Meanwhile, Meta’s current privacy policies for VR devices leave plenty of room for the collection of personal, biological data that reaches beyond the user’s face. As noted by Katitza Rodriguez, global privacy policy director at the Electronic Frontier Foundation, the language is “broad enough to cover a wide range of potential data streams — even if it’s not collected today, it could start collecting tomorrow without necessarily notifying users, obtaining additional consent, or amending the policy.”
By necessity, virtual reality hardware collects fundamentally different data about its users than social media platforms. VR headsets can be taught to recognize a user’s voice, their blood vessels or the shade of their iris, or capture metrics such as heart rate, breathing rate and what causes their pupils to dilate. Facebook has filed patents for many forms of this data collection, including using things like your face, voice or your DNA to lock and unlock devices. Another considers the user’s “weight, force, stress, heart rate, strain rate, or EEG data” to create a VR avatar. Patents are often aspirational — involving potential use cases that may never arise — but they can sometimes offer insight into a company’s future plans.
Meta’s current VR privacy policies do not specify all types of data it collects about its users. The Oculus Privacy Settings governing Meta’s current virtual reality offerings, the Oculus Privacy Policy, and the supplemental Oculus Data Policy provide certain information about the broad categories of data that Oculus devices collect. But they all specify that their data fields (“things like the position of your headset, the speed of your controller, and changes in your orientation when you move your head”) are just that: examples within those categories, rather than a complete enumeration of their contents.
The examples given do not convey the breadth of classes they are intended to represent. For example, the Oculus privacy policy states that Meta collects “information about your environment, physical movements, and dimensions when you use an XR device.” It then provides two examples of such collection: information about your VR play area and “technical information such as your estimated hand size and hand movement.”
But “information about your environment, physical movements and dimensions” can describe data points well beyond estimated hand size and play area, including involuntary response metrics and uniquely identifying movements such as a flinch or a smile.
Meta has twice declined to describe the types of data its devices collect today and the types of data it plans to collect in the future. It declined to say whether it currently collects or plans to collect biometric information such as heart rate, breathing rate, pupil dilation, iris recognition, voice recognition, vein recognition, facial movements or facial recognition. Instead, it pointed to the policies linked above, adding that “Oculus VR headsets do not process biometric data as currently defined under applicable law.” A company spokeswoman declined to specify which laws Meta considers applicable. However, about 24 hours after this story was published, the company told us that it “currently” does not collect the types of data described above, nor does it “currently” use facial recognition on its VR devices.
However, Meta provided additional information about how personal data is used in advertising. A supplemental Oculus Terms of Service states that Meta “may use information about actions [users] have taken in Oculus products to serve them ads and sponsored content.” Depending on how Oculus defines “action,” this language allows ads to be targeted based on what makes us jump in fear, makes our hearts flutter, or makes our hands sweat.