes with its own major privacy risks within virtual reality. Some technologies also collect heart rate data. Such biometric markers provide a degree of insight into an individual’s physical and emotional states that has, heretofore, not been available.

Collecting this type of private information poses a profound privacy threat: indiscriminate handling could result in inappropriate access or security breaches that expose the user to identity theft or other forms of exploitation. Biometric data collection warrants strong privacy protections alongside the advantages it promises for superior user experiences.

Emerging concerns also cover data about the physical environment monitored by VR devices. Most VR systems rely on a user’s physical environment to achieve higher levels of immersion. Such information includes details about personal spaces such as living rooms and offices, and may depict in tremendous detail a user’s habits and life patterns. Further, this kind of information might also be distributed to third parties or used by malicious fraudsters.

This therefore calls for the implementation of practices such as data minimization and purpose limitation, amongst others, in order to uphold data privacy and safeguard the personal and sensitive personal data of the data principals.

Laws Governing Data Privacy in VR Globally

Since VR technology generates and processes large amounts of user information, it comes within the scope of a vast number of data protection laws across different parts of the world. However, each jurisdiction has its own framework to protect the privacy of the user, ranging from broad data protection legislation to laws designed specifically for biometric information.

  1. Digital Personal Data Protection Act, 2023 – India

The Digital Personal Data Protection Act, 2023 (“DPDPA”) of India provides a legal framework for the protection of personal data, marking a big leap in the country’s approach toward data privacy. Any organization that is active on VR platforms in India comes under the purview of the DPDPA, along with any other business which deals with the personal data of residents of the country.

Section 6 of the DPDPA generally requires organizations to obtain explicit, informed consent from users before processing their data. For VR companies, this involves obtaining the user’s consent before gathering any data and providing clear information about what the collected data entails, for instance personal information, behavioural data and biometrics, among others.

  2. General Data Protection Regulation

The General Data Protection Regulation (“GDPR”) is one of the more comprehensive data protection laws, as it applies to any organization that processes the personal data of individuals in the European Union (“EU”). It governs how personal data is collected, used, and shared; its principles apply directly to VR companies that interact with citizens of the EU.

In general, organizations have to obtain explicit, informed consent from users under Articles 6 & 7 of the GDPR in order to collect or process their personal data. For example, a VR application collecting behavioural data to tailor experiences to an individual must highlight this to the user. In addition, Articles 12-23 embody the Data Subject Rights, through which the GDPR grants users various rights in relation to their data, including: the right of access under Article 15, the right to rectification of inaccuracies in one’s data, the right to be forgotten (that is, to request erasure of one’s data), and the right to restrict processing and to object to the use of specific data under Articles 18 & 21.

Article 5(1)(c) entails the right to data minimization; hence, companies in the VR industry are only allowed to collect the minimum amount of data necessary for their operations. For instance, if companies are collecting eye-tracking data just to improve experiences in virtual reality, then the data collected must be minimal and utilized for no other purpose.

  3. California Consumer Privacy Act

In the United States, data protection laws are not as all-encompassing because each state is permitted to author and enforce its own legislation. The most extensive data privacy law in the U.S. has originated from California, namely the California Consumer Privacy Act (“CCPA”). Companies handling the personal information of California residents, including VR companies, must comply with it.

Under Sections 1798.110 & 1798.115, the CCPA provides that consumers shall have the right to know what personal information is being collected, and the categories of information that may be used or shared for specified purposes. Such a request encompasses the widest range of data in a VR environment, from contact information such as names and email addresses to behavioural and biometric information used to adjust the user experience.

Section 1798.120 of the CCPA provides consumers with opt-out provisions. VR companies that share user data with third parties for targeting or analytics purposes must display proper ways through which users can opt out.

It also gives users the right to request deletion of their data under Section 1798.105, although this does not extend to exemptions if the data is needed for a particular legal or operational reason, as it does under the GDPR. Section 1798.125 of the CCPA bars businesses from discriminating against consumers exercising their privacy rights. As such, if a user declines the data-sharing option in VR, the business may not discriminate against that consumer by withdrawing access to essential services offered in VR or considerably degrading the quality of the service.

Does VR protect our privacy?

Although VR can be a very helpful tool for learning and entertainment, the highly sensitive nature of the personal data collected and processed means that several data-related issues may arise while using it. The dangers posed by VR are much more comprehensive than traditional privacy or data breaches, which may lead to theft or leakage of personal information such as names, addresses, passport numbers and financial information.

Our fingerprints and facial movements are pieces of biometric information specific to each one of us. This means that only we can use, for instance, facial recognition to unlock our mobile devices. If our biometric data somehow ends up in the wrong hands, the consequences could be catastrophic.

The danger to our privacy is the reason VR poses a risk. Advances in VR and AI are such that virtual footage appears incredibly real and cannot be distinguished from reality. Given rising cybersecurity threats, this is alarming.

Troublingly, as fraudsters become increasingly sophisticated in leveraging technology to their advantage, they may well leverage biometric information, for example to impersonate people or to create deepfakes and commit crimes such as fraud.

The worst-case scenario would be hackers entering the virtual world and, by disseminating unbalanced or discriminatory information that users believe to be true, influencing people’s thought patterns or behaviours.

Hackers can manipulate users in VR into revealing sensitive financial or personal information. We therefore put ourselves at higher risk as we become highly dependent on VR in our daily lives. Global authorities must accordingly strategize how they can place greater limits on VR to protect our confidential information.

Best Practices for Ensuring Privacy in VR

Best practices for ensuring privacy in VR combine transparency, user control, and good security. VR companies should publish transparent, accessible rules about what information is gathered, how it is used, and with whom it is shared.

Informed consumers can then make their own decisions based on the information they have, which increases trust between users and developers. Product developers should also build in privacy, collecting only what is necessary and giving users control over their information through options such as ‘delete my account’, ‘opt out’ and ‘withdraw consent’.

Protecting personal information in virtual environments entails employing technical measures. These include encrypting data, conducting regular security audits, and ensuring that data is stored safely on secure servers. To avoid legal issues, developers also have to understand and respect the various data protection laws, such as the CCPA, GDPR, and DPDPA, as they apply to the entity in question.

AMLEGALS REMARKS

Findings about privacy issues in virtual reality amount to a wake-up call and are evidence that technology is racing ahead in a world where the boundaries between the real and the virtual keep getting hazier. This might sound like science fiction, but the eye-popping accuracy with which VR headsets can recognize users, together with the perpetual threat of social engineering attempts, make them an indispensable part of modern life.

With rising multimedia exposure in the digital future, the safety measures taken to ensure the privacy of users while using VR are likely to turn out to be a long-term investment rather than a cost, though there may be some initial excess expenditure. In other words, we need to balance the wonder of the virtual world with the protection of our privacy. Only then can we build a future in which technology and security walk hand in hand.

– Team AMLEGALS assisted by Ms. Priyanka Thiya (Intern)


For any queries or feedback, feel free to connect to mridusha.guha@amlegals.com or liza.vanjani@amlegals.com

 
