Creating a Privacy Policy for Your VR App

Virtual Reality games are all the rage in the software world, with no end to the enthusiasm in sight. If you own a VR platform or distribute VR applications online, you need to give special attention to your Privacy Policy.

This article addresses the unique privacy considerations for VR businesses and their users. It also offers tips for creating a Privacy Policy that complies with global privacy laws.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.

     Privacy Policy Generator - Select platforms - Step 1

  3. Add information about your business: your website and/or app.

     Privacy Policy Generator - Add your business info - Step 2

  4. Select the country:

     Privacy Policy Generator - Add your business info - Step 2

  5. Answer the questions from our wizard relating to what type of information you collect from your users.

     Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

     Privacy Policy Generator - Enter your email address - Step 4

And you're done! Now you can copy or link to your hosted Privacy Policy.

The VR Reality

An estimated 171 million people around the world are using VR hardware and software, with 250 games and over 200,000 developers registered to build for Oculus Rift, according to KZero research.

With the majority of VR users being kids, tweens and teens, and the marketplace being the entire planet, privacy laws are an important reality.

Because VR apps collect and share information about their users, it's legally mandatory that a Privacy Policy is posted within the apps and on any related websites.

Most VR apps collect three categories of user data:

  1. Personally identifiable information required for registration and delivery of an app to a device, and sometimes payment information for in-app purchases.
  2. Non-personally identifiable information used to monitor analytics, user behaviors, etc.
  3. Aggregate information about groups of users. Aggregate information is used to create a community gaming experience.

Privacy laws in the US and around the world require specific protocols for handling user data. They require disclosure of internal privacy procedures with a Privacy Policy.

Many laws even require certain formatting guidelines for the Privacy Policy and include other mandates to make it easy for users to access and understand the policy.

VR apps carry special privacy considerations that some other apps don't. VR apps often create a community gaming experience in which a user is interacting with the app and also with other users they may or may not know. Additionally, the overwhelming majority of users are minors.

Privacy laws in California (CalOPPA) and the EU (GDPR) are particularly strict in protecting the privacy rights of minors. While the age defining a "minor" varies, the concern for protecting minors is universal.

Rising online bullying, teen violence, child trafficking and identity theft are just some of the concerns lawmakers and parents have.

Pornography is another fast-growing segment of the VR world where special considerations should be made. Because VR apps collect so much information about their users and user behaviors, and because users may not understand how much of what they do is being monitored, porn apps may need to provide certain disclosures to educate and inform their users.

When drafting your Privacy Policy, you will want to give special attention to the language you use, the organization and structure of the document, and the many ways you are collecting, managing and sharing user data.

What Do You Know about Your VR Users

Your VR app might be collecting more information about your users than meets the eye. VR Heads, a leading authority on the VR industry, says all VR apps collect all of the following information about their users:

  1. Personally identifiable user data
  2. Aggregate data
  3. Location data
  4. Browser activities
  5. Device details
  6. IP addresses

Privacy laws require disclosure of every type of personally identifiable user information you are collecting. They also require you to disclose the methods you use to collect the data, and why you need it.

Privacy laws apply to information you are collecting both directly and indirectly.

Examples of direct forms of data collection include user inputs, such as on a user registration page or profile setup page.

Examples of indirect forms of data collection include the use of cookies, data exchange through social platform sign-up integrations, group interaction, etc.

Additionally, VR Heads says all VR apps are using cookies and sharing data with third parties. Privacy laws require comprehensive disclosure of these third-party activities in a Privacy Policy.

User Registration Data and Collection of Personally Identifiable Information

If your VR app requires or allows user registration, you likely collect user name, phone number, date of birth and email address. Many apps also collect additional information for the user profile such as an image or social media profiles. All of these types of data are considered personal data.

Oculus provides a good example of a typical VR app sign-up form:

Oculus user sign-up form

Before submitting their sign-up details, users must click a button to create an account. They also may click to follow links to the app's Privacy Policy and Terms of Service.

Oculus user sign-up form with Create Account button and links to Privacy Policy and Terms

Oculus opens its Privacy Policy with a clause titled, "Information You Give Us." The clause provides a clear and simple explanation of the various ways they collect user information:

Oculus Privacy Policy: Information You Give Us clause

Oculus also has a clause for "Information Automatically Collected About You When You Use Our Services." This includes information such as app interactions, bodily movements, device details, IP address and location.

Oculus Privacy Policy: Information Automatically Collected clause

Separate mention is made for information third parties share with Oculus, such as vendor partners, Facebook and other affiliated companies:

Oculus Privacy Policy: Third Parties clause

San Francisco-based VR pioneer Linden Labs offers an outstanding example for structuring a sound Privacy Policy that meets and exceeds global privacy laws.

What is interesting about LL's Privacy Policy is its up-front approach to spelling out the types of information they use and how they use it in a way that speaks to their audience of high-level game developers and diverse game users.

In the clause below, "Types of Information We Collect," LL clearly defines three types of information they may use: Personal, Anonymous and Aggregate.

Linden Labs Privacy Policy: Types of Information collected and used clause

This simple, straightforward approach meets the mandates of the EU's General Data Protection Regulation (GDPR) and California's Online Privacy Protection Act (CalOPPA), both of which require plain and simple language the typical user can understand.

User Profile Data and Collection of Personally Identifiable Information

User profiles greatly benefit any app experience and VR apps are no exception. The more app users personalize their online profiles, the more invested they are in the app.

Many VR apps invite users to say something about themselves, upload an avatar or profile pic, or enter personal information not required for app registration.

Information the user provides to you through your VR app's profile fields is protected information.

Privacy laws require you to disclose the information you collect in the user profile fields in the same way you must disclose the information collected during user registration.

Additionally, you must disclose why that information is collected and how it's used by you or your third-party vendors.

The Oculus Privacy Policy plainly points this out. This is a recommended approach to ensure you are meeting legal requirements to speak to your users as if they don't know anything about privacy risks and protections.

Oculus Privacy Policy: Information You Give Us - after registration clause

The same clause goes on to acknowledge that information about a user's physical features and dimensions may be collected by their apps. This helps educate users about the many types of personally identifiable information being collected about them.

Oculus Privacy Policy: Physical Features Clause

Minors are considered particularly vulnerable to over-disclosing personal information in user profiles. Because of this, many privacy laws require app owners to make special disclosures that will aid minors in understanding their privacy risks and rights.

CalOPPA requires that you do all of the following:

  1. Allow minors to instruct you to permanently remove all information you have collected about them. This includes ceasing use of, or sharing of, their data.
  2. Provide notice to minors of their rights.
  3. Provide clear instruction to minors of the right to instruct you to remove their information, and also of their right to request an electronic copy of their information at no charge.
  4. Educate minor users that the removal of their information from your database does not provide protection of any data you have shared with third parties prior to receiving their request. You must also advise them that removal might not necessarily clear all of their data stored in your app.

CalOPPA Requirements: Minors Clause

GDPR requirements are similar. The regulation defines a minor as a child aged 16 or younger. However, it allows member states to independently set the age of consent anywhere between 13 and 16.

Because of this rule, VR apps attracting children must collect user date of birth, typically at the user registration level.

Any app user under the age of consent for the EU member state must provide parental consent to use the app.

Additionally, the app owner must make a reasonable effort to verify that the individual providing the parental consent is, in fact, a legal guardian of the minor.

User Physical Data and Collection of Personally Identifiable Information

An exciting and, to some, scary ability of VR technology is the ability to harvest information about a user's physical profile. Height, weight, girth, gait and movement patterns all are tracked by VR apps in order to personalize and improve the user's app experience.

Some VR apps also learn additional personal information about users, such as hair, skin and eye color.

While the technical benefits to an app experience are clear, the risks to privacy are a bit fuzzier.

Technologies that can essentially create a picture of a user based on their use of an app and the data collected through use of the app pose certain risks, especially to minors.

The Oculus Privacy Policy discloses their monitoring of physical movements when using their apps:

Oculus Privacy Policy: Information Automatically Collected - physical movements and dimensions clause

The LL Privacy Policy includes a clause titled "Children's Privacy" in which they guarantee they take extra steps to protect the privacy of children. These steps include not knowingly collecting personally identifiable information from children and notifying parents when their minor child has registered with or used an LL app:

Linden Labs Privacy Policy: Notifications to Minors Clause

Interaction with Groups and Aggregate Data Collection

Many VR apps provide an exciting user group experience, enabling users to experience an app simultaneously with friends or even strangers around the world.

They also offer group chat threads and community forums, allowing users to interact socially but also risking the sharing of personally identifiable data.

As exciting as this technology is, it introduces a new level of potential privacy risk, particularly to minors. However, adult VR apps also carry risks of inadvertent sharing of personal information among users who are uninformed about their privacy risks.

For these reasons, privacy laws stress the importance of using your Privacy Policy to educate users about their risks and your responsibilities.

The LL Privacy Policy addresses this concern effectively with this clause:

Linden Labs Privacy Policy - Public Forums Clause

The Oculus Privacy Policy clause on the topic of group interaction and aggregate data is more succinct but equally effective:

Oculus Privacy Policy: Information You Give Us - Communications with other users clause

Location Data and Collection of Non-personally Identifiable Data

Location data is an increasingly common and highly valuable piece of data. It is readily collected from internet and app users. This data is useful to advertisers in understanding consumer behavior and conducting "push" marketing to identify users near advertising businesses.

This data is useful for VR app owners because it allows them to learn more about their users, generally and individually.

While users have the option to control whether their device will or will not allow location identification, many apps require location data in order to function.

In addition, many third-party vendors such as Google Analytics, AdSense, map apps and others require user location information to be provided before a user can interact with the app.

Because of the security concerns of knowing a user's exact location at an exact time, Privacy Policies increasingly identify this as protected personal data.

The Oculus Privacy Policy discloses the many ways their apps may collect user location data, including from cell phone towers, device IP address, GPS signal and nearby WiFi networks.

Oculus Privacy Policy: Information Automatically Collected - location information clause

The LL Privacy Policy is slightly more self-limiting, acknowledging that they will collect user location information only where they are permitted to by law:

Linden Labs Privacy Policy: Location information collected Clause

Browser Activities, Device Data and Collection of Non-personally Identifiable Information

Most if not all VR apps monitor user browser activities for many reasons. Knowing when users take certain actions, why they do, and how they navigate from one app to another is useful for improving app performance and user experience.

In the case of VR, the interaction between a user's device and the VR hardware is particularly valuable to app developers, allowing them to constantly improve the reality features of their apps.

However, many consumers are unaware of how apps, websites and third-party technologies work together to monitor online behavior and use the information collected.

Additionally, the devices a VR app runs on are valuable information to app developers for many reasons. Bugs isolated to certain devices, performance of devices, consumer buying choices and user patterns all help app developers improve their products.

Because user devices contain significant data about their users including what other apps are being used on their devices, privacy laws encourage disclosure of data collected about users from those devices.

The Oculus Privacy Policy clearly explains the various ways their apps monitor user behavior and use of VR hardware such as headsets, devices, operating systems, IP addresses and device identifiers.

Oculus Privacy Policy: Information Automatically Collected - Device identifiers, other apps clause

Remember These Best Practices for VR App Privacy Policies

As discussed earlier, a key requirement of CalOPPA, GDPR and virtually every other privacy law is to clearly and simply communicate privacy policies and privacy compliance protocols to users.

When drafting your Privacy Policy for your VR app, follow these simple guidelines to ensure you meet the requirements and the spirit of all applicable laws:

  1. Draft your Privacy Policy in simple language your typical users can understand.
  2. Disclose all of the types of data you collect, both directly and indirectly.
  3. Disclose all of the reasons you collect this information.
  4. Disclose all of the ways you share the information.
  5. Explain your efforts to protect this information.
  6. Provide clear instruction for requests to retrieve, destroy or transfer user data.
  7. Post your Privacy Policy in an easy-to-find and easy-to-access location such as in the footer, as shown in the example below from the LL site.
  8. When you update your policy, use Privacy Policy Update Notices to keep your users informed of material changes.

Website Footer of Linden Labs

Finally, when developing your VR apps, be sure to deploy a strategy for Privacy by Design. This ensures you will consider privacy laws, risks, user rights and protections at all stages of your design, thus improving your outcomes and limiting your liability.

By following these guidelines, you can be assured of drafting a sound Privacy Policy that will protect you and your users around the world - both the virtual one and the real one.