
The Metaverse – What Does It Mean for Data Privacy and Information Security?

What are the implications for data privacy and information security in the Metaverse?

The metaverse will create an “even more immersive and embodied Internet”, [1] where users can meet friends, collaborate with colleagues, play games, and go shopping among other activities. The announcement of the metaverse can be perceived as a glimpse into an exciting world of new experiences, innovative learning, and enriched business opportunities.

It’s not just Facebook that is promoting the metaverse. Epic Games, creators of Fortnite, are also creating the necessary infrastructure. Recently, Ariana Grande performed in its metaverse, interacting with avatars in a world of bright pink trees and swirling waves. [2] In a recent interview with Bloomberg, Google's CEO, Sundar Pichai, was asked about his thoughts on the metaverse, to which he responded, "It's always been obvious to me that computing over time will adapt to people than people adapting to computers. You won't always interact with computing in a black rectangle in front of you. So, just like you speak to people, you see, and interact, computers will become more immersive. They'll be there when you need it to be. So, I have always been excited about the future of immersive computing, ambient computing, AR". [3]

Data privacy was already high on the agenda of politicians, regulators, and, increasingly, ordinary internet users. Creating the avatars needed to “live” and "co-exist" in the metaverse, and to perform activities there, involves sharing and exposing more data to tech corporations. The tech corporations that create and manage this online world can leverage this data to streamline and tailor their products and services towards individual user expectations. There are concerns that entering the metaverse could result in greater supervision of an individual’s activities, which could be monitored and analyzed before the resulting data is sold on to advertisers. Naturally, as users put more personal data into the metaverse, the risk of sensitive or confidential data theft will increase. To achieve what its fans see as its potential, it is highly likely that the metaverse will need to use more sensors around homes and offices. The valuable capability of these devices to monitor user behavior and actions in real time will increasingly make them prone to targeted cyber-attacks.

Data will be produced, for example, when users spend money to customize their avatars. As they increase their digital footprint in the metaverse and undergo a more immersive experience, they will create greater volumes of data than their online interactions have produced so far. This raises the question of whether metaverse creators should be permitted to sell this data to third parties. A further question is who, in addition to being able to monetize this data, will be responsible for storing it, handling it, and safeguarding it.

As the metaverse becomes part of the workplace, employers will have the opportunity, should they wish to take it, to keep a closer eye on the activities and performance of their staff.

Organizations plan to combine real business meetings with the metaverse, via virtual meeting software called Horizon Workrooms. [4] More generally within the metaverse, managers may be able to monitor employee conversations, and potentially even the tone of their voice and their general manner or behavior. Employee data relevant to managers and organizations includes the emails they send, the Slack, Teams, and Skype conversations they have, and the URLs they visit. This will enable managers to find answers to questions such as: Who is enthusiastic and hard-working and who isn’t? Who demonstrates team spirit and takes the initiative, and whose behavior in the metaverse of the workplace appears to be uncooperative and not aligned to the organization’s objectives?

Social media platforms have struggled with "trolling" and perpetrators of online attacks on individuals, and there is concern that these could also occur, or have a greater impact, in the metaverse. Here, instead of suffering a barrage of nasty words, victims could be subject to gangs of angry avatars yelling at them, pointed out Amie Stepanovich, Executive Director of Silicon Flatirons, an organization that “propels the future of law, policy, and entrepreneurship in the digital age”. [5]

There are concerns, as well, about cybercrime. Given that this new experience is more "all-embracing" and "immersive" than the digital world we currently know, a cyber breach could be even more damaging financially and reputationally for the organizations and individuals concerned. With regard to copyright and intellectual property, a complex question is this: if an individual created something in the metaverse, would the rights to the creation belong to the individual or to the organization that created the metaverse?

Meta has announced that it will work with civil rights organizations to ensure that the metaverse is “built in a way that’s inclusive and empowering”. [6] There are already initiatives to create other versions of the metaverse, which give users greater privacy and more control over their personal data. Companies such as Mysilio and Uhive use decentralized solutions to achieve this. [9] Uhive describes itself as “the first social network to merge our physical reality with the digital world by following the Five Laws of the Metaverse, in the process aligning culture, communities, shopping, entertainment, and economies, a convergence known as the Social Metaverse”. [7]

The EU’s proposals, published this year, on the regulation of Artificial Intelligence (AI), which is fundamental to the metaverse, might limit unwelcome developments. [8] Meanwhile, in the US, activists are calling for a national digital privacy act that can cover the metaverse in addition to the current digital technology landscape. [5] GDPR and similar regulations will need to be revised and updated.

It is up to individual organizations to start thinking about their own policies and attitudes towards data privacy and human rights issues in the revolutionary age of the metaverse. Organizations should start planning now to maximize the metaverse's potential while minimizing risk.

[1] Meta: "Founder's Letter, 2021" (28 October 2021).

[2] BBC News: "Ariana Grande sings In Fortnite's metaverse" (9 August 2021).

[3] Bloomberg: "Google CEO Sees Company's Next Trillion in Value From Search AI" (17 November 2021).

[4] Meta: "Oculus - Introducing Horizon Workrooms: Remote Collaboration Reimagined" (19 August 2021).

[5] Associated Press: "Plenty of pitfalls await Zuckerberg's 'metaverse' plan" (7 November 2021).

[6] Meta: "Building the Metaverse Responsibly" (27 September 2021).

[7] Data Ethics EU: "The Metaverse - A Dystopian Future" (2 November 2021).

[8] UHive.

[9] European Parliament Think Tank: "Artificial Intelligence Act" (17 November 2021).

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

