Data Privacy Concerns in the Metaverse. May the privacy be with us!

April 2022 – All of us have concerns regarding data privacy in the metaverse. Countless questions come to mind, such as: What is the metaverse? Can a digital personality be considered as personal data? What happens if digital data is processed? In this short article we touch on the metaverse’s main data privacy concerns. 

What is the metaverse?

The metaverse is a virtual world that relies on multiple technologies such as virtual reality, blockchain, artificial intelligence, etc. There is no longer just one world like the real world anymore. A new virtual-world era has begun with the advent of different metaverses such as Horizon, Decentraland, Sandbox, and Upland, and it appears that their number will continue to increase.

Metaverses may be decentralised or centralised. If users govern the metaverse it is considered decentralised; metaverses governed by central authorities are considered centralised.

Users can do a variety of virtual things inside a metaverse—play sports, give a concert, buy clothes, shoes, or digital assets, and meet with friends. During these activities, vast amounts of data related to users may be collected. In this short article, we touch on the main data privacy concerns in the metaverse.

Can a digital personality be considered personal data?

The reality of the metaverse is virtual, not real. Those who wish to experience virtual reality need to create an avatar. These avatars may reflect any digital appearance the user chooses, such that users can even be a cat or a dog, as there is no rule that users must appear only in human form.

Users may create their digital personality in the metaverse that they desire. This digital personality may make it possible to identify a real personality or not.

Undoubtedly, if a digital personality makes a real person identifiable in the real world, this data shall be considered personal data. For instance, currently people can hold meetings in virtual meeting rooms with many attendees. Furthermore, there are some considerations regarding the implications of digital identities for the practice of international arbitration. As a result, digital personalities must be verified under specific circumstances. In such cases, digital personalities are considered as personal data in the real world.

What if digital personal data is processed?

Digital personalities unrelated to the real world may be monitored. For instance, a user’s preferences, behaviours, etc., may be monitored and processed, and marketing campaigns correlated with the processed data from the metaverse may be submitted to a user who has only a digital personality unrelated to the real world. In a nutshell, it is required to create mechanisms to ensure digital data privacy and particularly to protect the data of users who are children, people with mental disabilities, or who otherwise lack discretion of judgement.

Who is responsible for data security?

In the data ocean, the most important thing is security. It is crucial to determine who is responsible for data security, how data breach incidents may be prevented, and what happens in the event of a data breach incident.

The responsibilities of data controllers and data processors vary from one jurisdiction to another. However, in general, the concept of "data controller" is defined as a person, company, or other body that determines the purpose and means of personal data processing.

In the metaverse, who is responsible depends on whether the metaverse is decentralised or centralised. There may be one main administrator to process all personal data and determine how personal data will be processed, or there may be multiple entities that process personal data through a metaverse.

When a user shops in a store in a metaverse and provides their digital personal data, the store may also be considered as a data controller, similar to the real world.

In order to ensure transparency, each metaverse can create its data processing rules and declare who is the data controller and data processor of the relevant metaverse.

May the privacy be with us!

Even if teleporting is science fiction, human beings will still be able to go wherever they want and be whomever they want. As Facebook (Meta) Founder Mark Zuckerberg explains: “We’ve gone from desktop to web to mobile; from text to photos to video. But this isn’t the end of the line. The next platform will be even more immersive—an embodied internet where you’re in the experience, not just looking at it. We call this the metaverse, and it will touch every product we build.”

Since the metaverse embodies a virtual world identical to the real world, the importance of data privacy is taking on another dimension and many questions are arising. We hope that there will be adequate measures to ensure data privacy in both the real and digital worlds. May the privacy be with us!

For more information please contact Ceren Ceyhan, Associate, at


    • SHARE