The ICO exists to empower you through information.


The ‘metaverse’, next generation virtual worlds, and the ‘3D immersive internet’ are all terms used to describe a vision for a future internet in which the physical and virtual worlds become increasingly blended. Though there are many different conceptions of the so-called metaverse, most immersive solutions being developed today focus on building virtual environments in which users interact in real-time. 

Users are able to visit virtual spaces across the globe, engage with virtual objects and artefacts and explore new environments from their homes, offices or classrooms.  

If implemented at scale, this technology has the potential to profoundly impact how people learn, play and work. But whilst these virtual worlds can bring many benefits, from allowing users to overcome language barriers to experiencing ideas and new worlds in an interactive and collaborative format, they may also require collecting a significant amount of personal information merely to function. 

About immersive virtual worlds (“the metaverse”)

There is a current lack of industry consensus on the terminology and definitions, as well as the technology stack that might underpin future immersive virtual worlds (IVWs). We expect these solutions to be immersive, 3D-rendered digital environments, where users will interact through avatars. Although the details and use cases remain relatively conceptual at this point. The avatars will serve as digital representations of people, which may range from being entirely lifelike or cartoon in style, and will be able to move between different digital worlds and environments. For example, to visit different shops, games, or virtual representations of famous landmarks and interact with other similar avatars. 

Beyond the 3D immersive element, the realisation of IVW’s varies. However the vision is broadly dependent on the advancement of many technologies which will “stack” to provide a seamless experience in the future. Some of these technologies exist today, for example virtual reality devices, along with some early use cases across home entertainment and gaming. However, we expect IVW’s to grow in sophistication, scale and degree of interactivity in the years to come. The technologies involved in this process may include: 

  • immersive technologies and integrated virtual world platforms; 
  • artificial intelligence (AI) including machine learning, large language models and chatbots; 
  • sensors including motion sensors, eye-tracking and audio sensors, haptic sensors and neural-sensors; and 
  • distributed ledger technologies such as blockchain and non-fungible tokens (NFTs). 

Users are likely be able to access virtual worlds through a variety of mediums, from existing devices including smart phones and tablets, to specialised extended reality hardware. Different types of extended reality solutions will require different devices:  

  • Augmented reality (AR) overlays computer-generated visuals onto a user’s perception of the physical world. Future AR solutions are likely continue to work through camera filters on smart phones, glasses or head-mounted displays (ie headsets).  
  • Mixed reality (MR) combines elements of AR and VR. It involves computer-general visuals that interact with the physical world beyond a simple AR overlay. For example, a user throwing a virtual ball against a wall that exists in the physical world and having it bounce back to them. Similar to AR devices, users experience MR through handheld devices or headsets. 
  • Virtual reality (VR) is made up of 3D computer-generated environments that replace a user’s field of vision with total immersion, typically through a headset. This is the deepest and most “immersive” reality that can be created. 

State of development

Similarly to the lack of clarity on what the metaverse is, there is some scepticism around the speed at which these visions may be realised. The  barriers to bringing the metaverse to life span across the social and technological. This includes the ability to scale the number of concurrent users in virtual worlds at any one time, to the relatively limited number of use cases for immersive technologies currently available. This leads to more limited uptake when compared to other devices. These are not challenges that are anticipated to be overcome in the short term, with many industry leaders estimating the full potential of immersive futures may not be realised for another 10 to 15 years. 

Fictional future scenario

Aoife is new to the world of immersive environments and is setting up her profile for the first time. She is interested in managing her data herself, so instead of opting for the more common third-party intermediary to manage her data, she chooses to use a decentralised data store she controls herself. This way, she can pick what information she wants to share with the virtual worlds she enters – beyond the minimum required information to continue interacting in the space. A single, interoperable token (agreed upon by all major platforms) is used to provide authentication across the different virtual worlds, devices, platforms and systems.   

Aoife chooses to share a high volume of her information with the platforms, as she enjoys receiving personalised recommendations for content and goods. This includes physiological information collected from her VR headset, including optical information (such as how long she looks at content and eye dilation reaction) and cardiac responses to stimulation. Platforms use this information to deduce that she enjoys horror-related content. Her streaming service begins recommending a new series within this genre.  

The next time Aoife goes shopping within her virtual high street, the mannequins at the front of the shop are wearing merchandise about the new TV series. Upon purchasing, Aoife is offered the opportunity to buy an NFT t-shirt for her avatar to wear, or a physical copy of the t-shirt which she can purchase in the virtual environment. The physical t-shirt would be shipped directly to her home. Interested in the physical version of the t-shirt, Aoife uses the AR capabilities on her phone to try on the t-shirt and select the best fit so she can minimise needing to return items.  

Data protection and privacy implications

Immersive technologies pose a number of significant data protection and privacy challenges. Primarily around the required collection of increasingly high volumes of sensitive information on users and transparency concerns affecting both users and (unwitting) bystanders.

  • Processing large amounts of information about sensitive human characteristics: Immersive technology hardware collects vast amounts of information on users, including eye movement tracking, iris scans and facial movement monitoring. This may be biometric under the UK GDPR and therefore subject to special category information protections. Even where the threshold for biometric data is not met, the data when considered as a whole can reveal a vast amount of information about a person. This could provide organisations with increasingly sophisticated user profiles and centralises a huge amount of information in one place increasing security risks. These risks were explored in detail in our 2022 Tech horizons report
  • Children’s information: Children are already active users of early immersive virtual environments for gaming, socialising and learning purposes. A recent decision by a leading hardware and platform provider to lower the minimum age for their VR headset use from 13 to 10 years old indicates they will likely continue to be a growing user base. Research conducted by Global Counsel showed 56 percent of the UK public strongly supported rules which would require technology companies to protect children by restricting their experience of the metaverse.20 Organisations should proactively consider putting in place safeguards in their IVW solutions. In particular,  their application of age assurance technologies and compliance with privacy and safety by design requirements. Our Age appropriate design code, which provides guidance for online services likely to be accessed by children, is particularly relevant here.
  • Interoperability: Interoperability between different IVW providers will enable users to have an increasingly “frictionless experience”. This means they can move between different environments seamlessly. This may allow users to easily enter different shops in a virtual shopping centre or visit a number of virtual tourist attractions one after the other without having to ‘sign in’ to each location. In practice, this would mean there is no need for multiple log ins, usernames and passwords for different platforms. It may also provide a more dynamic user experience than being blocked from entering new virtual spaces until terms and conditions are agreed with each virtual world operator. Therefore, interoperable virtual worlds may empower users to be more in control of their personal information. However, they will also rely on establishing common technical standards, protocols and systems. Any standardisation of these will rely on platform and industry agreement and collaboration.  
    Interoperability also has the potential to open up digital markets and allow a level playing field in which users can exercise more control over their personal information. However, if badly executed, it can also present new privacy, safety and security risks. This is because there is uncertainty about how personal information may flow between solutions. This question only becomes more complex when considering different jurisdictions. Data minimisation in exchanging personal information should be a guiding principle in the design of seamless experiences. 
    Within this complex ecosystem, other key considerations will include establishing: 
      • who the data controller or joint data controllers are, and who the processors are; 
      • which organisations hold copies of a user’s personal information; and
      • how users know how to enact their individual rights, and with whom. 

  • Digital identity is also likely to be a core element of future IVWs. Developers of interoperable environments may look to digital identities to help provide a frictionless experience in moving between virtual worlds. Users may enter IVWs using portable, unique identities, which may be lifelike representations of themselves or may be intentionally not lifelike at all. Platforms will need to find a balance between accountability and privacy, as many users may seek to be anonymous while online for a variety of reasons. While this challenge is one that is faced by platform providers today, the potential to interact via visible avatars in immersive virtual worlds adds a new dimension to this conversation.

Recommendations and next steps

We will continue to monitor developments in the space of immersive virtual worlds and scrutinise the market as new products and services emerge and use cases become clearer. 

Regulatory cooperation: We will continue to engage with other regulators working across digital services, jurisdictions and industries as policies and standards emerge. We have in December published an Immersive Technologies Foresight Paper with our counterparts within the DRCF. 

Privacy by design: As metaverse technologies evolve in the years to come, new privacy concerns may emerge. It will be critical for organisations to embed privacy by design approaches into the infrastructure of the metaverse as it develops and industry standards are set. This will ensure solutions are built with high data protection standards and safeguards in mind. 


 20 Global Counsel report on “Regulating the metaverse”