The metaverse data privacy debate is getting feisty: here’s what you need to know

The fabrication and functionality of the metaverse is sure to rely on new kinds of potentially sensitive information like biometric data. At the same time, however, as the infrastructure of web3 shifts power away from platforms and toward creators, users could have more say over who has access to their personal information than ever before. As part of The Drum’s Metaverse Deep Dive, experts hash out how the landscape of consumer data privacy might transform in a decentralized metaverse.

With the dawn of the metaverse upon us, debates about data-driven advertising and consumer data protection are already heating up. While it’s clear that a world hinging on consumers’ use of immersive technologies will traffic in new kinds of personal information, a range of differing opinions and approaches to managing this data are emerging.

Just as consumer data has served as the feedstock of personalized experiences in the digital realm, so too will be the case in the metaverse, where information about everything from a user’s location and demographics to their browsing behaviors and friends’ characteristics can inform how brands try to reach them.

Advertisers and developers may have the opportunity to monitor how users spend their time and attention in the metaverse, much like they do in real life or in digital spaces. Are they playing games, attending virtual concerts or meeting up with others in digital conference rooms? This information could be harnessed by brands and used to inform advertising decisions.

“Consumer data is going to be at the very heart of the metaverse,” says Michael Litman, strategy lead at Media.Monks. “We’re already seeing incredible opportunities for brands to learn valuable insights.”

By capturing user data, brands can create ads that “will be immersive, personalized and value-based experiences,” says Litman. So it’s less about billboards and video and more about digital merchandise, skins, avatars and experiences.

And Litman believes that data-driven advertising can still happen in the metaverse in a privacy-centric way that offers “a meaningful, ethical value exchange for users.” For one, he says, gaming in the metaverse – though it may not be the only activity a user participates in – is fundamentally built on an opt-in ad ecosystem (a model increasingly reflected in consumer data protection regulations that aim to shift from opt-out to opt-in frameworks). He suggests that many developers and companies will be offering services that require opt-in and therefore inherently protect user choice. “People want to be engaged with something that’s fun and interesting, so they will need to opt in,” he says.

And while there is almost no question that user data will remain a coveted currency in any manifestation of the metaverse, not all experts share Litman’s convictions that most metaverse offerings will have privacy baked in.

Diverging views on privacy

Although iterations of the metaverse already exist in certain forms – think Roblox, Discord, Oculus and Fortnite – the kind of metaverse that Meta envisions is almost certainly a few years down the road. Still, Meta says it’s already thinking about user data privacy in this future state.

“The principles of privacy, safety and security need to be built in from the start,” Michelle Klein, vice-president of global consumer marketing at Meta, tells The Drum. “If we have the principles right, then as a society we will be better at tackling new challenges with these technologies as they arise.”

She stresses that “the metaverse is a collective project” and that, as such, Meta plans to work with various companies, developers and lawmakers to get privacy right in the metaverse. She says the company plans to focus these collaborations on minimizing data collection in the metaverse and to create an infrastructure that “gives people transparency and control over their data.” In Meta’s conception of the metaverse, users will have the power to decide when they want to interact with others (“or when they want to take a break and teleport to a private bubble to be alone”) and if they want to block someone from interacting with them.

Some experts agree with Meta’s assertion that the metaverse will give users greater control over their own information – but perhaps only if the metaverse in question is truly decentralized and not owned by any one actor. Andrew Douthwaite, vice-president of metaverse at gaming company Dubit, tells The Drum: “In a fully decentralized metaverse, everyone owns their own data and decides where to share it,” he says. “The issues regarding privacy and targeted ads are influenced by the builders of the services we use in the metaverse. With decentralized applications, it’s easy to fork, or start a new product or service with minor changes, and so the user can vote with their feet.”

In agreement with Dubit is Samuel Huber, the co-founder and chief executive at Admix, an in-game advertising company. Huber argues that, as it stands, major tech players such as Meta, Microsoft, Sony and Google are likely to try to heighten the walls on their gardens in an attempt to establish ownership over the metaverse, a move that will inherently limit interoperability and decentralization – and, by extension, users’ ownership over their own data. “These companies all believe that they can build the metaverse – and then involve creators to customize small elements of their world, such as avatars or rooms,” he says. “This is not the promise of the true metaverse, where a company just builds the framework – the equivalent of ‘web standards’ – and creators develop the content. We will see how it evolves, but I believe we will end up with various ‘worlds’ that collectively form the metaverse.”

Huber says that truly decentralized metaverse – a future in which different worlds owned by different people are interoperable – will give greater power to the people by supercharging the creator economy. “Decentralization shifts the power balance between platforms and creators,” he says. He points out that in the internet’s current iteration – what’s commonly called web2 – creators can monetize their content by attracting advertisers, but are essentially bound by the confines of the platforms on which they’re operating, whether it be YouTube, Instagram or another platform. In web3, a blockchain-powered internet will support the development of a decentralized metaverse.

This means creators will enjoy greater freedom because they will have new avenues of content monetization, “mainly via tokens or NFTs that give superfans access to exclusive content, among other things,” says Huber.

As a result of this shift in power, some argue that web3 could mean the death of traditional advertising since creators will not have the same incentives to attract brands. Huber and his team at Admix are of a different mindset, however. “It is true that creators won’t pull advertisers in as much, given the broader toolset they have to monetize; however, brands will push to deploy their $300bn+ marketing spend where their audience’s eyeballs are. But the only way creators will let them in their experience is if the brand contributes to it.” He predicts the existing model of interruptive advertising will be replaced by creative approaches that add value and don’t disrupt users from gameplay or other experiences.

And like Media.Monks’ Litman, Huber believes that user data will play a central role here. The metaverse of which he conceives relies on the infrastructure of web3, where all activity is logged on the blockchain – including data about “which world you visit, which experience you engage with, which NFTs you own” – and made publicly available. As such, advertisers can leverage this information to tailor their approaches to given user segments, though he believes advertisers won’t be able to gain a clear picture of who a user is “in the real world.”

The use of newer, more sensitive kinds of data

Then there is another level of consumer data that many have not considered: the collection of sensitive biometric information.

Given the potential for technology to track biometric information, John Verdi, senior vice-president of policy at the Future of Privacy Forum (a Washington, DC-based think tank and data privacy advocacy group), says there will inevitably need to be new platform policies and updated state regulations that prioritize transparency and user control and protect users against potential exploitation.

“Mobile phones today work very well and provide robust experiences without collecting much biometric information in most circumstances – and users can decide whether to use a fingerprint scanner or use a face unlock or not,” he says. “But augmented reality (AR) technologies and virtual reality (VR) technologies, in order to work properly, are going to require the collection of sensitive biometric information – about people’s eye position and head position and a bunch of other factors.”

These kinds of signals may enable advertisers to identify specific users – a potential minefield when considering the fact that certain biometric data could indicate propensities for different health issues or traits. One can easily imagine the slippery slope toward potential abuses in such a scenario. Plus, how that information might or might not be sold or shared with additional third parties remains to be seen.

As it stands, many people are wary of the possibility that platforms such as Meta might set the rules of play instead of lawmakers – especially considering the various data privacy controversies and lawsuits of which such companies have been implicated throughout the past decade or so (in one especially memorable 2019 case, Facebook settled with the US Federal Trade Commission for an estimated $5bn over privacy missteps).

A key step that would help platforms gain user trust, Verdi argues, would be to extend the conversation about interoperability in the metaverse to privacy-related concerns. “When you look at existing platforms like mobile operating systems and browsers and app stores and things like that, there’s a missed opportunity there that immersive tech platforms might be able to remedy and might be able to seize. And that is that there is not a clear, comprehensive way for consumers’ privacy preferences as they relate to things like mobile apps and browsers to be [translated across] apps and developers and experiences,” he says. “If we’re talking about interoperability for things like identity, for things like avatars, for things like payments in the metaverse, we really want to be talking about interoperability for privacy preferences too. That’s a common-sense protection that consumers would embrace and that platforms should embrace as a way to better serve individuals.”

For more on the exciting new opportunities for marketers in this rapidly evolving space, check out The Drum’s Metaverse hub.