VR and your privacy: how are these companies treating your data?

In order to play in the world of VR, you have to be prepared to share some data. That's not really a new concept; our devices and apps always come with a privacy policy (that most of us scroll through and agree to without actually reading). So what exactly are your VR devices and games getting from you, and what are the companies doing with that data? Good question.

Let's focus on the big players right now: Windows Mixed Reality (WMR), HTC Vive, Oculus Rift, PlayStation VR, Google Daydream, and Samsung Gear VR. All of them have privacy policies available to users on their websites, and not surprisingly, all have pretty similar clauses. The language may change a little from one brand to the next, but they essentially say the same thing.

Here's what the privacy policies for these brands have in common

All will use cookies and/or beacons to collect and store data.

Cookies are small files that store things like login information and ads you've already been exposed to on various sites. Beacons are small elements embedded in online content that make your device contact a server when that content loads. That's not unique to VR; your laptop, desktop, phone, and tablet do it, too.

All will collect location-based information.

This includes things like your timezone and the country you live in; these have to do with apps and content availability, ensuring that user experiences are relevant for your part of the world with proper language availability and time-sensitive software upgrades. Those are necessities, so you can't mind them knowing where in the world you are.

All will share aggregate data with third-party companies.

This generally doesn't include your specific or personal data; it's more like the statistics of when people are actively playing and the numbers of regional users. That's not terrible, and most non-VR games and apps do that anyway.

With Google, you can opt in and allow your personal data to be shared with "companies, organizations or individuals outside of Google," otherwise it's the usual sharing with affiliates or for legal reasons.

All will take data about your IP address, the browser you're using, and your device.

Each will also ask for details like your name, an email address, and your date of birth. Depending on how much you want to honestly volunteer, you can falsify a handful of those "facts". Plenty of people do, but plenty of people provide their real information, and the choice is yours.

All will use the information they collect about you to guide their marketing strategies.

HTC's privacy policy clearly states that you're going to receive customized product recommendations, as well as notifications of contests and promotions. Samsung wants to give you "customized content and advertising", and Oculus Rift states that it aims to "measure how users respond to our marketing efforts" so you can't avoid being the target or victim here. As for Microsoft, it's stated in the privacy policy that "we use data to help show more relevant ads, whether in our own products supported by advertising like MSN and Bing, or in products offered by third parties."

Sony does give you a choice, but it's whether you want your information shared with Sony Interactive Entertainment America (SIEA) or SIEA's third-party partners; either way, you're receiving direct marketing.

Every privacy policy reminds you that nothing is 100 percent safe, in spite of their best efforts.

Part of the reason for this is, as always, unforeseen security breaches, but there is something else you need to be aware of. Your data may be transferred to servers throughout the US and around the world at each company's discretion since they're all international companies. Once your data is "over there", it's subject to the laws of that land, and those laws may be far less stable or enforceable. That's a little scary, but VR isn't the only industry doing it.

All communication via the social features of your VR is stored.

Your messages are generally saved in a temporary cache if they're between users, but more permanently if they're forum posts, like in the Oculus support community. However, there will always be a record that some form of communication happened between you and a friend or another user. Again, that kind of permanent digital trail of breadcrumbs isn't unique to VR, but it's good to be reminded that it's there.

No matter which VR you're using, your data will be shared with network affiliates and subsidiaries.

These large companies have many affiliates and subsidiaries, which aren't always easily tracked down. Some information can be found here.

So how are the privacy policies different?

The basic differences are pretty simple:

  • Samsung's privacy policy is overarching, designed to apply to all of its devices.
  • HTC's privacy policy uses pretty straightforward language, but it's not easy to find a complete list of affiliates and subsidiaries.
  • Sony's privacy policy is actually split into two parts, one for SIEA and one for PlayStation Network.
  • Google's privacy policy, like Samsung's, is meant as an overarching one for a wide range of its products.
  • Like Google and Samsung, Microsoft's privacy policy is intended for a wide range of products, and there doesn't yet seem to be a specific section for WMR.
  • Oculus Rift's privacy policy is the one that kind of blew up this whole privacy thing and made us stop and question VR and data privacy. There's an interesting reason for that.

It says very plainly in the privacy policy that "you have the option" of submitting to Oculus information about your movements and dimensions, everything from the slightest tilt of your head to the flick of your wrist to the size of the room you're in. The company states that all of that information is necessary to help make your game experience more immersive; it also uses the data to make improvements on future games. But permanently storing that data, and then sharing it? That's a bit invasive.

Let's add to that the fact that Facebook bought Oculus Rift in 2014. This means that whatever Oculus knows, Facebook knows, and that's unnerving for lots of people, especially in the wake of some recent bad press. Yes, Facebook has been collecting everyone's data, and it's not exactly being kept safe. To be fair, Facebook never said it'd keep your data safe, but that's a whole other can of worms.

According to the Voices of VR Podcast, where host Kent Bye spoke with Jenny Hall and Max Cohen (Oculus privacy policy architects), a new privacy policy and updated terms of service are coming from Oculus, and are expected to go into effect May 20. The new privacy policy is expected to give Oculus more authority over what data is collected, though increased transparency is also apparently considered. Along with the updated documents, there is expected to be a new online interface that allows users to see what type and how much of their personal data has been collected while in VR. Will this really help anything? Hard to say.

Microsoft has a similar section in its privacy policy that states it collects information from device sensors, whether "your phone's microphone or accelerometer, your laptop's fingerprint scanner, and internal GPS sensor, and more." WMR headsets and motion controllers are loaded with device sensors, and I suspect the "and more" portion would apply here. You can tailor how much data gets sent back to Microsoft through Windows 10 settings, but there's no way to completely turn off the flow.

Reality check

The point here isn't to tear up one company for oversharing, but instead to raise awareness about how data is being handled when you're in VR. Oculus isn't exactly doing anything legally wrong ― what it's collecting is all laid out in writing ― though where that data goes is kind of alarming; Facebook is no stranger to highly publicized privacy concerns.

This doesn't mean the other VR companies don't have their share of interesting privacy lingo and subsidiary companies. When you experience VR, you are granting access to a good amount of your personal data to multiple organizations and companies. The conversation surrounding VR and privacy is far from over, but while it's evolving, get to know the privacy policy that currently exists for your system of choice and decide how much personal data you're prepared to share with the powers that be.

Remember, none of this is new. Some people call it spying, others call it necessary, and the companies that are producing top-notch VR call it business. Data makes companies a lot of money, and ignoring that stream when there is no legal reason to doesn't make sense.

What is your opinion on privacy in VR? What about the eroding privacy in our everyday lives? Let us know in the comments section!

Updated April 19, 2018: I've added information about Windows Mixed Reality, as well as some information about current Facebook privacy issues to ensure you're up to date on how the most popular VR companies are treating your privacy.