Data protection in the metaverse


The metaverse offers a wealth of potential avenues for data collection and exploitation by platform providers. However, the scope and use of this data are dependent on data protection legislation and how it evolves in response to this new technology.

In the twelfth article in our series, we explore how data protection legislation will apply to the metaverse and how it may impact features of the metaverse including avatar creation, extended reality (XR) and platform interoperability.

What laws apply?

The General Data Protection Regulation (GDPR) will apply to metaverses whose controllers or processors are established in the UK or EU. Even for providers outside these areas, the GDPR is likely to apply if they are targeting, or monitoring the behaviour of, individuals in the UK or EU. The EU’s draft e-Privacy Regulation, which proposes to regulate the setting of cookies and the processing of user data for online advertising purposes, will also have a significant impact. Together, these regulations will determine what data about a user’s interactions in the metaverse may be used to generate advertising revenue to fund what may be a free service. While this is by no means a novel issue, the greater volume and richness of user data in an environment where everything exists only virtually promises to make it an even more significant one.

Other current and proposed EU laws, such as the Data Act, the Data Governance Act and the Digital Services Act, could also impact the development of the metaverse, affecting both data sharing between providers (which is essential to interoperability between metaverses) and advertising in the metaverse. No doubt data protection will play a key role in shaping the future of the metaverse.


A key challenge in applying data protection in the metaverse will be identifying what constitutes personal data and special category data (SCD) in a world made up of avatars with their own distinctive characteristics. If the avatar is a realistic representation of an individual, revealing that individual’s skin tone, body shape and clothing, then this will involve personal data and possibly even SCD under article 9 GDPR. Alternatively, an avatar with no resemblance to a real person may reveal little or no personal data. It may be difficult for platform providers to ascertain which is the case, and therefore they may need to tread with caution.

An individual creating an avatar in their own likeness could explicitly set out SCD, for example by requesting a ‘White Caucasian’ avatar, or could provide information from which SCD could be inferred, for example by uploading a photograph of themselves. According to Information Commissioner’s Office (ICO) and European Data Protection Board (EDPB) guidance, information which is not explicitly SCD but from which SCD can be inferred will only be categorised as SCD if that inference is in fact made by the controller. For example, the photograph uploaded by the user in the scenario above would only comprise SCD if the platform provider made an inference as to the user’s race (or other SCD) from it.

However, the CJEU has recently suggested that the term SCD is much broader, encapsulating any personal data that is “liable indirectly to reveal sensitive information concerning a natural person”. If this is the case, platform providers will need to consider the article 9 conditions in addition to the article 6 lawful bases for processing when generating and hosting avatars. Controllers could rely on the explicit consent of their users for processing SCD under article 9(a); however, this is difficult to achieve in practice. Instead, the condition under article 9(e) may provide an attractive alternative, enabling the controller to process SCD where that data has been manifestly made public by the data subject. This may be the case where a user creates an avatar in their own likeness in a “public” metaverse.

XR technology

In launching Meta’s vision of the metaverse, Mark Zuckerberg described the metaverse as a form of “embodied internet” characterised by a “deep feeling of presence”. To bring this vision to life, new XR technologies ranging from virtual reality (VR) headsets to haptic bodysuits will be required, each processing a wealth of biometric data in order to function. For example, the new Teslasuit includes a biometry system aimed at understanding the physical state of the user, including their heartbeat, pulse rate and oxygen saturation. This sort of data will engage the additional article 9 SCD requirements mapped out above. It may also present novel challenges where, for example, controllers can accurately predict the user’s anxiety levels and emotional state from the physical data collected.

Beyond biometric SCD, XR technologies may require the processing of private information which engages the general right to privacy under article 8 of the European Convention on Human Rights. For example, a VR headset requires external cameras as well as other motion sensors, which may result in the processing of data regarding private spaces such as users’ homes. In this scenario, it is likely that non-user data may also be captured if, for example, the user lives with other individuals who appear in the background. This creates further challenges around transparency and data subject rights, since such individuals may not be aware that their data is even being processed and therefore cannot object or exercise their rights. The EDPB addressed this challenge in relation to virtual voice assistants, providing guidance on how to give notice to non-users when this technology is in use so that they can exercise their data subject rights.

Moreover, XR technology provides significant opportunities to advertisers both in terms of the data collected and the means by which they serve consumers their advertising. A personalised advert in the metaverse may include seeing virtual billboards specifically tailored to the user. In order to facilitate this form of advertising, however, advertisers will need to obtain the necessary consents under ePrivacy laws, establish a lawful basis under the GDPR and comply with the GDPR transparency requirements. This may present a challenge given that users are unlikely to welcome legal notices and consent requests which interrupt their seamless metaverse experience. Furthermore, advertisers may be able to more accurately assess the impact of their advertising on individuals using data collected by XR technology, such as eye movement, pupil dilation and heartbeat.


While the metaverse is often described as a unitary concept, it is in fact likely to be made up of multiple virtual worlds created by different platform providers. Interoperability between these platforms will be key to ensuring that users can use their avatars and digital goods across platforms. For interoperability to work, however, platform providers will need to share data such as the user’s avatar, their digital ownership and certain user preferences. Platform operators will need to agree the obligations they take on in relation to that data. This may present a significant challenge, especially as metaverse platforms are likely to host various virtual worlds operated by different entities and numerous service providers. The result is likely to be a complicated matrix of controllers, joint controllers and processors, each needing to comply with overlapping regulatory requirements.

The extraterritorial reach of the GDPR through article 3 also creates interoperability challenges between EU and non-EU platform providers. Non-EU platforms will be subject to a higher regulatory burden if they allow EU avatars within their virtual worlds and may come to question whether GDPR compliance is too high a price to pay for access to the EU market. This may be the case if, for example, platforms find it impossible to silo the data of EU users from that of local users. However, even if it were possible to ring-fence EU data, regulators are unlikely to be satisfied with a situation where different regulations apply to different data subjects interacting with each other in the same digital environment.


The skyrocketing popularity of the internet (and social media in particular) has led to an exponential growth in the generation and collection of data, and the metaverse promises to accelerate this trend further. The wealth and richness of the types of personal data collected in the metaverse, both offline through XR technology and online in relation to user interactions and behaviours, presents a significant privacy risk. It is no surprise, therefore, that a myriad of data protection issues crop up in relation to the metaverse. The above analysis provides a mere snapshot of what some of these issues may look like. It will be interesting to see how data protection authorities respond to the data privacy challenges presented by the metaverse and the extent to which they adapt current data protection legislation to accommodate this shift in technology use.
