Search
Contact
13.09.2022 | KPMG Law Insights

Metaverse: Privacy in the digital world

The Metaverse is currently being traded as the next iteration of the Internet. A precise definition of what the term “metaverse” actually means and how it will be technically designed has not yet been determined. However, the consensus is that the metaverse will be a decentralized, virtual, highly interactive and transaction-driven space with fluid links to the real world. New technologies in the field of “Extended Reality” as well as the introduction of “Digital Twins” – digital representations of real assets – offer completely new forms of interaction and evaluation of accruing data. Even a 20-minute use of a VR headset can capture up to two million data points; many of them biometric and thus worthy of special protection. In this context, one of the major legal challenges is to bring the Metaverse in line with existing data protection regulations, in particular those of the General Data Protection Regulation (GDPR).

Responsibility under data protection law

The GDPR is also applicable in the Metaverse. Their obligations affect controllers established in the EU or processing personal data obtained in the EU. But the uncertainties already begin with the answer to the fundamental question of responsibility under data protection law. According to Article 4 No. 7 of the GDPR, a controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. The way the Internet is currently designed, responsibility can be determined relatively easily by assigning a website to an operator. When a new website is called up, the responsibility of the operator of the old site is left and that of the operator of the next site is entered. However, such clear demarcations will hardly be conceivable in the metaverse and are not compatible with the idea of an immersive virtual world with seamless transitions between the most diverse offerings. A connection to the “owners” of virtual spaces, in which the avatars of users reside, is a possible approach. However, there will also be “public” areas in the metaverse, such as squares and paths, which cannot be assigned to any individual provider:in and to which the virtual stores and presences are adjacent. How will these need to be addressed? Are the adjacent provider:s jointly responsible? Or is there a virtual “infrastructure provider” who is responsible for data processing in these areas? The decentralized and seamless design of the metaverse will still lead to some headaches when determining data protection roles under the GDPR.

Information requirements under data protection law

A question of a more practical nature concerns the fulfillment of information obligations under Articles 13 and 14 of the GDPR. Accordingly, data controllers must provide information about the details of data processing in advance. If the current practice of detailed privacy statements were to be transferred to the metaverse, this would literally lead to “walls of text” that would have an extremely disruptive effect on immersion and have a lasting negative impact on the user experience. Here, the hitherto hardly observed Article 12 para. 7 of the GDPR come into play. This provides for the use of standardized image symbols. This can reduce the amount of text required. By interacting with the respective icon, users can obtain additional information about the identified data processing.

Marketing, sensitive data & consents

The integration of extended reality devices – i.e., devices such as headsets and other sensors that are capable, among other things, of transmitting the user’s facial expressions, gestures, and other movements to his or her avatar – processes vast amounts of biometric data in real time, which can even indicate medical indications. Optical sensors detect the user’s surroundings – usually his or her own home – and microphones transmit every spoken word. The collection of this data will provide entirely new opportunities for profiling and tracking technologies. For example, pupil dilation indicates that the user likes the ads or products he or she is looking at without being able to consciously control this. While the use of biometric and other sensitive data regularly requires explicit consent anyway, the question arises as to whether extensive evaluation and use of other data that users unknowingly disclose may be carried out for marketing purposes on the basis of a legitimate interest or likewise only on the basis of consent. And how should consent be structured? An implied consent in the online area cannot be assumed without further ado. An express declaration of intent by the user is required. Simply continuing to use a website despite the cookie notice or accepting pre-filled checkboxes is not sufficient. Accordingly, merely entering a metaverse presence that triggers processing requiring consent is not likely to have any corresponding explanatory content. But is a nod of the avatar’s head sufficient as consent?

Third country transfer

While the difficulties outlined above can largely be solved through designs of a technical nature and, as in the area of cookie banners, an increasingly clear line of jurisprudence on the exact requirements is likely to emerge, the much bigger problem is the third-country transfer of the data. Due to the multiple increase in the number of data collected and the constant transfer of data when using the Metaverse, recourse to the existing transfer instruments does not always appear to be expedient. In particular, the standard contractual clauses on international data transfer are still subject to the basic idea of the current design of the Internet, i.e., that there are data exporters and data importers as well as data processing operations that can be defined in advance in each case. But if the Metaverse is indeed a decentralized platform, part of its appeal is that users are constantly in spontaneous exchange of their data with third parties in their virtual environment. It is difficult to determine in advance which data will be transmitted by whom and to whom for which purposes – except in a controlled environment in which the user’s options are reduced to a predictable level. But this would be contrary to the idea of a true virtual world.

Conclusion

Even considering this small selection of obvious data protection law issues shows that the law in its current form is not yet designed for use in decentralized virtual worlds. It will be a challenge for all parties involved to find an appropriate balance between user-friendliness and immersion on the one hand and compliance with data protection requirements on the other. However, newly developed smart technical and legal methods make it conceivable to reconcile a virtual world that rivals the diversity of our reality with current data protection law – even if future regulatory adjustments will be unavoidable.

Explore #more

10.07.2026 | KPMG Law Insights

New Packaging Implementation Act tightens obligations for companies

  Co-author: Séverine Sieprath, Director of Audit, KPMG AG Wirtschaftsprüfungsgesellschaft   The Packaging Implementation Act (VerpackDG),…

09.07.2026 | In the media

Op-Ed in *Versicherungsmagazin*: D&O Insurance—A Legal Safety Net in Turbulent Times

Liability risks for executives are increasing significantly: New regulatory requirements such as NIS-2, CSRD, and the Supply Chain Act are expanding the responsibilities of managing

02.07.2026 | KPMG Law Insights

Registered mail with return receipt no longer provides proof of delivery—here are some alternatives

Registered mail with return receipt, when used as part of electronic documentation, no longer constitutes prima facie evidence of a…

02.07.2026 | Deal Notifications

KPMG Law advises the Prinzhorn Group on the acquisition of Stora Enso’s German facilities

KPMG Law has advised Mosburger GmbH, a subsidiary of Dunapack Packaging and part of the Austrian Prinzhorn Group, on the acquisition of Stora Enso’s German…

02.07.2026 | In the media

KPMG Law Interview in Focus Business: EmpCo Is Coming: Sustainability Marketing Becomes a Top Priority

Stricter EU rules set clearer boundaries for climate pledges and social claims. KPMG Law expert Manuela Meyer explains which claims must be verified and how…

29.06.2026 | KPMG Law Insights

Embedding Digital Sovereignty in the Enterprise – Legal Requirements for IT Systems

Digital sovereignty is an important strategic success factor, and many measures are also required by law. Through legislation such as the Data Act, NIS-2, the…

25.06.2026 | In the media

KPMG Law Interview in fvw I Traveltalk: Upcoming EU Package Travel Directive — “For the industry, the real work is just beginning”

After more than two and a half years, the legislative process, including publication, was recently completed. Now the deadline for tour operators and travel agencies…

24.06.2026 | Deal Notifications

KPMG Law advised the shareholders of Zimmermann PV-Steel Group on the sale to Nextpower

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the shareholders of Zimmermann PV-Steel Group (Zimmermann) on the sale of the company to Nextpower™ (Nasdaq: NXT), a…

23.06.2026 | KPMG Law Insights

Germany is modernizing its arbitration law

On June 10, 2026, the Federal Government presented a draft of the “Act on the Modernization of Arbitration Law.” Its aim is to adapt the…

18.06.2026 | In the media

KPMG Law Guest Article in *Innovative Administration*: Protection in Turbulent Times

Board members of municipal enterprises face personal, unlimited liability, which is further exacerbated by the unique characteristics of the public sector. D&O insurance protects their…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2026 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll