Browse all articles

Kids Deserve Better Privacy in Virtual Reality

Our new report reveals how vulnerable our personal data is in VR, and why now is the time to define what privacy means for all of us.

Adult showing a child a VR headset

Virtual reality (VR) devices are a whole new world when it comes to consumer privacy. They collect exponentially more data than any other digital device available—and in doing so, they're putting our kids' privacy at risk. Our new report evaluating the privacy policies and platforms of the most popular VR devices is the first research of its kind in the industry. We discovered that these popular VR devices, which track personal details from the moment they're put on, take advantage of users' sensitive data for profit. Not a single VR headset that we tested in the market right now has earned our recommendation for kids and teens.

The Common Sense Privacy Program evaluates the privacy policies of popular consumer technology applications and services like VR that are currently used by children at home and in the classroom. This new research underscores how we find ourselves at a critical moment in our history to demand, 1.) better privacy practices from VR companies, and 2.) stronger privacy regulations of VR technologies, to help reshape what privacy in virtual reality and the metaverse means for all of us.

VR headsets and platforms collect much more data than mobile apps and websites—including body posture, eye gaze, pupil dilation, gestures, and facial expressions. They can even recognize attributes as specific as skin color. A user's body movements in VR are tracked more than 100 times per second, which means that spending 30 minutes or more in a VR experience can create more than 2 million unique data points. Automatic body responses can betray your innermost thoughts and feelings, which means that users may unintentionally share personal biometric data on private interactions and emotions.

This sensitive data is fodder for a new type of biometric personalized advertising, which can be more invasive and exploitative than any other targeted advertising known to date. Our research found that all of the privacy policies for these VR headsets were either unclear or said they use data for commercial purposes. More than half (57%) have no parental controls, and less than a third had any safety settings at all. By incorporating privacy settings to prohibit advertising, marketing, and tracking purposes, we can put an end to the practice of profiting from the use of sensitive biometric data that exposes users to privacy risks and harms.

Industry developers can do a better job of identifying the age of the user, defaulting to privacy-protecting settings for new users, and setting age-related time limits. Developers could also limit the data being collected and stored to restrict advertising by default. By creating a safe space for kids to interact in a virtual world, we can establish a community standard in the industry that agrees that kids' and teens' data is off limits.

VR can be a positive experience for kids in so many ways. Families and educators can engage kids in new, immersive experiences, from virtual-reality tours of historical locations to role-playing different characters in books, trying out virtual musical instruments, and even learning new science concepts by shrinking to the size of a cell or exploring the solar system. But these positive experiences should not come at the expense of their privacy.

We have seen a significant increase of both interest and investment in the VR marketplace, and we know that major content providers are planning for tremendous expansion in this area in the future. We have a rare chance at this moment to reflect on the current privacy of VR and implement appropriate privacy and safety-by-design policies before VR is fully adopted and integrated into society.

Our goal for this new report is to bring more awareness of the need to protect our kids' privacy in VR. It is critical that VR devices and platforms, and the content and experiences they provide, are both age appropriate and privacy-protective. This is also a chance for us to define what "privacy" means in VR. This new technology demands new forms of privacy regulations, as it collects more sensitive data than any other technology or device we have encountered to date. We need stronger laws and more awareness around these issues in VR so we can build better, safer devices before it's too late.

Girard Kelly

Girard Kelly is the head of the Common Sense Privacy Program. He is an attorney focused on Internet, privacy, cybersecurity, and Intellectual Property law who thrives on cutting-edge legal issues and has a strong background in public policy, information technology, entrepreneurship, and emerging technologies.