
Data protection and privacy in metaverse

25.01.2022

In the previous Legal Thoughts on Metaverse I: Intellectual Property Rights, we explored how issues around Intellectual Property (IP) could develop. Early metaverse projects have issues with data protection, and that is still largely theoretical.

We will focus on data protection and privacy in this article.

In recent months, many users have claimed their Roblox accounts were stolen from Bilibi, a Chinese YouTube channel. According to RTrack, Roblox had 202 million monthly active users as of April 2021, and over 65% are children under 16.

With its growing popularity, Roblox has faced a problem of hackers stealing accounts via third-party browser extensions, compromised passwords and unbound email addresses. Although Roblox has steps for retrieving stolen accounts on its official website, not every player is lucky to get their account back.

Even when players manage to retrieve accounts, their props and currency are often long gone.

The metaverse already has many privacy and data security issues, with many more likely to emerge, as illustrated by this problem in Roblox. These include complex deep forgery as metaverse service providers access more user data, including biometric, location and banking information.

Data and privacy protection are the main concerns for regulators and internet companies that are moving into the metaverse. Since advertising will likely be the main revenue source for the world's two largest Internet companies, Facebook (now renamed Meta) and Google, consumers' personal data will be prone to misuse.

Legislations on Protection of Personal Information are included in the Overview of Legislations on the Protection of Personal Information.

The 1970 Data Protection Act of the German state of Hesse is a reference to global legislation on personal information protection. Since then personal information protection laws have been in place in Switzerland (1973), Norway (1978), Finland (1978), Iceland (1978), Iceland (1981), Ireland (1988), Portugal (1991), Belgium (1992) and other countries.

The earliest written legislation on data and privacy in the United States dates back to the Privacy Act of 1974 (5 U.S.C. 552). Since then, there have been many other notable legislations.

Since the most obvious use cases of the metaverse revolve around online gaming, it makes sense to look at laws around consumer protection and minors.

The handling of personal information includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information.

Under the U.S. Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), consumer reporting agencies protect personal information collected by them. The Act restricts access to the information to those who can obtain it, and subsequent amendments have simplified the process for consumers to obtain and correct information about themselves.

The Personal Information Protection Law of the People's Republic of China, which came into effect on November 1, 2021, defines personal information in China. Personal information refers to information related to an identifiable natural person that has been recorded electronically or by other means, and does not include anonymized information.

The Children's Online Privacy Protection Act (15 U.S.C. 6501-6506) allows parents to control information collected online about their children under 13 years. Websites that target children are required to post privacy policies, obtain parental consent before collecting information from children, allow parents to determine how that information is used, and provide parents with the option to opt out of having information collected from their children.

Information, whether provided directly by the user or generated indirectly, such as biometric features, location and banking information, consumption habits, and gaming habits, is all personal information.

It is reasonable for metaverse projects and players involved to consider the following.

Developers of the metaverse have to create privacy protections when developing software and hardware, something that is already a requirement in virtual and augmented reality technologies.

Under the General Data Protection Regulation (GDPR), Google Glass has audio and visual symbols that seem to let users know when they are being recorded. Gaming platforms need to set up game modes for minors to avoid the leakage of information privacy of minors.

A person is not immune from legal liability because they are on the metaverse or on the blockchain. US Commodity Futures Trading Commission (CFTC) Commissioner Brian Quintenz suggested that code developers of smart contracts could be prosecuted if the smart contract code is used by Americans to violate CFTC regulations.

The user will be responsible for the legal responsibility if there is a risk of malicious programs or security flaws in the network services or products provided by Article 22 of the Cybersecurity Law of the People's Republic of China.

Ordinary players must protect their information and privacy from being easily stolen by creating complex passwords, performing regular antivirus cleanups on their devices, and opting into authentication systems for retrieval. They need to bind their email addresses to prove that they are the owner of the account, as in the case of Roblox players.

Parents should allow children or minors to be in the game with explicit consent from the guardian for the disposal of the personal information of minors.

More to Consider:

We have discussed NFT ownership, IP property, and data protection on the Metaverse. Rules must be established for the new form of a world to avoid conflicts, even though decentralization is the core of the new form of a world. Will there ever be a DAO running as a court dealing with similar legal issues in our real world?