The VR Reality
An estimated 171 million people around the world are using VR hardware and software, with 250 games and over 200,000 developers registered to build for Oculus Rift, according to KZero research.
With the majority of VR users being kids, tweens and teens, and the marketplace being the entire planet, privacy laws are an important reality.
Most VR apps collect three categories of user data:
- Personally identifiable information required for registration and delivery of an app to a device, and sometimes payment information for in-app purchases.
- Non-personally identifiable information used to monitor analytics, user behaviors, etc.
- Aggregate information about groups of users. Aggregate information is used to create a community gaming experience.
VR apps carry special privacy considerations that some other apps don't. VR apps often create a community gaming experience in which a user is interacting with the app and also with other users they may or may not know. Additionally, the overwhelming majority of users are minors.
Privacy laws in California (CalOPPA) and the EU (GDPR) are particularly strict in protecting the privacy rights of minors. While the age defining a "minor" varies, the concern for protecting minors is universal.
Rising online bullying, teen violence, child trafficking and identity theft are just some of the concerns lawmakers and parents have.
Pornography is another fast-growing segment of the VR world where special considerations should be made. Because VR apps collect so much information about their users and user behaviors, and because users may not understand how much of what they do is being monitored, porn apps may need to provide certain disclosures to educate and inform their users.
What Do You Know about Your VR Users
Your VR app might be collecting more information about your users than meets the eye. VR Heads, a leading authority on the VR industry, says all VR apps collect all of the following information about their users:
- Personally identifiable user data
- Aggregate data
- Location data
- Browser activities
- Device details
- IP addresses
Privacy laws require disclosure of every type of personally identifiable user information you are collecting. They also require you to disclose the methods you use to collect the data, and why you need it.
Privacy laws apply to information you are collecting both directly and indirectly.
Examples of direct forms of data collection include user inputs, such as on a user registration page or profile setup page.
User Registration Data and Collection of Personally Identifiable Information
If your VR app requires or allows user registration, you likely collect user name, phone number, date of birth and email address. Many apps also collect additional information for the user profile such as an image or social media profiles. All of these types of data are considered personal data.
Oculus provides a good example of a typical VR app sign-up form:
Oculus also has a clause for "Information Automatically Collected About You When You Use Our Services." This includes information such as app interactions, bodily movements, device details, IP address and location.
Separate mention is made for information third parties share with Oculus, such as vendor partners, Facebook and other affiliated companies:
In the clause below, "Types of Information We Collect," LL clearly defines three types of information they may use: Personal, Anonymous and Aggregate.
This simple, straightforward approach meets mandates of the EU's General Data Protection Regulation (GDPR) and California's Online Privacy Protection Act (CalOPPA), both of which require plain and simple language the typical user can understand.
User Profile Data and Collection of Personally Identifiable Information
User profiles greatly benefit any app experience and VR apps are no exception. The more app users personalize their online profiles, the more invested they are in the app.
Many VR apps invite users to say something about themselves, upload an avatar or profile pic, or enter personal information not required for app registration.
Information the user provides to you through your VR app's profile fields is protected information.
Privacy laws require you to disclose the information you collect in the user profile fields in the same way you must disclose the information collected during user registration.
Additionally, you must disclose why that information is collected and how it's used by you or your third-party vendors.
The same clause goes on to acknowledge that information about a user's physical features and dimensions may be collected by their apps. This helps educate users about the many types of personally identifiable information being collected about them.
Minors are considered particularly vulnerable to over-disclosing personal information in user profiles. Because of this, many privacy laws require app owners to make special disclosures that will aid minors in understanding their privacy risks and rights.
CalOPPA requires that you do all of the following:
- Allow minors to instruct you to permanently remove all information you have collected about them. This includes ceasing use of, or sharing of, their data.
- Provide notice to minors of their rights.
- Provide clear instruction to minors of the right to instruct you to remove their information, and also of their right to request an electronic copy of their information at no charge.
Educate minor users that the removal of their information from your database does not provide protection of any data you have shared with third parties prior to receiving their request. You must also advise them that removal might not necessarily clear all of their data stored in your app.
GDPR requirements are similar. The regulation defines the age of a minor as a child aged 16 or younger. However, it allows member states to independently establish age for consent to anywhere from age 13 to 16.
Because of this rule, VR apps attracting children must collect user date of birth, typically at the user registration level.
Any app user under the age of consent for the EU member state must provide parental consent to use the app.
Additionally, the app owner must make a reasonable effort to verify that the individual providing the parental consent is, in fact, a legal guardian of the minor.
User Physical Data and Collection of Personally Identifiable Information
An exciting and, to some, scary capability of VR technology is harvesting information about a user's physical profile. Height, weight, girth, gait and movement patterns are all tracked by VR apps in order to personalize and improve the user's app experience.
Some VR apps also learn additional personal information about users, such as hair, skin and eye color.
While the technical benefits to an app experience are clear, the risks to privacy are a bit fuzzier.
Technologies that can essentially create a picture of a user based on their use of an app and the data collected through use of the app pose certain risks, especially to minors.
Interaction with Groups and Aggregate Data Collection
Many VR apps provide an exciting user group experience, enabling users to experience an app simultaneously with friends or even strangers around the world.
They also offer group chat threads and community forums, allowing users to interact socially but also risking the sharing of personally identifiable data.
As exciting as this technology is, it introduces a new level of potential privacy risk, particularly to minors. However, adult VR apps also carry risks of inadvertent sharing of personal information among users who are uninformed about their privacy risks.
Location Data and Collection of Non-personally Identifiable Data
Location data is an increasingly common and highly valuable piece of data. It is readily collected from internet and app users. This data is useful to advertisers in understanding consumer behavior and conducting "push" marketing to identify users near advertising businesses.
This data is useful for VR app owners because it allows them to learn more about their users, generally and individually.
While users have the option to control whether their device will or will not allow location identification, many apps require location data in order to function.
In addition, many third-party vendors such as Google Analytics, AdSense, map apps and others require user location information to be provided before a user can interact with the app.
Because of the security concerns of knowing a user's exact location at an exact time, Privacy Policies increasingly identify this as protected personal data.
Browser Activities, Device Data and Collection of Non-personally Identifiable Information
Most if not all VR apps monitor user browser activities for many reasons. Knowing when users take certain actions, why they do, and how they navigate from one app to another is useful for improving app performance and user experience.
In the case of VR, the interaction between a user's device and the VR hardware is particularly valuable to app developers, allowing them to constantly improve the reality features of their apps.
However, many consumers are unaware of how apps, websites and third-party technologies work together to monitor online behavior and use the information collected.
Additionally, knowing which devices a VR app uses is valuable to app developers for many reasons. Bugs isolated to certain devices, performance of devices, consumer buying choices and user patterns all help app developers improve their products.
Because user devices contain significant data about their users including what other apps are being used on their devices, privacy laws encourage disclosure of data collected about users from those devices.
Remember These Best Practices for VR App Privacy Policies
As discussed earlier, a key requirement of CalOPPA, GDPR and virtually every other privacy law is to clearly and simply communicate privacy policies and privacy compliance protocols to users.
- Disclose all of the types of data you collect, both directly and indirectly.
- Disclose all of the reasons you collect this information.
- Disclose all of the ways you share the information.
- Explain your efforts to protect this information.
- Provide clear instruction for requests to retrieve, destroy or transfer user data.
Finally, when developing your VR apps, be sure to deploy a strategy for Privacy by Design. This ensures you will consider privacy laws, risks, user rights and protections at all stages of your design, thus improving your outcomes and limiting your liability.