Every day, millions of gamers, students, and other users around the world log in to experience the virtual world. Some are intent on playing the latest, most realistic video game. Others seek to recreate real-life social interactions in the virtual space. More employ the metaverse and virtual, augmented, and extended reality (VR/AR/XR) for commercial and educational purposes. Whatever the motive, any environment or platform on which people congregate and transactions occur and can lead to disagreements.
Up to now, legal issues arising in the virtual world have been resolved through the real-life tort system and criminal courts by attempting to apply existing laws developed for the physical world. But is this approach still suitable, scalable, and viable? Is the present legal system prepared to tackle legal issues related to the virtual space? Several legal issues and case studies demonstrate that real-life laws lack the nuance and context to resolve legal disputes developing as a result of engagements in the virtual world. Many of the thorny issues revolve around contracts and privacy, however, online activities that jeopardize personal safety and other criminal concerns also are becoming more prevalent as the metaverse coalesces and AR/VR/XR technologies mature.
Privacy Issues
As we increasingly conduct our daily lives –
entertainment, communication, shopping, work, etc. – online,
it becomes clear that privacy protections devised for the analog
world lack the sophistication required to keep personal data
secure. Bad actors will continue to employ brute force attacks,
credential theft, phishing, and other more sophisticated methods to
obtain access to personal and business financial records, track our
movements, and hack into sensitive information. There is a far
greater risk of personal information leaking in the virtual world
than in real life. Compromised personal data presents a world of
harm for the victim. In Carpenter v. United States, the US Supreme Court recognized
the privacy challenges associated with new technologies. While the
court did not delve specifically into privacy challenges posed by
virtual reality, it warned lower courts to 'tread carefully ...
to ensure that the legal system does not embarrass the
future.'
- Managing Consent
Real-life privacy laws require companies to obtain a user's prior consent before collecting their personal or sensitive data. AR/VR/XR environments involve zettabytes of observable data, collected in the background, complicating the ability to collect, manage, and safeguard consent, the Future of Privacy Forum found.
- Protecting Children
Since VR/AR/XR technologies often appeal to underage gamers, it is particularly important for platforms and websites to implement extra procedures and security measures to protect the personal data of children. Strong real-life privacy laws exist that require businesses, schools, and other organizations catering to minors to take extra precautions to limit and to secure their related data. However, in many cases it remains unclear whether and how these laws are applicable to the virtual world.
- GDPR Compliance
Additional legislation and case law are needed to clarify to what extent the European Union's General Data Protection Regulation (GDPR) is applicable to the virtual world. The concept of "inferred data" complicates matters. Information users share with their virtual platforms may be considered inferred. However, there currently exist few ways to ensure providers have inferred the data correctly, as users cannot access the algorithms or databases. GDPR does cover some aspects of data privacy, but these must be clarified and possibly amended before they can be considered adequate.
VR/AR/XR poses significant privacy risks since, in the virtual world, users do not actively provide personal information. Instead, providers gather personal data by tracking online activities as the users go about their virtual lives. Real-life privacy laws were designed to address situations where users proactively provide their personal information. They may lack the specificity to cover new privacy issues that extend through AR/VR/MR, the metaverse, and other virtual environments. Alternatively, an amendment to the existing privacy laws, notably the Children's Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA) may be required to ensure their suitability for our evolving virtual existence. A well-drafted privacy policy, specific disclaimers, and disclosures may also be required.
Jurisdictional Issues
As VR/AR/XR evolves and new applications come online, few reliable precedents are in place to guide litigants, defendants, and legal counsel in their handling of civil and criminal cases arising from virtual encounters. Certain laws, such as patent, trademark, and copyright, vary among jurisdictions, and the situation is exacerbated by the borderless nature of the virtual space, blockchain, and other technologies inherent in the metaverse. To deal with these exigencies, businesses operating in the space should develop comprehensive legal strategies that can adapt to new information and new regulation.
- Crime
As in real life, crime is commonplace in the virtual world. Multiple forms of virtual crimes have been identified and reported – from disturbing the peace to indecent exposure, assault, and money laundering. Theft is among the most prominent. Avid gamers and entrepreneurs may spend hours in the virtual world crafting virtual goods which can then be sold to other users, speculators, and collectors for real money. What if someone steals these virtual goods and resells them? Where can victims turn for help? Who will investigate, capture, and prosecute the perpetrators? Do existing laws even consider the theft of virtual goods a crime? There are no clear answers as the definition of theft varies by jurisdiction.
- Applying the Law(s)
It is difficult to determine the applicable law and the jurisdiction applicable to disputes which take place over the virtual world, as the victim may live half a world away from the criminal. The platform on which the crime occurs likely will be hosted in a third country with servers in several difficult-to-pinpoint locations. If traditional, physical-world rules are applied, crimes would fall under the jurisdiction of the country in which they take place. But does this mean the location of the server, where the platform owner is based, or some other geographical determinant?
Perhaps a universal set of laws or code of conduct governing user behavior in the virtual world would solve the problem. Until then, VR/AR/XR users and companies are advised to develop, post, and adhere to robust terms of service and end-user license agreements that clearly delineate rights, expectations, and dispute resolution methods.
Contractual Issues
Legal anomalies can be expected when real-world contract law principles are applied to the virtual universe. The fundamental question is whether freedom of contract applies in this new context. What if parties willingly enter into a commercial transaction that obviously and disproportionately disadvantages one of the parties? Could the contract be annulled by citing existing contract law, or would the platform's term of service apply? Under traditional contract law, freedom of contract is limited. For example, contracts that contravene public order, morality, and law are generally not allowed. But users enter the virtual world in pursuit of novel experiences which may not necessarily be legal or moral if acted out in real life. Will real-life contract principles apply to cases where virtual users enter into agreements that allow or require these virtual transgressions? Will participants be allowed to take recourse to freedom of contract principles as laid down in physical-environment contract law? These are all complex questions, with no clear answers. Once smart contracts become the norm, these legal questions will become more complex.
Legal issues which present themselves in the virtual world may be quite different from those which arise in real life. Privacy invasion over the metaverse is not the same as in the real world. Similarly, a host of jurisdictional and transnational issues cannot be tackled through traditional laws. Some scholars assert that existing laws could be tailored for the virtual world while others are of the opinion that the virtual world may require a specific legal system, with its own laws. In the absence of laws meant specifically for the virtual world (including the metaverse), the onus of protecting the interests of users lies on the companies (such as video game companies and emerging technologies companies) which create and operate the virtual world. A nuanced legal strategy is required to protect the rights of users and to mitigate any legal liability. Tailored legal documents can help mitigate some of the legal anomalies which arise due to the absence of laws meant for the virtual world. An attorney specializing in emerging technologies including AR/VR/XR and the metaverse can provide legal advice on how to prevent legal liability or to come up with a nuanced legal strategy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
