25 January 2022

Heavy Meta: Privacy And Cybersecurity In The Metaverse

Gamma Law


Gamma Law is a specialty law firm providing premium support to select clients in cutting-edge media/tech industry sectors. We have deep expertise in video games and esports, VR/AR/XR, digital media and entertainment, cryptocurrencies and blockchain. Our clients range from founders of emerging businesses to multinational enterprises.
The metaverse is poised to become the biggest technological revolution of the 21st century. It is likely to change the way humans engage with each other, revolutionizing social interaction...
United States Privacy
To print this article, all you need is to be registered or login on

The metaverse is poised to become the biggest technological revolution of the 21st century. It is likely to change the way humans engage with each other, revolutionizing social interaction, building whole new economies, and ushering in a host of privacy and cybersecurity issues. Emerging technologies companies should be aware of these issues and take the necessary steps to mitigate risk as these markets enter gray or wholly unexplored legal territories. In this article, we examine some of the issues related to the areas of privacy and cybersecurity in the metaverse.


The interconnected universe can be expected to collect, store, and rely on more personal data than ever before by unifying currently disparate personalized digital experiences that range from shopping to virtual travel, to entertainment, and information gathering. Metaverse providers will have access to even more personal data, including biometric responses, physical location, financial records, and even the appearance of users' homes. FurtherMetaverse companies such as Mark Zuckerberg's Meta are likely to collect personal information for individual identification, advertisement targeting, tracking through multiple channels, health monitoring (such as heart and respiratory rates), and others to optimize the virtual experience. Metaverse companies will combine and aggregate vast quantities of data that influence every aspect of our lives. 

Protecting user privacy presents a serious hurdle for metaverse, XR, and video gaming platforms, both from a practical and a legal standpoint. And the meta environment magnifies the cost of getting it wrong. 

  • Device and Headset Proliferation – According to Facebook whistleblower Frances Haugen, the metaverse will require people to put "many, many more sensors in our homes and our workplaces in addition to those attached to our bodies to generate fully interactive virtual reality experiences. A metaverse setup is likely to include added gear such as headsets and AR glasses which could present major privacy threats by bringing live cameras and microphones inside homes and offices. This poses challenges from a privacy point of view as it would give these sensors unprecedented real-time insight into the everyday lives of individuals. International Data Corp reports that shipments of AR and VR headsets more than doubled in the second quarter of 2021 to 2.2 million compared with the same period last year. The consultancy expects total headset sales to reach 9.7 million in 2021 and nearly triple again by 2025. Much of the growth is driven both by more sophisticated gaming systems and the use of VR in events, conferences, education, fitness, and the metaverse.
  • Collaboration and Interoperability – The primary purpose of the metaverse is to allow people to interact in a digital world, which means that each metaverse should be accessible from all devices and headsets. This has ramifications from a privacy standpoint since user data will be accessible across devices and platforms. To mitigate the privacy challenges arising as a result of universal interoperability, experts have proposed that technology companies agree to certain standards for a connected metaverse that can integrate among different creators. In the absence of such standards, technology companies will have to license the rights to use another company's underlying technology to build its own metaverse. 

The metaverse poses significant privacy-related challenges. In the absence of specific laws to protect data privacy over the metaverse, emerging technologies companies should undertake specific legal measures to minimize the risk of privacy-related issues in the metaverse.  


The metaverse's cybersecurity legal challenges are similar to those posed by the internet which, in turn, reflect those of society in general. According to experts, the metaverse is likely to give rise to entirely new cybercrimes due to its unique infrastructure. For example, a metaverse, which is heavily centered on the use of cryptocurrencies and non-fungible tokens (NFTs) can be a hotbed for financial cybercrimes such as fraud, theft, and money laundering, as well as "old-school" digital malfeasance such as phishing, ransomware, and hacking.

  •  Cheating and duping – There is a high likelihood of cheating and duping on the metaverse primarily due to the ease by which attackers can conceal their true identities behind multiple layers, screens, and avatars. Famous art dealer Sotheby's has recently introduced Sotheby's Metaverse which is aimed at digital art collectors. It offers a curated selection of NFTs chosen by the auction house's specialists. The NFTs available on Sotheby's Metaverse are verified and digitally tracked through a public ledger of the blockchain via Ethereum. However, just like in the real art world, collectors can easily be fooled by counterfeits, replicas, and prints that are minted by cybercriminals poised as legitimate authenticators.
  • Cybersquatting – The ease of obscuring one's identity also enables would-be cybersquatters. Fraudsters can take advantage of squatting on .eth websites that use a legitimate company's name. In this case, the cybercriminals leverage the goodwill or reputation of established businesses by creating Ethereum domain names and smart contracts that ostensibly belong to the victim organizations. Hence, transactions on the metaverse may not be safe as it is difficult to ascertain a user's identity.  

In addition to the above, other questions must be answered before users can truly feel comfortable spending time in the metaverse and platform holders feel reassured that they will not be held liable for enabling security breaches or harboring cybercriminals:

  • How will metaverse cybersecurity be managed?
  • What requirements will apply with respect to keeping data secure?
  • How will regulation or site policies evolve to address deep fakes, avatar impersonation, trolling, and other cyber threats?  
  • What laws will apply and how will the various players collaborate in addressing this issue?

The metaverse poses complex questions that most likely require the amending of existing laws and regulations. Until then, having appropriate legal and technological measures in place can help mitigate risk and provide some degree of protection for metaverse users.      

Recently, Facebook's metaverse has come under scrutiny for potentially violating users' privacy. Haugen has argued that  Facebook's metaverse (and the virtual reality world in general) could be addictive and lead to the stealing of personal information. To prevent similar allegations, Emerging technologies companies working in the metaverse space should be fully aware of the privacy law-related implications of the metaverse. These companies should consider developing their own metaverse (or virtual platform) privacy policies, personal data protection policy, data retention policy, data subject consent form, licensing agreements, and other legal documents in place. A law firm specializing in emerging technologies can help you in drafting these legal documents and provide you with guidance on the privacy and cybersecurity-related regulatory challenges posed by the metaverse. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More