Balancing User Privacy and Innovation in Augmented and Virtual Reality

Ellysse Dick March 4, 2021

Introduction

In an increasingly digital world, the old saying that “your reputation precedes you” may or may not hold true—but some sort of information about you usually does. User data enables dynamic, personalized experiences with technologies ranging from digital communications platforms to smart devices. But without necessary safeguards, widespread collection and processing of this information, especially by less careful or scrupulous organizations, can expose individuals to privacy risks. Devices and applications for augmented and virtual reality (AR/VR)—immersive technologies that enable users to experience digitally rendered content in both physical and virtual space—are a growing part of this ecosystem.

AR/VR includes applications on mobile devices that combine digital elements with images from external-facing cameras; heads-up displays that overlay digital elements on a user’s view of the physical world; and headsets that allow users to navigate fully virtual spaces. In order to deliver these experiences, AR/VR devices and applications gather significant amounts of personal data, including information provided by users, information generated by users, and information inferred about users.

AR/VR raises new user privacy considerations for three reasons:

  1. AR/VR devices are composed of a number of different information-gathering technologies, each presenting unique privacy risks and mitigation approaches;
  2. Much of the information AR/VR devices collect is sensitive data not used in most other consumer technology devices; and
  3. This comprehensive information gathering is critical to the core functions of AR/VR devices.[1]

When broken down, AR/VR technologies are essentially a collection of sensors and displays that work in concert to create an immersive experience for the user. To create the illusion of virtual elements in three-dimensional physical space, or even entirely virtual worlds, these technologies require certain basic user-provided information as a starting point, and then a constant stream of new feedback data that users generate while interacting with their virtual environments. This baseline and ongoing feedback information could include biographical and demographic details, location and movement, and biometrics. Advanced functions, such as gaze-tracking and even brain-computer interface (BCI) technologies that interpret neural signals, continue to introduce new consumer data collection practices largely unique to AR/VR devices and applications. Not only might these data streams contain multiple forms of personal, identifying, or otherwise sensitive information, AR/VR devices also might combine this information to reveal or infer additional details about individual users.

Taken together, the scope and scale of the user data collection necessary to the core functions of AR/VR distinguish these technologies from other consumer devices and applications. Even so, the types of information collected, the privacy risks, and the potential for direct harms in the absence of safeguards mirror those of other digital technologies and connected devices—many of which have already gained widespread consumer adoption. The unique challenges AR/VR technologies present, therefore, arise from the risks of aggregating sensitive information and the challenge of adapting mitigation measures that were designed for other consumer technologies into immersive, three-dimensional environments.

Because of the wide range of information AR/VR devices collect, policy responses that approach AR/VR as a monolith will almost certainly result in overregulation of certain types of data collection, while also leaving critical gaps in protections for others. At the same time, regulating the individual technologies that are used to deliver immersive experiences will leave policy a step behind innovation as new capabilities and use cases continue to emerge. Instead, policymakers should address privacy in AR/VR by considering the different types of information these devices collect and establishing appropriate safeguards to protect users against actual harms that may arise from this data collection. The goal should be to ensure a comprehensive and technology-neutral regulatory framework that allows space for companies building AR/VR devices to continue to innovate, while mitigating harms. Specifically, this report proposes:

  • Relevant federal regulatory bodies should provide guidance and clarification on the ways existing laws, such as the Health Information Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA), apply to AR/VR devices and applications;
  • Congress should reform privacy laws, such as COPPA and HIPAA, that would unnecessarily limit the use of AR/VR technologies in certain sectors or by certain users;
  • Congress and relevant rulemaking bodies should create rules to safeguard against the potential for harm that arises from new forms of data collection, such as biometric identification and personal information inferred from biometric data, through transparency and choice requirements;
  • Lawmakers should enact federal privacy legislation to harmonize compliance requirements at the national level rather than rely on state-by-state and sector-specific regulations; and
  • Government agencies and industry should develop voluntary guidelines for AR/VR developers to secure users’ privacy through transparency and disclosure practices, user privacy controls (including opt-out mechanics), information security standards, and considerations for the unique risks presented by biometric identifying and biometrically derived data.

This report provides a foundational overview of user data collection in AR/VR as it relates to the broader landscape of information-gathering and privacy protections in digital technologies. It reviews the four types of personal data these technologies gather (observable, observed, computed, and associated), the AR/VR data collection practices that fall within these categories, and the privacy concerns and established mitigation approaches for each data type. It then considers the unique challenges immersive technologies present to user privacy protections beyond those present in more established digital technologies, including the role of biometric data, limits to established mitigation approaches, and the potential for vulnerable users to experience exacerbated harms. Finally, it examines the existing regulatory framework for user privacy, identifying laws and regulations that apply to AR/VR as well as policy gaps, and it concludes with recommendations to address the unique challenges AR/VR technologies present to user privacy.

User Information Collected in AR/VR

AR/VR devices rely on information from multiple sources to deliver an optimal user experience and achieve functions other consumer devices cannot. In AR/VR and other information-driven technologies, user information collection can be broadly categorized as one of four types of data:

  • Observable: information about an individual that AR/VR technologies as well as other third parties can both observe and replicate, such as digital media the individual produces or their digital communications;
  • Observed: information an individual provides or generates, which third parties can observe but not replicate, such as biographical information or location data;
  • Computed: new information AR/VR technologies infer by manipulating observable and observed data, such as biometric identification or advertising profiles; and
  • Associated: information that, on its own, does not provide descriptive details about an individual, such as a username or IP address.[2]

In some instances, particularly in complex technologies such as AR/VR, certain information could contribute to multiple data types depending on how it is collected and processed. For example, baseline health and fitness measurements (e.g., heart rate) are observed data, but calculated health information (e.g., estimated calories burned during an activity) is computed.

Each type of data contributes to the construction of immersive, interactive virtual spaces and objects in different ways, presenting unique privacy considerations and thus a need for best practices to mitigate new and exacerbated privacy concerns. (See table 1.)

Observable Data

Some information can be consistently and directly observed by third parties. With this observable data, other individuals can perceive the same information about the user firsthand. When considering digital privacy concerns, this could include personal correspondence, media shared by the user, or media recorded by third parties.[3] AR/VR devices use observable data to enable users to construct a virtual presence, whether in fully virtual spaces created in VR or physical spaces enhanced with virtual elements through AR.

Observable Data in AR/VR

A user’s avatar, or virtual representation of themselves, may be considered observable personal information, particularly if that avatar is a hyper-realistic representation. Even less-realistic avatars a user creates to reflect their physical appearance can reveal certain information such as race and gender. Unlike two-dimensional images, such as profile pictures or digital photographs, three-dimensional avatars such as those in fully immersive VR experiences are a digital embodiment of an individual, including their physical appearance, gestures, and mannerisms.[4] Users experience these virtual bodies as they would their own in physical space—making this particular form of observable data more intimate than similar two-dimensional information.[5]

Table 1: Types of data that AR/VR technologies rely on to create user experiences



This post first appeared on ITIF | Information Technology And Innovation Foundation.
