Agencies Adopt a Cautious Approach to Gathering Metaverse Data

Regulators are cracking down on biometric data collection

Introducing the Adweek Podcast Network. Access infinite inspiration in your pocket on everything from career advice and creativity to metaverse marketing and more. Browse all podcasts.

As privacy laws expand to the next iteration of the internet, or Web3, marketers need to have consumer safety top of mind, especially around immersive technology such as the metaverse.

State privacy laws will cover the metaverse to the extent that they cover personal data,” said Jameson Spivack, senior policy analyst, immersive technologies, Future of Privacy Forum. “Even if the laws don’t explicitly mention them or weren’t designed with these kinds of technologies in mind,” he added.

When people use a VR headset, biometric data is collected to create avatars. Even though that data may not be used to uniquely identify that person, the act of scanning their face may be considered the collection of personally identifiable information (PII) under certain laws, according to Spivack.

To protect themselves and consumers, some marketers pursuing more sustainable metaverse strategies are choosing not to collect personal data in the metaverse at all, while others use first-party data collected from digital campaigns to link to metaverse experiences.

Caution around data collection is especially prudent “when it comes to the child- and teen-specific laws, which may require things like age verification, or even allowing parents to access their children’s social media accounts,” said Spivack.

Avoiding data collection altogether

To comply with U.S. privacy laws such as California’s CPRA and Europe’s GDPR, agencies are taking a more cautious approach to data collection in the metaverse.

IPG agency R/GA sees the collection of PII in the metaverse as a value exchange to provide people with the right metaverse experience and enhance their interactions, said Megan Trinidad, R/GA vp and executive creative director.

Since operating in the metaverse can create a lot of data, the agency works closely with its clients to ensure any metaverse experience that leverages personal information aligns with their privacy policies and disclosures. Trinidad wasn’t able to share specific examples due to confidential client agreements.

To avoid data breaches, agency Wunderman Thompson advises some clients not to collect people’s personal information in its Web3 projects, said Emma Chiu, global director of Wunderman Thompson Intelligence.

Chiu points to the agency’s Web3 campaign with YSL Beauty to create an NFT wallet dedicated to its community as an example where it did not collect personal information.

“This is still in its early stages, but it could potentially be a game-changer,” said Chiu, “especially at a time when ownership around personal data is more sensitive and the legalities around this subject are constantly evolving.”

Linking out to digital environments

Similarly, Dentsu also avoids collecting PII in its metaverse campaigns.

However, “if there is a need to collect first-party data, we make sure we do all that due diligence and seek the proper legal counsel to do that,” said Dan Holland, executive vp and gaming lead at Dentsu.

It’s best to not view the metaverse experience itself as the best place to attempt to collect first-party data.

Dan Holland, executive vp and gaming lead, Dentsu

For example, to celebrate LGBTQIA+ Pride Month, Mastercard launched a campaign called True Name to let cardholders from the community use their true first name on their card without requiring a legal name change. As a part of this campaign, Mastercard partnered with Decentraland to launch Pride Plaza in the metaverse.

In doing so, it connected people’s Web3 wallets to Decentraland but did not collect their first-party data. And, if people wished to donate to the Gay & Lesbian Alliance Against Defamation (GLAAD), they were taken out of the metaverse experience and redirected to the GLAAD website to make donations. Similarly, if people wanted to sign up for a Mastercard, this was done outside of Decentraland.

“It’s best to not view the metaverse experience itself as the best place to attempt to collect first-party data but instead leverage more proven and secure environments, such as digital activations within the overall campaign, and link that with their metaverse experience,” Holland added.

Biometrics in the crosshairs

Currently, some statewide laws give people rights such as the ability to access, correct or delete personal data, and opt out of targeted advertising.

However, it’s unclear how the laws might apply to biometric data. There is ongoing litigation against how companies are collecting biometric data in states that have biometric privacy laws, such as Illinois.

Giving people the choice to opt out of data collection in the metaverse will pose new challenges for brands since the mechanism to provide notice is going to look different from the consent pop-ups that we’ve grown used to online, said Cobun Zweifel-Keegan, managing director, Washington, D.C., for The International Association of Privacy Professionals (IAPP).

Meanwhile, regulators are getting more muscular with players in the metaverse space. Last year, the Federal Trade Commission sued to block Meta from acquiring virtual-reality startup Within Unlimited, alleging it would lessen competition in the market. Although the FTC eventually dismissed this merger, regulators are trying to exert power against commercial surveillance within immersive technology.

“Metaverse-related technologies and AI, which is a hot topic right now, is definitely something that’s on [regulators’] minds,” said Spivack.

Enjoying Adweek's Content? Register for More Access!