arthead -

Companies need data privacy plan before joining metaverse

Experts speaking during ITIF's AR/VR Policy Conference pointed out that businesses need to head into the metaverse with a strong data privacy plan.

Building a metaverse experience that's safe for businesses and consumers means getting ahead of data privacy risks, which experts say companies can do by creating privacy protocols ahead of time.

Metaverses are virtual worlds where consumers can work, shop and play, with many companies already buying into it. Nike, for example, opened a virtual shoe store in metaverse platform Roblox, while financial services firm J.P. Morgan opened a virtual lounge in popular metaverse Decentraland.

The metaverse is built through a confluence of artificial intelligence and machine learning, virtual reality, IoT and blockchain technologies, among others. It shows significant promise for businesses and consumers alike, according to Dylan Gilbert, privacy policy advisor at the National Institute of Standards and Technology (NIST).

"There's an incredible amount of good things in store when it comes to the metaverse," Gilbert said during a panel session at the Information Technology and Innovation Foundation's AR/VR Policy Conference. "Accessibility for disability, a great opportunity to leverage this technology for public good."

But there are also risks associated with such technology, including discrimination and threats to bodily autonomy and safety as well as data collection and consent. Gilbert said to get ahead of data privacy issues in the metaverse, companies need to consider those risks and develop appropriate data privacy plans.

Getting ahead of data privacy risks

When considering data privacy in the metaverse, it's important for companies building and buying into the metaverse to put data privacy first instead of trying to work privacy policies in retroactively.

Gilbert said it will be key for companies to focus on disassociability policies that keep an individual's real-world identity separate from their virtual-world identity. This level of data privacy can entail anonymity and deidentification techniques, according to NIST.

"We need to be building the policy and technical controls in now that can help for disassociating between identities," Gilbert said.

We need to be building the policy and technical controls in now that can help for disassociating between identities.
Dylan Gilbert Privacy policy advisor, National Institute of Standards and Technology

Indeed, "privacy by design," is likely a buzzword that industries will lean on going forward, said Karim Mohammadali, senior analyst in government affairs and public policy at Google. Mohammadali spoke on the panel with Gilbert.

Mohammadali said when image data is collected by a device, such as a pair of smart glasses, businesses will need to answer several questions about the data collection process to ensure privacy.

He said some of those questions include where that image data is going, where it is being processed and whether consumers understand what's happening to the data that's being collected. Mohammadali said those questions must be answered in the development process.

"It will take teams of folks -- not just privacy folks, but engineers, cross-functional advisors – to be a part of that process," he said during the panel.

Gilbert said it's critical that organizations tackling data privacy issues in the metaverse take a risk-based approach and make it an interdisciplinary effort. That means data privacy teams need to work with all departments, including cybersecurity, marketing, and IT, to make sure the right policies, processes and procedures are in place.

He said risks within the metaverse need to be proactively identified, prioritized and managed, which businesses can do with the NIST privacy framework. Such risks include whether AI models are being trained on inclusive data sets and whether addressing AI bias is one risk management approach to take in that situation.

"You need to implement appropriate controls that are going to help you get to your risk responses," Gilbert said.

Regulating data privacy in the metaverse

Federal regulation will likely play a part in providing some rules of the road for data privacy in the metaverse, Gilbert said.

However, societal norms will also play a role, said Maureen Ohlhausen, chair of the antitrust and competition law division at Baker Botts and former acting chairwoman of the Federal Trade Commission. Ohlhausen also spoke on the panel with Gilbert and Mohammadali.

When consumers first began using cell phones with cameras, Ohlhausen said societal norms developed dictating areas where it was and was not appropriate for photos to be taken -- such as locker rooms -- without federal intervention.

Ohlhausen said similar societal norms will likely come up as users increasingly adopt mixed-reality hardware that enables access to the metaverse.

"I think it will be a mix of norms -- of perhaps some tweaks to regulations and the technological solutions as well," she said.

Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget Editorial, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.

Dig Deeper on CIO strategy

Cloud Computing
Mobile Computing
Data Center
and ESG