Meanwhile, Meta’s current privacy policies for VR devices leave plenty of room for the collection of personal, biological data that reaches beyond a user’s face. As Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation, noted, the language is “broad enough to encompass a wide range of potential data streams – which, even if not being collected today, could start being collected tomorrow without necessarily notifying users, securing additional consent, or amending the policy. ”
By necessity, virtual reality hardware collects fundamentally different data about its users than social media platforms do. VR headsets can be taught to recognize a user’s voice, their veins, or the shading of their iris, or to capture metrics like heart rate, breath rate, and what causes their pupils to dilate. Facebook has filed patents concerning many of these data collection types, including one that would use things like your face, voice, or even your DNA to lock and unlock devices. Another would consider a user’s “weight, force, pressure, heart rate, pressure rate, or EEG data” to create a VR avatar. Patents are often aspirational – covering potential use cases that never arise – but they can sometimes offer insight into a company’s future plans.
But “information about your environment, physical movements, and dimensions” could describe data points far beyond estimated hand size and game boundary – it could also include involuntary reaction metrics, like a flinch, or uniquely identifying movements, like a smile.
Meta twice declined to detail the types of data that its devices collect today and the types of data that it plans to collect in the future. It also declined to say whether it is currently collecting, or plans to collect, biometric information such as heart rate, breath rate, pupil dilation, iris recognition, voice identification, vein recognition, facial movements, or facial recognition. Instead, it pointed to the policies linked above, adding that “Oculus VR headsets currently do not process biometric data as defined under applicable law.” A company spokesperson declined to specify which laws Meta considers applicable. However, some 24 hours after publication of this story, the company told us that it does not “currently” collect the types of data detailed above, nor does it “currently” use facial recognition in its VR devices.
Meta did, however, offer additional information about how it uses personal data in advertising. The Supplemental Oculus Terms of Service say that Meta may use information about “actions [users] have taken in Oculus products ” to serve them ads and sponsored content. Depending on how Oculus defines “action,” this language could allow it to target ads based on what makes us jump from fear, or makes our hearts flutter, or our hands sweaty.