Legal Thoughts on Metaverse (II) Data Protection and Privacy
In the previous Legal Thoughts on Metaverse (I): Intellectual Property Rights, we explored how issues around intellectual property (IP) could develop. While that is still largely theoretical, early metaverse projects already have issues with data protection.
In this article, we will focus on data protection and privacy.
Data and Privacy Violations
In recent months, many users have claimed on Bilibili, a Chinese counterpart to YouTube, that their Roblox accounts were stolen. According to RTrack estimates, Roblox had 202 million monthly active users by April 2021, and over 65% are children under 16.
With its growing popularity, Roblox has faced the problem of hackers stealing accounts via third-party browser extensions, compromised passwords and unbound email addresses. Although Roblox has listed steps for retrieving stolen accounts on its official website, not every player is lucky enough to get their account back.
However, even when players manage to retrieve accounts, their props and currency are often long gone.
As this problem in Roblox illustrates, the metaverse already has many privacy and data security issues, with many more likely to emerge. These include complex deep forgery as metaverse service providers access more user data, including biometric, location and banking information.
Therefore, data and privacy protection are key concerns for regulators and internet companies that are moving into the metaverse. Since advertising will likely remain the major revenue source for the world’s two largest Internet companies, Facebook (now renamed Meta) and Google, consumers’ personal data will be prone to misuse.
Overview of Legislation on the Protection of Personal Information
Global legislation on personal information protection can be traced back to the 1970 Data Protection Act of the German state of Hesse. Since then, personal information protection laws in Switzerland (1973), France (1978), Norway (1978), Finland (1978), Iceland (1978), Austria (1978), Iceland (1981), Ireland (1988), Portugal (1991), Belgium (1992) and other countries have also emerged.
The earliest written legislation on data and privacy in the United States dates back to the Privacy Act of 1974 (5 U.S.C. § 552a). Since then, there have been many other noteworthy pieces of legislation:
- Consumer Online Privacy Act
- Children’s Online Privacy Protection Act (COPPA)
- Electronic Communications Privacy Act
- Financial Services Modernization Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Fair Credit Reporting Act
Since the most obvious use cases of the metaverse revolve around online gaming, it makes sense to take a closer look at laws around consumer protection and minors.
The handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.
The U.S. Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) protects personal financial information collected by consumer reporting agencies. The Act restricts access to such information to those who can obtain it, and subsequent amendments have simplified the process for consumers to obtain and correct information about themselves.
In China, the definition of personal information can be found in the Personal Information Protection Law of the People’s Republic of China, which came into effect on Nov. 1, 2021. “Personal information” refers to various information related to an identifiable natural person recorded electronically or by other means, and does not include anonymized information.
Privacy Protection Act for Children
The Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501-6506) allows parents to control information collected online about their children (under age 13). Operators of websites that target children or knowingly collect personal information from children are required to post privacy policies, obtain parental consent before collecting information from children, allow parents to determine how that information is used, and provide parents with the option to opt out of having information collected from their children.
Legal Thoughts on Metaverse Projects
In the metaverse, information data, whether provided directly by the user or generated indirectly, such as biometric features, location and banking information, consumption habits, and gaming habits, are all personal information.
Hence, it is reasonable for metaverse projects and players involved to consider the following.
Developers of metaverse projects must design privacy protections into their software and hardware during development, something that is already a requirement in virtual and augmented reality technologies.
For example, under the General Data Protection Regulation (GDPR), Google Glass has audio and visual symbols that seem to let users know when they are being recorded. At the same time, gaming platforms need to set up game modes for minors to avoid leaking minors’ private information.
Regarding legal liability, it is clear that violators will not be immune just because they are on the metaverse or on the blockchain. US Commodity Futures Trading Commission (CFTC) Commissioner Brian Quintenz suggested that code developers of smart contracts could be prosecuted if it is clearly foreseeable that the smart contract code will be used by Americans to violate CFTC regulations.
Article 22 of Cybersecurity Law of the People’s Republic of China also stipulates that if there is a risk of malicious programs or security flaws or vulnerabilities in the network services or products provided, remedial measures should be taken immediately, or else the user will be liable for the corresponding legal responsibility.
Ordinary players must protect their information and privacy to ensure that they are not easily stolen by creating complex passwords, performing regular antivirus cleanups on their devices, and opting into authentication systems for retrieval. As in the case of Roblox players, they need to bind their email addresses to prove that they are the owner of the account.
Parents should enable children’s or minors’ settings in the game, with explicit consent from the guardian for the disposal of the personal information data of minors.
More to Consider
On the metaverse and NFTs, we have so far discussed intellectual property, NFT ownership, and data protection in the metaverse. Although decentralization is the core of blockchain, rules should be established for this new form of world to avoid conflicts. Will there be a DAO running as a court, dealing with legal issues similar to those in our real world? There is still more to consider.