United States:

Heavy Meta: Privacy And Cybersecurity In The Metaverse

To print this article, all you need is to be registered or login on Mondaq.com.

The metaverse is poised to become the biggest technological
revolution of the 21st century. It is likely to change the way
humans engage with each other, revolutionizing social interaction,
building whole new economies, and ushering in a host of privacy and
cybersecurity issues. Emerging technologies companies should be
aware of these issues and take the necessary steps to mitigate risk
as these markets enter gray or wholly unexplored legal territories.
In this article, we examine some of the issues related to the areas
of privacy and cybersecurity in the metaverse.


The interconnected universe can be expected to collect, store,
and rely on more personal data than ever before by unifying
currently disparate personalized digital experiences that range
from shopping to virtual travel, to entertainment, and information
gathering. Metaverse providers will have access to even more
personal data, including biometric responses, physical location,
financial records, and even the appearance of users’ homes.
FurtherMetaverse companies such as Mark Zuckerberg’s Meta are likely to
collect personal information for individual
identification, advertisement targeting, tracking through multiple
channels, health monitoring (such as heart and respiratory rates),
and others to optimize the virtual experience. Metaverse companies
will combine and aggregate vast quantities of data that influence
every aspect of our lives. 

Protecting user privacy presents a serious hurdle for metaverse,
XR, and video gaming platforms, both from a practical and a legal
standpoint. And the meta environment magnifies the cost of getting
it wrong. 

  • Device and Headset Proliferation –
    According to Facebook whistleblower Frances Haugen, the
    metaverse will require people to put “many, many more sensors
    in our homes and our workplaces in addition to those attached to
    our bodies to generate fully interactive virtual reality
    experiences. A metaverse setup is likely to include added gear such
    as headsets and AR glasses which could present major privacy
    threats by bringing live cameras and microphones inside homes and
    offices. This poses challenges from a privacy point of view as it
    would give these sensors unprecedented real-time insight into the
    everyday lives of individuals. International Data Corp reports that shipments of AR and VR
    headsets more than doubled in the second quarter of 2021 to 2.2
    million compared with the same period last year. The consultancy
    expects total headset sales to reach 9.7 million in 2021 and nearly
    triple again by 2025. Much of the growth is driven both by more
    sophisticated gaming systems and the use of VR in events,
    conferences, education, fitness, and the metaverse.

  • Collaboration and
     – The primary purpose of the
    metaverse is to allow people to interact in a digital world, which
    means that each metaverse should be accessible from all devices and
    headsets. This has ramifications from a privacy standpoint since
    user data will be accessible across devices and platforms. To
    mitigate the privacy challenges arising as a result of universal
    interoperability, experts have proposed that technology companies
    agree to certain standards for a connected metaverse that can
    integrate among different creators. In the absence of such
    standards, technology companies will have to license the rights to
    use another company’s underlying technology to build its own

The metaverse poses significant privacy-related challenges. In
the absence of specific laws to protect data privacy over the
metaverse, emerging technologies companies should undertake
specific legal measures to minimize the risk of privacy-related
issues in the metaverse.  


The metaverse’s cybersecurity legal challenges are similar
to those posed by the internet which, in turn, reflect those of
society in general. According to experts, the metaverse is likely
to give rise to entirely new cybercrimes due to its unique
infrastructure. For example, a metaverse, which is heavily centered
on the use of cryptocurrencies and non-fungible tokens (NFTs) can
be a hotbed for financial cybercrimes such as fraud, theft, and
money laundering, as well as “old-school” digital
malfeasance such as phishing, ransomware, and hacking.

  •  Cheating and duping – There
    is a high likelihood of cheating and duping on the metaverse
    primarily due to the ease by which attackers can conceal their true
    identities behind multiple layers, screens, and avatars. Famous art
    dealer Sotheby’s has recently introduced Sotheby’s Metaverse which is aimed at
    digital art collectors. It offers a curated selection of NFTs
    chosen by the auction house’s specialists. The NFTs available
    on Sotheby’s Metaverse are verified and digitally tracked
    through a public ledger of the blockchain via Ethereum. However,
    just like in the real art world, collectors can easily be fooled by
    counterfeits, replicas, and prints that are minted by
    cybercriminals poised as legitimate authenticators.

  • Cybersquatting – The ease of
    obscuring one’s identity also enables would-be cybersquatters.
    Fraudsters can take advantage of squatting on .eth websites that
    use a legitimate company’s name. In this case, the
    cybercriminals leverage the goodwill or reputation of established
    businesses by creating Ethereum domain names and smart contracts
    that ostensibly belong to the victim organizations. Hence,
    transactions on the metaverse may not be safe as it is difficult to
    ascertain a user’s identity.  

In addition to the above, other questions must be answered
before users can truly feel comfortable spending time in the
metaverse and platform holders feel reassured that they will not be
held liable for enabling security breaches or harboring

  • How will metaverse cybersecurity be managed?

  • What requirements will apply with respect to keeping data

  • How will regulation or site policies evolve to address deep
    fakes, avatar impersonation, trolling, and other cyber

  • What laws will apply and how will the various players
    collaborate in addressing this issue?

The metaverse poses complex questions that most likely require
the amending of existing laws and regulations. Until then, having
appropriate legal and technological measures in place can help
mitigate risk and provide some degree of protection for metaverse

Recently, Facebook’s metaverse has come under scrutiny for
potentially violating users’ privacy. Haugen has argued that  Facebook’s
metaverse (and the virtual reality world in general) could be
addictive and lead to the stealing of personal information. To
prevent similar allegations, Emerging technologies companies
working in the metaverse space should be fully aware of the privacy
law-related implications of the metaverse. These companies should
consider developing their own metaverse (or virtual platform)
privacy policies, personal data protection policy, data retention
policy, data subject consent form, licensing agreements, and other
legal documents in place. A law firm specializing in emerging
technologies can help you in drafting these legal documents and
provide you with guidance on the privacy and cybersecurity-related
regulatory challenges posed by the metaverse. 

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from United States

The Top 5 Privacy Issues To Watch For In 2022

Global Advertising Lawyers Alliance (GALA)

While we could have listed a dozen or more issues from new laws to regulatory actions to changes by major platforms, below are the top five privacy issues to look out for this year.

Comprehensive State Consumer Data Protection Acts

Levine, Blaszak, Block & Boothby

We reported to you last year on the new California Consumer Privacy Act, as updated by the 2020 California Privacy Rights Act (collectively as amended, the CCPA) and foresaw a trend of state legislation in this area.

Proposed State Privacy Law Update: Jan. 18, 2022

Husch Blackwell LLP

2022 is off to a fast start with proposed state privacy laws filed in Alaska, Florida, Indiana, Kentucky, New Jersey, Pennsylvania and Vermont, joining the long list of bills already filed.