Meanwhile, Meta’s current privacy policies for VR devices leave plenty of room for the collection of personal, biological data that reaches beyond a user’s face. As Katitza Rodriguez, policy director for global privacy at the Electronic Frontier Foundation, noted, the language is “broad enough to encompass a wide range of potential data streams — which, even if not being collected today, could start being collected tomorrow without necessarily notifying users, securing additional consent, or amending the policy.”
By necessity, virtual reality hardware collects fundamentally different data about its users than social media platforms do. VR headsets can be taught to recognize a user’s voice, their veins, or the shading of their iris, or to capture metrics like heart rate, breath rate, and what causes their pupils to dilate. Facebook has filed patents concerning many of these data collection types, including one that would use things like your face, voice, or even your DNA to lock and unlock devices. Another would consider a user’s “weight, force, pressure, heart rate, pressure rate, or EEG data” to create a VR avatar. Patents are often aspirational — covering potential use cases that never arise — but they can sometimes offer insight into a company’s future plans.
Meta’s current VR privacy policies do not specify all the types of data it collects about its users. The Oculus Privacy Settings, Oculus Privacy Policy, and Supplemental Oculus Data Policy, which govern Meta’s current virtual reality offerings, provide some information about the broad categories of data that Oculus devices collect. But they all specify that their data fields (things like “the position of your headset, the speed of your controller and changes in your orientation like when you move your head”) are just examples within those categories, rather than a full enumeration of their contents.
The examples given also do not convey the breadth of the categories they’re meant to represent. For example, the Oculus Privacy Policy states that Meta collects “information about your environment, physical movements, and dimensions when you use an XR device.” It then provides two examples of such collection: information about your VR play area and “technical information like your estimated hand size and hand movement.”
But “information about your environment, physical movements, and dimensions” could describe data points far beyond estimated hand size and game boundary — it also could include involuntary reaction metrics, like a flinch, or uniquely identifying movements, like a smile.
Meta twice declined to detail the types of data that its devices collect today and the types of data that it plans to collect in the future. It also declined to say whether it is currently collecting, or plans to collect, biometric information such as heart rate, breath rate, pupil dilation, iris recognition, voice identification, vein recognition, facial movements, or facial recognition. Instead, it pointed to the policies linked above, adding that “Oculus VR headsets currently do not process biometric data as defined under applicable law.” A company spokesperson declined to specify which laws Meta considers applicable. However, some 24 hours after publication of this story, the company told us that it does not “currently” collect the types of data detailed above, nor does it “currently” use facial recognition in its VR devices.
Meta did, however, offer additional information about how it uses personal data in advertising. The Supplemental Oculus Terms of Service say that Meta may use information about “actions [users] have taken in Oculus products” to serve them ads and sponsored content. Depending on how Oculus defines “action,” this language could allow it to target ads based on what makes us jump from fear, or makes our hearts flutter, or our hands sweaty.