The Metaverse And Data Privacy Issues


In October 2021, Mark Zuckerberg announced that Facebook was rebranding as “Meta,” and that Meta was working on creating the “metaverse as the successor to the mobile internet— a set of interconnected digital spaces that lets you do things you can’t do in the physical world.”

According to the announcement, the metaverse will offer a virtual reality (VR) experience in which a person’s digital avatar can establish a “home base in the metaverse,” make messenger calls in VR, play games, exercise their physical body through VR, and, at some point, go to work at VR-based businesses.

How Businesses Can Use the Metaverse

The firm J.P. Morgan has described the metaverse as “a seamless convergence of our physical and digital lives, creating a unified, virtual community where we can work, play, relax, transact and socialize.” J.P. Morgan has highlighted the benefits to businesses and consumers, predicting that “[t]he metaverse will likely infiltrate every sector in some way in the coming years, with the market opportunity estimated at over $1 trillion in yearly revenues.”

Some businesses, such as Binance and FTX, have indicated that they will be establishing a virtual presence in the metaverse to engage virtual persons and their avatars in their business operations. J.P. Morgan offers one example of this engagement, noting that RTFKT, “a virtual shoe designer that has recently been acquired by Nike,” recently sold its virtual shoe designs for up to $10,000 a pair.

Regulatory Implications of the Metaverse

Although the metaverse creates and expands upon the opportunities available in the physical world, which many see as a great benefit to the consumer, there are also many regulatory implications that businesses and consumers must consider before engaging.

According to a report released by Digital Information World, the biggest “hurdles” that the metaverse will have to overcome—according to surveyed software developers—include:

  • Data Privacy and Security (33%);
  • Ecosystem Interoperability (12%);
  • Disinformation and Hate Speech (10%);
  • Community Building (10%);
  • Accessible Tools for Developers (9%);
  • Monetization (8%);
  • Creating a Currency and Payments Ecosystem (7%);
  • Identifying Users (5%); and
  • Lackluster Hardware (5%).

Beyond complying with copyright and digital media rights laws, businesses and content creators should consider the potential application of data privacy regulations, including the European General Data Protection Regulation (GDPR) and the various U.S. state-level privacy laws that have been enacted in the last several years.

Businesses will also need to contend with a projected rise in phishing attacks, along with the vulnerabilities and privacy implications associated with VR devices, and the increased attack surface created by more devices and digital users. As this article points out, if a business is engaged in its traditional business practices throughout standard hours of operation in the metaverse, this “will produce a substantial amount of data related to employment but also relating to the individual user.”

Beyond regulatory implications, businesses need to give consumers a sense of security when engaging with them in the metaverse. According to this survey, 87 percent of respondents were “concerned about how the metaverse could affect their privacy.” This survey further notes 50 percent of respondents were concerned about user identity, 47 percent were concerned with involuntary surveillance, and 45 percent were concerned about abuse of their personal information.

How to Protect your Organization

As of now, Meta has not provided any official guidance around privacy guidelines or policies that might be maintained in the metaverse. But according to Zuckerberg, privacy considerations will be “built-in” to the metaverse.

Until legislative or developer guidance is provided, organizations can implement initial protective efforts aligned with the way they protect their customers’ privacy rights currently. These efforts should include:

  • Utilizing security tools such as antivirus software, especially if your business intends to utilize VR to provide your goods or services;
  • Providing privacy notices;
  • Obtaining consent for data tracking and collection practices;
  • Ensuring that data is collected in a fair and transparent manner;
  • Ensuring that data is retained only when necessary for a valid business purpose, and that all other data is properly disposed of; and
  • Complying with all applicable privacy regulations.


In addition to data management and privacy concerns, businesses should consider the increased risk of cybersecurity threats that stem from establishing a digital presence for their organization in the metaverse. As this article puts it, “the metaverse can take infiltration to an entirely new level, one where the hacker uses an avatar to social engineer an attack against a user; causing real life impact.”

As with data privacy, your organization should implement standard cybersecurity practices in order to protect its operations in the metaverse. See our guide to the latest tools here.

