13.09.2022 | KPMG Law Insights

Metaverse: Privacy in the digital world

The Metaverse is currently being traded as the next iteration of the Internet. A precise definition of what the term “metaverse” actually means and how it will be technically designed has not yet been determined. However, the consensus is that the metaverse will be a decentralized, virtual, highly interactive and transaction-driven space with fluid links to the real world. New technologies in the field of “Extended Reality” as well as the introduction of “Digital Twins” – digital representations of real assets – offer completely new forms of interaction and evaluation of accruing data. Even a 20-minute use of a VR headset can capture up to two million data points; many of them biometric and thus worthy of special protection. In this context, one of the major legal challenges is to bring the Metaverse in line with existing data protection regulations, in particular those of the General Data Protection Regulation (GDPR).

Responsibility under data protection law

The GDPR is also applicable in the Metaverse. Their obligations affect controllers established in the EU or processing personal data obtained in the EU. But the uncertainties already begin with the answer to the fundamental question of responsibility under data protection law. According to Article 4 No. 7 of the GDPR, a controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. The way the Internet is currently designed, responsibility can be determined relatively easily by assigning a website to an operator. When a new website is called up, the responsibility of the operator of the old site is left and that of the operator of the next site is entered. However, such clear demarcations will hardly be conceivable in the metaverse and are not compatible with the idea of an immersive virtual world with seamless transitions between the most diverse offerings. A connection to the “owners” of virtual spaces, in which the avatars of users reside, is a possible approach. However, there will also be “public” areas in the metaverse, such as squares and paths, which cannot be assigned to any individual provider:in and to which the virtual stores and presences are adjacent. How will these need to be addressed? Are the adjacent provider:s jointly responsible? Or is there a virtual “infrastructure provider” who is responsible for data processing in these areas? The decentralized and seamless design of the metaverse will still lead to some headaches when determining data protection roles under the GDPR.

Information requirements under data protection law

A question of a more practical nature concerns the fulfillment of information obligations under Articles 13 and 14 of the GDPR. Accordingly, data controllers must provide information about the details of data processing in advance. If the current practice of detailed privacy statements were to be transferred to the metaverse, this would literally lead to “walls of text” that would have an extremely disruptive effect on immersion and have a lasting negative impact on the user experience. Here, the hitherto hardly observed Article 12 para. 7 of the GDPR come into play. This provides for the use of standardized image symbols. This can reduce the amount of text required. By interacting with the respective icon, users can obtain additional information about the identified data processing.

Marketing, sensitive data & consents

The integration of extended reality devices – i.e., devices such as headsets and other sensors that are capable, among other things, of transmitting the user’s facial expressions, gestures, and other movements to his or her avatar – processes vast amounts of biometric data in real time, which can even indicate medical indications. Optical sensors detect the user’s surroundings – usually his or her own home – and microphones transmit every spoken word. The collection of this data will provide entirely new opportunities for profiling and tracking technologies. For example, pupil dilation indicates that the user likes the ads or products he or she is looking at without being able to consciously control this. While the use of biometric and other sensitive data regularly requires explicit consent anyway, the question arises as to whether extensive evaluation and use of other data that users unknowingly disclose may be carried out for marketing purposes on the basis of a legitimate interest or likewise only on the basis of consent. And how should consent be structured? An implied consent in the online area cannot be assumed without further ado. An express declaration of intent by the user is required. Simply continuing to use a website despite the cookie notice or accepting pre-filled checkboxes is not sufficient. Accordingly, merely entering a metaverse presence that triggers processing requiring consent is not likely to have any corresponding explanatory content. But is a nod of the avatar’s head sufficient as consent?

Third country transfer

While the difficulties outlined above can largely be solved through designs of a technical nature and, as in the area of cookie banners, an increasingly clear line of jurisprudence on the exact requirements is likely to emerge, the much bigger problem is the third-country transfer of the data. Due to the multiple increase in the number of data collected and the constant transfer of data when using the Metaverse, recourse to the existing transfer instruments does not always appear to be expedient. In particular, the standard contractual clauses on international data transfer are still subject to the basic idea of the current design of the Internet, i.e., that there are data exporters and data importers as well as data processing operations that can be defined in advance in each case. But if the Metaverse is indeed a decentralized platform, part of its appeal is that users are constantly in spontaneous exchange of their data with third parties in their virtual environment. It is difficult to determine in advance which data will be transmitted by whom and to whom for which purposes – except in a controlled environment in which the user’s options are reduced to a predictable level. But this would be contrary to the idea of a true virtual world.


Even considering this small selection of obvious data protection law issues shows that the law in its current form is not yet designed for use in decentralized virtual worlds. It will be a challenge for all parties involved to find an appropriate balance between user-friendliness and immersion on the one hand and compliance with data protection requirements on the other. However, newly developed smart technical and legal methods make it conceivable to reconcile a virtual world that rivals the diversity of our reality with current data protection law – even if future regulatory adjustments will be unavoidable.

Explore #more

16.07.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

15.07.2024 | In the media

Guest interview in the Fachfragen Podcast: Is antitrust law becoming “greener”? – An update

Sustainability goals and criteria – i.e. ESG aspects in the broader sense – continue to be the focus of social debate and determine consumer behavior.…

12.07.2024 | Business Performance & Resilience, In the media

Guest article in the IPE Dach: Necessary contract adjustments for DORA implementation

Deadline January 17, 2025: Financial companies and other service providers should start implementing the rules of the “Digital Operational Resilience Act” today, because the preparations,…

08.07.2024 | In the media

Article in In-house Counsel with KPMG Law Statement: Have software modules delivered, assemble, fine-tune, done

The article from 05.07.2024 contains an article with a statement by KPMG Law expert Kai Kubsch. IT applications for the legal department programmed by…

05.07.2024 | In the media

Guest article in Deutscher AnwaltsSpiegel: Transformation in legal departments

The KPMG Legal Department Report, now in its tenth edition (see here), has established itself as the standard work for general counsel since 2005…

03.07.2024 | KPMG Law Insights

BImSchG amendment to speed up approval procedures

On 17.05.2024, the traffic light parliamentary groups agreed on the amendment to the Federal Immission Control Act (BImSchG). The law is intended to create faster…

01.07.2024 | In the media

Guest article in Business Punk: Startup insolvency – bargain for investors or incalculable risk?

The issue of June 25, 2024 contains a guest article by KPMG Law experts Stefan Kimmel and Gunars Urdze. The Covid-19 pandemic and the…

01.07.2024 | In the media

Guest article in IT-Zoom: The path to safe and ethical AI

The June 25, 2024 issue of IT-Zoom contains a guest article by KPMG Law expert Francois Maartens Heynike and KPMG Law expert Kerstin Ohrem.…

28.06.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: ESG and employment law

Sustainable corporate governance is increasingly becoming a legal obligation. The HR department is also affected. Because “sustainable” also includes social aspects. Accordingly, companies have numerous…

25.06.2024 | In the media

Guest article in the ESGZ: Is antitrust law becoming “greener”? – An update

The June issue of ESGZ contains a guest article by KPMG Law expert Jacqueline Unkelbach. Sustainability goals and criteria – in a broader sense…


Francois Heynike, LL.M. (Stellenbosch)

Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

tel: +49-69-951195770

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.