Meanwhile, Meta’s current privacy policies for VR devices leave plenty of room for the collection of personal and biological data that goes beyond a user’s face. As noted by Katitza Rodriguez, director of global privacy policy at the Electronic Frontier Foundation, the language is “broad enough to encompass a wide range of potential data flows – which, even if not collected today, may begin to be collected tomorrow without necessarily notifying users, obtaining additional consent, or changing policy.”
By necessity, virtual reality hardware collects fundamentally different data about its users than social media platforms. VR headsets can learn to recognize a user’s voice, veins, or iris shading, or capture metrics such as heart rate, respiratory rate, and what causes their pupils to dilate. Facebook has filed patents for many of these types of data collection, including one that would use things like your face, your voice, or even your DNA to lock and unlock devices. Another one would take into account a user’s “weight, force, pressure, heart rate, pressure rate, or EEG data” to create a VR avatar. Patents are often ambitious, covering potential use cases that never come up, but they can sometimes give insight into a company’s future plans.
Meta’s current virtual reality privacy policies do not specify all types of data it collects about its users. The Oculus Privacy Settings, Oculus Privacy Policy and Additional Oculus Data Policy, which govern Meta’s current virtual reality offerings, provide information on the broad categories of data collected by Oculus devices. But they all specify that their data fields (things like “your headset position, your controller speed, and orientation changes like when you move your head”) are just examples within these categories, rather than a full listing of their contents.
Nor do the examples given convey the breadth of the categories they are meant to represent. For example, Oculus’ privacy policy states that Meta collects “information about your surroundings, physical movements, and dimensions when you use an XR device.” It then provides two examples of such collection: information about your VR game area and “technical information such as estimated hand size and movement”.
But “information about your surroundings, physical movements and dimensions” could describe data points far beyond estimated hand size and game limits – it could also include measures of involuntary reaction, such as a flinch, or unique identifying movements, such as a smile.
Meta twice declined to detail the types of data its devices collect today and the types of data it plans to collect in the future. It also declined to say whether it currently collects or plans to collect biometric information such as heart rate, respiratory rate, pupil dilation, iris recognition, voice identification, vein recognition, facial movements or facial recognition. Instead, it pointed to the linked policies above, adding that “Oculus VR headsets currently do not process biometric data as defined by applicable law.” A company spokesperson declined to elaborate on which laws Meta considers applicable. However, approximately 24 hours after this story was published, the company told us that it does not “currently” collect the types of data detailed above, nor does it “currently” use facial recognition in its VR devices.
Meta has, however, provided additional information on how it uses personal data in advertising. The Oculus Additional Terms of Service say that Meta may use information about “actions [users] took in Oculus’ products” to serve them ads and sponsored content. Depending on how Oculus defines “action,” this language could allow it to target ads based on what makes us jump in fear, or make our hearts race or our palms sweat.