Do we need a new data regulatory regime for the Metaverse?

Open questions around data regulations in the Metaverse


In this futuristic world, people will interact in a virtual environment with digital representations of other people, places, and experiences. This could involve attending a work meeting, watching a concert, and purchasing goods from a virtual shopping mall.

Reaching its full value proposition will entail creating and mass-adopting an open, interoperable Metaverse: a human/virtual reality co-existence platform with its own economy, serving as the dominant interface through which we conduct most of our daily activities.

The Metaverse will develop iteratively over time as capabilities evolve and compelling use cases for consumer and enterprise uses drive adoption into everyday use. It’s impossible to say with any confidence how long it will take to develop, but we need to ensure that whatever it will eventually be, it will be a safe and regulated environment for users.

Regulation is not a destroyer of innovation

The Metaverse will raise novel and complex legal and regulatory issues around the rights of users, the obligations of providers, and the various other entities involved in building and maintaining the Metaverse. It goes without saying that the Metaverse needs to be developed and played out in an environment that is informed by, and prioritizes, privacy and data protection. For businesses, these regulations, the gold standard being GDPR, can sometimes feel like they inhibit creativity and innovation because of the huge compliance burden they place on them. Regulators are very aware of the need to strike a balance between the strong business pressure to allow the free flow of data, a necessary part of a world in which economic growth is increasingly based on access to and use of consumer data, and the need to protect individuals from having their personal information misused, exploited or mishandled.

Do what is right, not what is easy

So, as businesses and as regulators, we all need to do what’s right, not what is easy. That leads me to the second reason why we need to address this overriding question of whether we need a new data regulatory regime: what we now know from the past two decades, particularly with the advent of social media platforms, is the critical need for regulators to be on the front foot. What do I mean by this? Well, our data protection regime – GDPR – has its genesis in the 1995 Data Protection Directive and then the 1998 Data Protection Act. But it took another two decades before we had the General Data Protection Regulation (GDPR) in 2016, which has become the toughest privacy and security law in the world, and it still took another two years, until 2018, for it to be implemented in the EU, including the UK, and it continues to evolve.

So, the point is that it took two decades to adapt data protection rules that were designed for physical filing cabinets, first for the internet and then for social media. No one back in the 1990s could have foreseen what the internet and later social media would do to the ability of businesses and organizations to gather and process personal data. So, regulation has really been on the back foot – playing catch-up over the previous two decades, adapting aging rules for a rapidly evolving digital world. And we know compliance is still a huge challenge, and I don’t need to remind anyone of the scandalous headlines in the digital space over the past few years about the deliberate or negligent misuse of personal data.

Now we are talking about the Metaverse, and I think there is a real risk that we could be looking back 20 years from now, once elements of the Metaverse have already crystallized, and find ourselves once again playing catch-up – adapting legal concepts and structures for a world for which they were not designed, trying to fix something that’s turned into a dystopia because we failed to create a governance structure that ensures a safe and inclusive Metaverse. But we can avoid that by ensuring that privacy-by-design principles shape the evolution of the Metaverse from the very outset.

But as I’ll demonstrate in this article, that’s not going to be easy, and we may need to create a new regulatory environment that is specifically designed for this new frontier in technology.

Data is the lifeline of the Metaverse

The reason it’s not going to be easy is the very novel features of the Metaverse. Reaching its full value proposition will entail the creation and mass adoption of an open, interoperable, synchronous virtual environment where you will be able to interact with others in real time just as you would in the physical world, so this human/virtual reality co-existence could become the dominant interface through which we conduct many aspects of our daily activities. You may not believe this will ever happen – you may not believe it should happen – but that is the promise, or endgame, of the Metaverse. This will, of course, have a transformative impact on human life, and whilst it feels incredibly far-fetched, some elements of the Metaverse are already here. We’re already using VR and AR, such as HoloLens technology, in engineering and medical training, and virtual platforms like Roblox have long been delivering the same types of social experiences anticipated in the Metaverse.

What’s impossible to say with any confidence is how long it will take and what the Metaverse will eventually be, but we can be confident that it is no longer just a science fiction concept and that it is conceivable that it may evolve to replace the current technology stack of the world wide web operating on top of the Internet. It is also conceivable that the Metaverse will become the source of the most valuable data about consumers available to the business world.


Data is the lifeline of the Metaverse – without data, it simply wouldn’t work, and a lot of that data will be personal data.

So, let’s have a look at why personal data is needed for the Metaverse and what kind of data needs to be collected.

Data needed for personalization

One reason is that a baseline level of personal detail will be read by devices to create the most accurate digital representation of individuals in the Metaverse to prevent people from pretending that they are someone else – a security need.

Data about the user is also needed so that Metaverse businesses can create personalized experiences for them, making it more likely that we engage with and purchase their products – so the more data they have about the user, the more they can serve the user in an incredibly targeted way. Arguably, that’s no different from the digital services and social media platforms of today.

What’s different will be the unprecedented scale of the personal data that can be collected and the way that data is collected. Today, smartphone apps and websites allow organizations to understand how individuals move around the web or navigate an app. Tomorrow, in the Metaverse, organizations will be able to collect information about individuals passively, in real time, through the devices which serve as entry points to the Metaverse – today VR and AR headgear and, in the near future, with advances in sensing, display, and optic technology, glasses, contact lenses, and other embedded technology through which we may experience the Metaverse.

So, let me give you an example. Let us assume you’re hungry whilst you’re in the Metaverse. The Metaverse may observe you frequently glancing at café and restaurant windows and stopping to look at cakes in a bakery window, determine that you are hungry, and serve you food adverts accordingly. Contrast this with current technology, where a website or app can only ascertain this type of information if you actively search for food outlets on that device.

Therefore, in the Metaverse, a user will no longer need to proactively provide personal data by opening up their smartphone and accessing their webpage or app of choice. Instead, their data will be gathered in the background while they go about their virtual lives. And if the Metaverse does become a space where we spend a lot of time socializing, working, doing business, and shopping, we are likely to be logged on for extended periods of time, which in turn allows our behavioral patterns to be tracked for longer and therefore more information to be gathered on us.

That creates the possibility that the Metaverse can gather, store, and profile personal data at an unprecedented scale. It’s been described as data collection on steroids.

But it’s not the volume of data itself that’s concerning people; it’s the type of data that can be collected, and collected in huge volumes, through these devices that is worrying many.

Because we’re not just talking about contact information here. The Metaverse opens the door for the collection of all sorts of personal data, including sensitive biometric data. This is already happening with facial recognition and fingerprint technology included in many mobile devices, but these features are currently on an opt-in basis. Some AR and VR technologies provide the tracking of bodily movements – such as eye position – as part of their general use. There are companies developing haptic technologies for the Metaverse – other types of wearable devices, special gloves, glasses, motion sensors, earbuds, and even heart monitors that can be embedded into wearable devices. This allows the collection of data on users’ interactions – what they do, and even how they feel – to an even higher extent than traditional applications. Arguably, with these technologies, there are “no limits” to what can be gathered from users.

At the moment, there are very strict rules around what personal data can be collected, and biometric data is a special category that has even stricter conditions for collection. Our current data protection rules are based on the principle of data minimization – you gather as little personal data as possible for your business. This way, you reduce your risk. Businesses also have to make sure they have permission to collect personal data at different points during a user’s experience.

But this is highly problematic for the Metaverse because restricting providers’ access to personal data goes against the idea of creating immersive, highly customized, and seamless customer experiences. “Seamlessness” in the Metaverse also demands that personal data crosses ‘virtual’ boundaries at speed and without friction; that’s what makes it synchronous, enabling users to move from one platform to another, from one experience to another, and, if the future Metaverse becomes a patchwork quilt of many Metaverses, from one Metaverse to another. It’s difficult to see how you could operationalize consent management across multiple spaces and at speed if it involves having to issue privacy notices at or before the time of data collection. I’ll come back to this point later.

Seamlessness leads me to the second reason why data is so important for the Metaverse.

Data for interoperability

Data is needed for interoperability: to create a globally interconnected Metaverse system, where you can navigate freely across multiple virtual worlds. This necessitates the continuous flow of data between and amongst individuals and entities. An interoperable Metaverse would allow users to transport their avatars and other data, including digital assets, between Metaverse applications. Without data-sharing, in many cases, the Metaverse just simply will not work. I think it’s helpful to look at the building blocks of the Metaverse to appreciate how critical interoperability is.


The Metaverse’s technology stack has four core building blocks: content and experiences (these are the social engagements and activities users participate in), platforms (such as game engines), infrastructure and hardware (including devices and networks), and enablers (such as payment mechanisms and security). Data is needed to connect these building blocks together so that users can move freely and communicate and interact with users on other platforms.

So, an example of cross-platform capability would be enabling a ‘digital’ racing car purchased on one platform to be used in a racing game on another platform, or an item of digital clothing purchased on one platform to be “worn” by your avatar and used in games, concerts, and any other virtual environments on other platforms. And given the number of users who may end up using the Metaverse, the sheer number of companies involved in making the Metaverse tick, and the fact that all these entities come from all over the world, it will require data sharing at a scale never seen before.

Red flags

The type of personal data collected and the sharing of that data are raising a number of red flags.

Currently, we have very strict rules around data collection. Any of you who have had to deal with GDPR, particularly when it comes to personal data collection and sharing across physical borders, will already appreciate the challenges businesses face in being compliant. There are different privacy rules based on the type of organization you are, different rules around the type of data collected (e.g. in some countries, it’s illegal to ask about a person’s race or sexual orientation), and different rules around the purpose for collecting the data (for example, marketing or profiling). Applying this cross-section of laws is unwieldy, even in a relatively static environment like the Internet. It is unclear how organizations could navigate privacy and data protection compliance in a live, synchronous, interoperable digital environment – and one that is arguably borderless. GDPR applies to the UK and EU, but it’s conceivable that a vendor outside the UK and Europe ends up targeting products or services to someone based in the UK or Europe without deliberately planning to; given the borderless nature, it simply happens. Does that mean every vendor has to ensure they comply with the data protection rules in every single country of the world to avoid getting into trouble? That doesn’t seem workable, particularly for a small business.

Non-compliance is already a big challenge. Data breaches happen very regularly as a result of both accidental and deliberate causes, and many of those breaches come from social media. The ICO (Information Commissioner’s Office) defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes”.

The risk is that we could see more non-compliance, or more legal challenges, with the Metaverse because businesses find themselves inadvertently breaching the rules.

The other concern is how our data is used. We all know that in the traditional social media model, we – or rather our data – are the product that generates value for the advertisers and the platforms themselves. So, another concern is that the Metaverse will intensify the harvesting and exploitation of our data to dominate our attention and influence our behavior.

So I’ve covered what data is needed, why it’s needed, and some of the risks attached to this data. I now return to my original question: “Do we need a new data regulatory regime for the Metaverse?” I’m going to be super difficult and say that to answer that question, we need to think about three other questions.

Who is responsible for protecting users’ privacy and data in the Metaverse?

We don’t know who (if anyone) will own or control some or all of the Metaverse – will it be centralized and run by corporations, or will it be decentralized and ‘owned’ and run by the users? Under GDPR, there are data protection responsibilities on companies that collect user data directly, who need to justify how and why personal data is collected, and on companies that process the personal data on behalf of the data-controlling companies: the data controller and the data processor. It’s already quite challenging demarcating the data protection roles in complex business networks. Given the sheer number of providers likely to operate in the Metaverse, we could see an even more complex web of relationships emerge, which makes this demarcation even more complicated. So let’s have a look.


Responsibility could be seen to sit with access point providers, i.e., individual service platforms and hardware providers that enable users to access the Metaverse. It could be the content creators responsible for creating the experiences, or it could be the providers who enable interactions to take place, like digital asset providers and cryptocurrency providers. Or does responsibility ultimately lie with us?

Much of the narrative on the Metaverse is about a corporate-controlled one – with the big tech companies taking the lion’s share. But there are others who argue that the Metaverse is a starting point for moving control and responsibility to the data subjects – who carry their data in their wallets or through smart contracts. While this idea is appealing, the problem with distributed governance systems is that they don’t provide an obvious recourse framework when things go wrong.

How will we determine which individual rights apply?

In countries where there are data protection rules, individuals have the right to be informed about the collection and use of their personal data; they also have the right to withdraw consent and the right to have their personal data erased. And you are entitled to those rights based on the physical location where you live. Imagine trying to operationalize that in a virtual, borderless space. We may have to consider all the laws that could attach to users as they travel through the Metaverse and engage with different services and content, which are offered by companies in multiple jurisdictions at any one moment in time. So, you may have the “right to erasure” of your details as a result of your interactions with a European business, but you may not have the same right with a company operating, say, from Japan. This leads to complicated questions of what rights you have legally as a result of your physical location and what rights you have as a result of your interactions within the Metaverse – if the technology allows you to ‘teleport’ your avatar to any place in the Metaverse, then what constitutes your location? As you move around the Metaverse, it’s not currently clear which privacy rules of which country will apply and, indeed, whether privacy rules based on physical jurisdiction even make sense in the Metaverse.

A central theme of most privacy laws around the world is the requirement for notice and consent, which has led to lengthy privacy policies and multiple just-in-time notices. Once again, the very novel features of the Metaverse – that it’s a persistent, live, synchronous, and borderless environment – could make it very difficult to operationalize our current consent management systems.

Detailed notices and consent at each interaction (given the multiplicity of these interactions – some involving just seconds of your time) won’t really be operational in the Metaverse. Imagine your journey through the Metaverse being interrupted with notices every few minutes, even seconds, from the various entities that want to collect and use your data; imagine being confronted with pop-ups and clickwraps at every turn. The question then is: at what point do consent and choice over data use become unworkable and no longer in the interests of those they are meant to protect?

Key takeaways

  • Today’s privacy and data protection laws were built for physical filing cabinets and then updated for the Internet and social media. Applying them to tomorrow’s Metaverse could well prove to be a stretch too far.
  • Data minimization principles appear to clash with the notion that the Metaverse should be a personalized experience.
  • Operationalizing transparency and control in the Metaverse could stretch notice and consent models to their limit.
  • My conclusion is that we may need to build a new data regime that is specifically made for this new frontier.



  • Dr. Parves Khan

    With over 25 years under her belt, Dr. Parves is an insight leader with a strong track record of transforming research functions into insight powerhouses. She has been working in the field of data analytics for over two decades. Her passion is bringing data to life with powerful curation and storytelling. She has been at the helm of global insight functions across FTSE 100 businesses, drawing on her experience and skills in using insights to shape and drive business and marketing strategies and product innovations. She is also a mentor to young female researchers through Women in Research. In May 2021, Dr. Khan was awarded the accolade of being one of the UK's 20 top most inspirational women in Data & Technology by Women in Data, which is a movement and a force for change in the realm of data science and analytics. Dr. Khan is currently CEO of ESOMAR, a global professional association driving excellence in research, insight and data.