13.09.2022 | KPMG Law Insights

Metaverse: Privacy in the digital world

The Metaverse is currently being traded as the next iteration of the Internet. A precise definition of what the term “metaverse” actually means and how it will be technically designed has not yet been determined. However, the consensus is that the metaverse will be a decentralized, virtual, highly interactive and transaction-driven space with fluid links to the real world. New technologies in the field of “Extended Reality” as well as the introduction of “Digital Twins” – digital representations of real assets – offer completely new forms of interaction and evaluation of accruing data. Even a 20-minute use of a VR headset can capture up to two million data points; many of them biometric and thus worthy of special protection. In this context, one of the major legal challenges is to bring the Metaverse in line with existing data protection regulations, in particular those of the General Data Protection Regulation (GDPR).

Responsibility under data protection law

The GDPR is also applicable in the Metaverse. Their obligations affect controllers established in the EU or processing personal data obtained in the EU. But the uncertainties already begin with the answer to the fundamental question of responsibility under data protection law. According to Article 4 No. 7 of the GDPR, a controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. The way the Internet is currently designed, responsibility can be determined relatively easily by assigning a website to an operator. When a new website is called up, the responsibility of the operator of the old site is left and that of the operator of the next site is entered. However, such clear demarcations will hardly be conceivable in the metaverse and are not compatible with the idea of an immersive virtual world with seamless transitions between the most diverse offerings. A connection to the “owners” of virtual spaces, in which the avatars of users reside, is a possible approach. However, there will also be “public” areas in the metaverse, such as squares and paths, which cannot be assigned to any individual provider:in and to which the virtual stores and presences are adjacent. How will these need to be addressed? Are the adjacent provider:s jointly responsible? Or is there a virtual “infrastructure provider” who is responsible for data processing in these areas? The decentralized and seamless design of the metaverse will still lead to some headaches when determining data protection roles under the GDPR.

Information requirements under data protection law

A question of a more practical nature concerns the fulfillment of information obligations under Articles 13 and 14 of the GDPR. Accordingly, data controllers must provide information about the details of data processing in advance. If the current practice of detailed privacy statements were to be transferred to the metaverse, this would literally lead to “walls of text” that would have an extremely disruptive effect on immersion and have a lasting negative impact on the user experience. Here, the hitherto hardly observed Article 12 para. 7 of the GDPR come into play. This provides for the use of standardized image symbols. This can reduce the amount of text required. By interacting with the respective icon, users can obtain additional information about the identified data processing.

Marketing, sensitive data & consents

The integration of extended reality devices – i.e., devices such as headsets and other sensors that are capable, among other things, of transmitting the user’s facial expressions, gestures, and other movements to his or her avatar – processes vast amounts of biometric data in real time, which can even indicate medical indications. Optical sensors detect the user’s surroundings – usually his or her own home – and microphones transmit every spoken word. The collection of this data will provide entirely new opportunities for profiling and tracking technologies. For example, pupil dilation indicates that the user likes the ads or products he or she is looking at without being able to consciously control this. While the use of biometric and other sensitive data regularly requires explicit consent anyway, the question arises as to whether extensive evaluation and use of other data that users unknowingly disclose may be carried out for marketing purposes on the basis of a legitimate interest or likewise only on the basis of consent. And how should consent be structured? An implied consent in the online area cannot be assumed without further ado. An express declaration of intent by the user is required. Simply continuing to use a website despite the cookie notice or accepting pre-filled checkboxes is not sufficient. Accordingly, merely entering a metaverse presence that triggers processing requiring consent is not likely to have any corresponding explanatory content. But is a nod of the avatar’s head sufficient as consent?

Third country transfer

While the difficulties outlined above can largely be solved through designs of a technical nature and, as in the area of cookie banners, an increasingly clear line of jurisprudence on the exact requirements is likely to emerge, the much bigger problem is the third-country transfer of the data. Due to the multiple increase in the number of data collected and the constant transfer of data when using the Metaverse, recourse to the existing transfer instruments does not always appear to be expedient. In particular, the standard contractual clauses on international data transfer are still subject to the basic idea of the current design of the Internet, i.e., that there are data exporters and data importers as well as data processing operations that can be defined in advance in each case. But if the Metaverse is indeed a decentralized platform, part of its appeal is that users are constantly in spontaneous exchange of their data with third parties in their virtual environment. It is difficult to determine in advance which data will be transmitted by whom and to whom for which purposes – except in a controlled environment in which the user’s options are reduced to a predictable level. But this would be contrary to the idea of a true virtual world.


Even considering this small selection of obvious data protection law issues shows that the law in its current form is not yet designed for use in decentralized virtual worlds. It will be a challenge for all parties involved to find an appropriate balance between user-friendliness and immersion on the one hand and compliance with data protection requirements on the other. However, newly developed smart technical and legal methods make it conceivable to reconcile a virtual world that rivals the diversity of our reality with current data protection law – even if future regulatory adjustments will be unavoidable.

Explore #more

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…

14.02.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

09.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: The employment law function

In almost all German companies, the employment law function is located in the HR department and not in the legal department. One of the reasons…

02.02.2024 | KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

On December 14, 2023, the Council and the European Parliament reached a provisional political agreement on the EU Corporate Sustainability Due Diligence Directive (CSDDD). This…

01.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: Fair play in eSports

eSports is a billion-dollar market that is growing rapidly. This makes it all the more important for the economic players involved to comply with applicable…

24.01.2024 | KPMG Law Insights

How the new unitary patent works – ten facts

The new unitary patent can be applied for at the European Patent Office (EPO) from June 1, 2023. The Implementing Regulations and the Schedule of

22.01.2024 | PR Publications

Guest article in the Börsen-Zeitung on the subject of EU antitrust regulations

Agreements with competitors on sustainability efforts may violate antitrust law. Which legal interest should then take precedence? KPMG Law expert Jonas Brueckner discusses this question…

18.01.2024 | KPMG Law Insights

AI and copyright – what is permitted when using LLMs?

A few months ago, new players entered the legal scene and have since caused numerous legal discussions: Large Language Models (LLM), better known as…


Francois Heynike, LL.M. (Stellenbosch)

Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.