Understanding Body-Related Data Practices and Ensuring Legal Compliance in Immersive Technologies

Organizations are increasingly incorporating immersive technologies like extended reality (XR) and virtual worlds into their products and services, blurring the boundaries between the physical and digital worlds. Immersive technologies hold the potential to transform the way people learn, work, play, travel, and take care of their health, but may create new privacy risks as well. Many of these technologies rely on large amounts of data about individuals’ bodies, without which they would be less immersive, and in some cases couldn’t function at all. 

Body-related data raises particular privacy risks, and leading organizations in the immersive technology space are adopting risk-based approaches for handling this type of data. Focusing on the risks—to the organization and to those impacted by the organization’s data practices—makes it easier not only to comply with the law but also to ensure more ethical data practices.

There are concrete steps organizations can take to ensure that body-related data is handled safely and responsibly. As part of their data protection strategies, organizations should:

1. Understand their data practices: mapping these practices, specifying their purposes, and identifying all relevant stakeholders.
2. Evaluate their legal obligations: analyzing existing legal obligations, as well as how they may change in the near future based on emerging trends.
3. Identify risks to individuals, communities, and society: cataloging the features of their data and data practices that create greater risks.
4. Implement best practices: operationalizing technical, organizational, and legal safeguards to prevent or mitigate the identified risks.

To guide organizations as they develop their body-related data practices, the Future of Privacy Forum created the Risk Framework for Body-Related Data in Immersive Technologies. This framework serves as a straightforward, practical guide for organizations to analyze the unique risks associated with body-related data, particularly in immersive environments, and to institute data practices that are capable of earning the public’s trust. Developed in consultation with privacy experts and grounded in the experiences of organizations working in the immersive technology space, the framework is also useful for organizations that handle body-related data in other contexts as well. This post will explore the first two stages of the risk framework: understanding an organization’s data practices, and evaluating legal obligations to ensure compliance.

I. Understanding how organizations handle personal data

The first step to handling body-related data is for organizations to understand how they handle personal data. Doing so will help them communicate these practices to their users, regulators, the general public, and other relevant stakeholders. Developing a comprehensive understanding of an organization’s data practices is also critical for identifying potential privacy risks and implementing best practices to mitigate them. Organizations should bring together experts from different teams to document how they collect, use, and onwardly transfer body-related data. The following steps help organizations conduct these processes effectively.

Create data maps of data practices, particularly in regard to body-related data

Data mapping is the process of creating an inventory of all the personal data an organization handles, including how it’s used, to whom it is transferred, and how long it is kept. While tools exist to assist organizations with data mapping, it is helpful to assign a designated person within an organization, such as a chief privacy officer or data protection officer, to be responsible for completing the data map. Data mapping also helps organizations in certain jurisdictions maintain compliance with legal obligations related to data practice documentation. Certain kinds of body-related data—such as data about people’s faces, hands, voices, and body movements—will be particularly relevant in immersive environments, and organizations operating in this space should pay special attention to them.

Document the purpose of each data practice

In order to determine which data practices are necessary, and which may be adjusted, organizations must be able to specify what goal or purpose each practice serves. Organizations might engage in a particular data practice for a variety of purposes: enabling relevant features or products, improving a product’s technical performance, facilitating targeted advertising, or customizing a user’s experience, to name a few. This documentation will help inform an organization’s evaluations of its privacy risks and legal obligations, and generate buy-in from business stakeholders within the organization by linking their interests to privacy compliance.

Identify all relevant stakeholders impacted by data practices

Evaluating an organization’s legal obligations and privacy risks requires key organizational leaders to understand which stakeholders are implicated—both as partners in data transfer agreements and as people impacted by the organization’s data practices. Organizations must understand the kinds of entities with whom they are transferring data, and who specifically within these third parties are handling the data. They should also understand who is impacted by their data practices, including data subjects or users as well as bystanders whose data may also be implicated. Special attention should be paid to individuals and communities whose data may raise additional legal or ethical considerations, such as children and teens, and people from historically marginalized or vulnerable communities.

II. Analyzing relevant legal frameworks and ensuring compliance

Once an organization has established a thorough understanding of its data practices, the next step in preparing to handle body-related data is to evaluate whether the enumerated data practices are in compliance with the law. Collecting, using, or transferring body-related data may implicate a number of issues under current U.S. privacy law. However, most existing regulations were not drafted with immersive technologies in mind. It can therefore sometimes be unclear how these rules apply to immersive technologies, and an organization’s obligations will depend on where it operates, what kind of data it handles and why, and the size and nature of the organization, among other factors.

To understand and comply with all existing obligations, organizations need to know the scope of data types covered by current laws, the requirements and rights that attach to them, and the unique considerations that may apply in immersive spaces and in regard to body-related data. Existing privacy laws in the U.S. apply, depending on jurisdiction, to body-related data involving personal, biometric, sensitive, health, and publicly available data, and organizations should pay special attention to the specific requirements under such laws.

Organizations dealing with these data types have certain legal obligations, including:

• Granting users access, correction, and deletion rights
• Providing opportunities to provide consent
• Avoiding “dark patterns” and manipulative or deceptive design
• Being transparent and providing notice to users
• Minimizing data collection and retention when necessary
• Conduct data protection impact assessments (DPIAs)
• Institute protections for kids and teens

2023 proved to be a significant year for state privacy laws, and new legislation and regulations will continue to impact the data privacy legal landscape. Organizations should keep an eye on the major areas for emerging legislation such as youth privacy and safety, as well as consumer health data. They should also monitor how emerging litigation impacts current requirements through interpreting current legislative language.

For more information on what organizations can do to ensure they handle body-related data safely and responsibly, read for the next post in our series, focusing on identifying risks and implementing best practices. For a comprehensive guide to body-related data practices in immersive technologies, see FPF’s Risk Framework for Body-Related Data in Immersive Technologies.