Risk Framework for Body-Related Data in Immersive Technologies
Today, the Future of Privacy Forum (FPF) released its Risk Framework for Body-Related Data in Immersive Technologies for organizations to structure the collection, use, and onward transfer of body-related data.
Organizations building immersive technologies like extended reality and virtual worlds often rely on large amounts of data about individuals’ bodies and behaviors. While body-related data allows for new, positive applications in health, education, entertainment, and more, it can also raise privacy and safety risks. FPF’s risk-based framework helps organizations seeking to develop safe, responsible immersive technologies, guiding them through the process of documenting how and why they handle body-related data, complying with applicable laws, evaluating their privacy and safety risks, and implementing best practices.
While the framework is most useful for organizations working on technologies with immersive elements, it is also useful for organizations that handle body-related data in other contexts.
Stage 1: Understanding How Organizations Handle Personal Data
Understanding your organization’s data practices is the first step toward identifying potential privacy risks, ensuring legal compliance, and implementing relevant best practices to improve privacy and safety. It can also allow organizations to better communicate about those practices. To this end, organizations should:
- Create data maps of their data practices, particularly in regard to body-related data types.
- Document the purpose of each data practice.
- Identify all relevant stakeholders impacted by data practices, including third-party recipients of personal data and data subjects.
Stage 2: Analyzing Relevant Legal Frameworks and Ensuring Compliance
Collecting, using, or transferring body-related data may implicate a number of current and emerging U.S. privacy laws. As such, organizations should:
- Understand the individual rights and business obligations that apply under existing comprehensive and sectoral privacy laws.
- Analyze how emerging legislation and regulations will impact body-based data practices.
Stage 3: Identifying and Assessing Risks to Individuals, Communities, and Society
Privacy harms may stem from particular types of data being used or handled in particular ways, or transferred to particular parties. In that regard, legal compliance may not be enough to mitigate risks, and organizations should:
1. Proactively identify and minimize the risks their data practices could pose to individuals, communities, and society. Factors that impact the risk of a data practice include:
   - Use for critical decisions
   - Partners and third parties
   - Potential for inferences
   - Data accuracy and bias
   - User expectations and understanding
2. Assess how fair, ethical, and responsible the organization’s data practices are based on the identified risks.
Stage 4: Implementing Relevant Best Practices
There are a number of legal, technical, and policy safeguards that can help organizations maintain statutory and regulatory compliance, minimize privacy risks, and ensure that immersive technologies are used fairly, ethically, and responsibly. Organizations should:
1. Implement best practices intentionally—adopted with consideration of an organization’s data practices and associated risks; comprehensively—touching all parts of the data lifecycle and addressing all relevant risks; and collaboratively—developed in consultation with multidisciplinary teams within an organization including stakeholders from legal, product, engineering, privacy, and trust and safety. Such practices include:
   - Local and on-device processing and storage
   - Purpose specification and limitation
   - Third party management
   - Meaningful notice and consent
   - Privacy-enhancing technologies (PETs)
2. Evaluate best practices in regard to one another, as part of a coherent strategy.
3. Assess best practices on an ongoing basis to ensure they remain effective.