Youth Privacy in Immersive Technologies: Regulatory Guidance, Lessons Learned, and Remaining Uncertainties

As young people adopt immersive technologies like extended reality (XR) and virtual world applications, companies are expanding their presence in digital spaces, launching brand experiences, advertisements, and digital products. While virtual worlds may in some ways resemble traditional social media and gaming experiences, they may also collect more data and raise potential manipulation risks, particularly for vulnerable and impressionable young people.

This policy brief analyzes recent regulatory and self-regulatory actions and guidance related to youth privacy, safety, and advertising in immersive spaces, pulling out key lessons for organizations building experiences in virtual worlds.

Recent FTC Enforcement Actions and Guidance

The Federal Trade Commission (FTC) has shown a strong interest in using its consumer protection authority to bring enforcement actions against a wide range of digital companies for alleged “unfair and deceptive” practices, rule violations, and other unlawful conduct. The Commission has also issued several policy statements and guidance documents relevant to organizations building immersive technologies, touching on issues such as biometric data and advertising to children. It is clear the agency is thinking seriously about how its authority could apply in emerging sectors like AI, and organizations working on immersive technologies should take heed. Lessons from recent FTC privacy cases and guidance include:

• The FTC interprets the Children’s Online Privacy Protection Act (COPPA)’s definition of “personal information” broadly, including data types that immersive technologies commonly collect, like eye tracking.
• Default settings are key in protecting children’s and teens’ privacy and safety.
• Immersive technologies’ unique capabilities may give organizations new ways to engage in manipulative design.
• Immersive application providers must comply with COPPA if their application is “directed to children” or if there is “actual knowledge” children are accessing it.
• Organizations should provide privacy policies and notices in a format appropriate for and consistent with the design elements of immersive experiences.
• Organizations should take additional steps to be transparent about advertising practices.

Self-Regulatory Cases and Safe Harbor Guidance

Self-regulatory bodies also have an essential role in ensuring privacy and safety in child-directed applications and providing guidance to companies operating in the space. For example, organizations designated as COPPA Safe Harbors can guide companies toward compliant, developmentally appropriate, and privacy-protecting practices. Lessons from recent self-regulatory cases and Safe Harbor guidance include:

• Advertising disclosures in immersive environments should be designed to be as clear and conspicuous as possible and provided in an age-appropriate manner.
• Platforms that allow advertisements to children should ensure that developers, brands, and content creators have the necessary tools and guidance to clearly and conspicuously disclose the presence of advertising to children.
• Privacy by design and by default demonstrate to regulatory and self-regulatory bodies that an organization takes youth privacy seriously.
• Privacy and advertising practices for teens should take into account the unique considerations relevant to teen privacy and safety, compared to child and adult guidance.
• Organizations with a robust privacy culture that demonstrate good faith efforts to follow the law are more likely to be given the benefit of the doubt.

Remaining Areas of Uncertainty

Because immersive technologies are relatively new and evolve rapidly, much of the existing regulatory and self-regulatory guidance is pulled from other contexts. Therefore, questions remain about how regulations apply in immersive environments and how to operationalize best practices. These questions include:

• How age-appropriate design principles will best fit into an immersive technology context, such as how best to ensure strong default privacy settings for underage users; the best methods for clarity and transparency regarding data practices notices and advertising disclosures; and whether an immersive experience should require unique, additional safeguards.
• What novel data collection and analysis methods in the immersive technology space will require discerning data practices surrounding its safeguarding and use, such as what kinds of inferences are appropriate to make from body-based data or to what extent avatars not derived from a child’s data are considered personal information.
• How immersive technologyimpacts children and teens; more research is needed to understand whether certain kinds of experiences and privacy practices are harmful for children and teens, if there are unique risks to children’s privacy and mental health, and how organizations, parents, schools, and other stakeholders can address potential issues.