Legal issues in the metaverse / Part 3 - Data protection challenges, the importance of cybersecurity, advertising regulation in the metaverse


Part 3 - Data protection challenges, the importance of cybersecurity, advertising regulation in the metaverse

In our first article, we examined the nature of the metaverse, the shared virtual world. In the metaverse, creating avatars, anonymity, the nature and use of data generated when using the metaverse all raise several data protection issues. In addition, the misuse of avatars and identity theft is a serious cybersecurity risk that needs to be addressed in the metaverse. Sponsorship, sponsored content, and influencing through avatars can lead to further advertising law problems. In the third of our metaverse articles, we look at issues related to data protection, cybersecurity and advertisement law.

Data protection challenges

The privacy challenges associated with the use of the metaverse are similar to the privacy issues raised by social media platforms. However, it is important to consider the nature of the underlying technology of the metaverse. Users in the metaverse interact more deeply with their virtual environment than ever before, and thus much more personal data is generated from their activities.

From the very beginning of the data processing—creating avatars—one of the recurring dilemmas of technology law must be examined: to what extent can anonymity be allowed, whether users’ activities can be moderated, how freedom of expression and the protection of human dignity can be ensured, and whether a supervisory body, either based on law or self-regulation, is needed to identify the user and arbitrate disputes?

Another specific aspect is the nature of the data generated when using the metaverse. For example, companies operating in the metaverse can record users’ movements, bodily reactions and even brainwave patterns to ensure the most lifelike user experience. Analysing eye and facial movements not only helps to identify the user, but also to draw further conclusions about their behaviour and consumption habits. Some research suggests that the dilation of the pupil alone can be used to infer personality traits and cultural affiliations, and that eye-tracking technologies can predict the decisions of the person after three seconds. All this information should be provided to users in a clear and transparent way, in particular regarding the consequences of automated decision-making based on the data. Given the complex chain of data controller and processor companies involved in the operation of the metaverse, it is also important to establish the data protection status and responsibilities of each actor.

Subject to the technical possibilities and limitations, the data protection rights of users should also be ensured: access to data, requests for a copy of data, deletion of data, the possibility to unsubscribe from certain (mostly marketing) processing and data portability (which also poses many technical challenges outside the metaverse).

However, in the operation of the metaverse, the right to rectification and the “right to be forgotten”, which are fundamental principles of the GDPR, cannot always be fully respected, especially for NFTs. Under the GDPR, users should have the right to request the rectification of personal data concerning them. A user should also have the right to have their personal data erased when the collection or other processing of personal data is no longer necessary, or when the data subject has withdrawn their consent to the processing of the data. However, blockchain technology regarding NFCs is immutable, keeping a permanent record of ownership and transactions, and therefore does not allow for the full exercise of the right to be forgotten or the correction of inaccuracies in users' personal data.

The importance of cybersecurity

The large amount of data collected and processed in the digital space, its sensitive nature and the nature of the underlying technology (e.g. contactless payment systems integrated for virtual transactions) require specific organisational and technical measures to prevent cyber-attacks. Inadequate data security measures increase the risk of data breaches, one of the most serious consequences of which is the misuse of a user’s avatar and identity theft. Malicious attackers can also gain access to users’ digital assets or, conversely in the case of a ransomware attack, they can make access to digital assets impossible by encrypting access keys. To prevent this, it is important to properly configure basic security settings and educate users, including in particular to help them prevent social engineering in the metaverse. The same (or more stringent) cybersecurity measures should be imposed at all levels of the complex chain of companies involved in the operation of the metaverse and audited on a recurring basis.

Advertising regulation in the metaverse

In the US, the NGO Truth in Advertising recently filed a complaint with the Federal Trade Commission (FTC) over alleged deceptive advertising practices by the popular gaming platform Roblox. The platform is still primarily used in “two dimensions”, but the issues raised in the complaint show the advertising law challenges facing users in the metaverse.

The complaint alleges that Roblox fails to make a clear distinction between entertainment content and advertising content for reasonable consumers, especially children. The platform allows users to create “advergames” combining advertisements with gaming experiences. However, the complaint alleges that it is almost impossible to distinguish between (sponsored) games created by advertisers and games created by individual users (without promotional content), and that the sponsored nature of virtual events is not always clear. These concerns seem legitimate, and their prevention is also key in the metaverse.

Further legal scrutiny is required when advertiser-backed influencers appear as avatars. If the avatar is not controlled by an influencer outside the metaverse, it is important to record how far the influencer’s liability extends and where the liability of the advertiser controlling the avatar begins.

Proposed actions for companies involved in the metaverse

Based on the above, the responsibilities of companies and organisations involved in the utilisation of the metaverse are:

  • The data protection and cybersecurity risks associated with the use of the metaverse (in the form of data protection impact assessments) should be adequately assessed and users should be provided with appropriate, transparent information on how their personal data is processed.
  • Advertising in the metaverse must ensure compliance with advertising and competition law, considering the specific nature of the technology.

For more information on the metaverse in Hungary, contact your CMS client partner or local CMS experts.