Privacy and Cybersecurity for Retailers in the Metaverse
Imagine a customer walking into a clothing store. She browses the racks, selects a few items, and asks the sales associate for a dressing room. She walks to the dressing room and tries on the clothes. Then she heads to the counter, pays for some of the items, and leaves.
We take for granted — because it's so obvious — how much information is transferred from customer to the company in this very normal situation: her height, weight, clothing preferences, credit card number, and bank account information. If the sales associate is discerning, the company might also learn why she prefers some clothes over others, or what other shops she frequents.
What happens when the customer is in the United States, the racks of clothes are in France, the dressing room is in the U.K., and the counter to pay is in Japan? Sounds crazy! But in the metaverse, it actually is possible.
The metaverse is a digital world seamlessly integrated into the physical world. In the most ambitious visions of the metaverse, people around the globe use digital avatars to work and socialize together in a virtual cyberspace. This active commercial environment could make the metaverse a valuable location to access potential customers, and retailers could also make the metaverse a more desirable place to visit.
However, the metaverse also brings risk. In nearly every jurisdiction across the globe, consumer privacy laws regulate the collection and use of customers’ personal information obtained over the internet. Complying with these laws in a traditional setting can already be complex. This article identifies some of the most pressing issues that could arise for retailers in the digital future of the metaverse.
Which Data Privacy Laws Apply in the Metaverse?
A California retailer in the metaverse may host virtual customers from Virginia, France, and China all at the same time. In this example, the California retailer would not only be responsible for complying with California privacy laws, it also must comply with the privacy laws of Virginia, the European Union, and China.
Each one of a retailer’s virtual visitors may be protected by one or more regional privacy law regimes, and retailers are responsible for complying with them all. This creates challenges. Retailers must take reasonable steps to determine each customer’s location; determine whether that location has additional or different laws related to the use and collection of personal information; and, if so, comply with those laws, which sometimes may require making business changes to how information is collected, stored and used. On top of these practical challenges, retailers will need to address how these privacy regulations interact and how they can comply with the several different and possibly conflicting regimes at once. Major online platforms deal with challenges like this regularly, but the metaverse makes this a problem for much smaller retailers for the first time.
How to Handle International Data Exchanges in the Metaverse
One of the key benefits of the metaverse is that retailers aren't limited by physical boundaries. A Belgian citizen could visit the store of a U.S.-based retailer without leaving home. However, this simple interaction necessarily includes the transfer and exchange of data across international borders.
Retailers processing this type of international transaction will need to be aware of international data transfer and data localization laws. In the metaverse, as in today’s digital space, international data transfer laws will govern exchanges of information across borders, while data localization laws will dictate where the information can be stored. Retailers must be aware of these laws and take steps to remain in compliance.
For example, a straightforward way to stay within the law for transfers to and from the European Union is to rely on standard contractual clauses (SCCs). SCCs are model contractual clauses pre-approved by the European Commission to ensure adequate data protection during international exchanges of information. Soon, U.S.- and EU-based retailers will be able to participate in the EU-U.S. Data Privacy Framework. This new framework, implemented by the Biden administration’s recent executive order, facilitates transfers between the U.S. and the EU that comply with the EU’s General Data Protection Regulation (GDPR).
How to Comply With Data Privacy Laws in the Metaverse
Some of the most basic elements of modern U.S. privacy law — such as providing notice and obtaining consent for the collection and use of personal information — become surprisingly complex in the metaverse.
It's not too complicated to make a privacy policy reasonably accessible on a website. In most situations, all the company has to do is have a hyperlink on its homepage that links to the policy. However, there are no “homepages” in the metaverse. It's not even obvious when a metaverse avatar moves from one retailer’s online space to another’s. But in jurisdictions that require conspicuous notification of privacy policies, this complexity must be sorted out.
Consent is even more challenging. When and how is consent obtained? What would be equivalent to a pop-up bubble prior to entering a website. Perhaps a floating orb? Or a new avatar that seeks the consent? If express written consent is required to collect any data, then companies must get creative to ensure they don't inadvertently collect data prior to obtaining consent. In a space where every step potentially implicates the collection of personal information, there are significant risks to not proactively preparing to comply with the laws.
How to Maintain Data Governance and Cybersecurity
The metaverse could substantially change how we interact in digital spaces, and the amount of collectible information may increase in size just as much. Body movements, the smallest glances, changes in vocal tone, heart rate, proximity to other avatars — all of this information is theoretically collectible in the metaverse. This creates real opportunities and real risk for both consumers and retailers that are promising to protect that same information through privacy policies.
Retailers will need to place an even greater emphasis on data governance and cybersecurity to deal with the increasing amount of information and interaction. An increase in personal and sensitive information coupled with an increase in possible access points may incentivize bad actors to target retailers in the virtual space. Therefore, retailers will need to be vigilant and consistent in their data management and security practices to stave off these threats.
Conclusion
While the future of the metaverse is still unknown, retailers should be aware of the privacy concerns it may bring. The global nature of the metaverse will challenge retailers to comply with a multitude of privacy regimes, while the novel structure of the metaverse will require them to collect and secure data in new ways. Retailers that are able to adapt to these privacy challenges may discover new opportunities in the metaverse.
Kristin Madigan is a partner in Crowell & Moring’s San Francisco office and a member of the firm’s Litigation and Privacy & Cybersecurity groups.
Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He's a member of the Litigation and Privacy & Cybersecurity groups.
Alexis Ward is a senior law clerk at Crowell & Moring.
Kristin Madigan is a partner in Crowell & Moring’s San Francisco office and a member of the firm’s Litigation and Privacy & Cybersecurity groups.
Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups.
Alexis Ward is a senior law clerk at Crowell & Moring.
