Virtual reality (VR) games are incredibly popular these days. If you are the owner of a VR platform or a distributor of online VR applications you should pay close attention to your Privacy Policy agreement.
This article addresses the privacy implications specific to VR businesses and their users. It also lays out specific Privacy Policy clauses for a VR game or application that complies with global privacy laws.
- 1. VR Apps and Personal Data
- 1.1. At Registration
- 1.2. To Set Up Profile
- 1.3. During the Game
- 2. Clauses for your VR Privacy Policy
- 2.1. Types of Information Collected
- 2.1.1. Example #1: Solfar
- 2.1.2. Example #2: OrbusVR
- 2.1.3. Example #3: Oculus
- 2.2. The Purpose for Collecting the Data
- 2.2.1. Example #1: Oculus
- 2.2.2. Example #2: Epic Games
- 2.3. Affiliated Websites or Organizations
- 2.3.1. Example #1: Oculus
- 2.4. Use of Cookies
- 2.4.1. Example #1: Oculus
- 3. What You Should Keep in Mind if You Develop a VR Game or App
VR Apps and Personal Data
VR apps collect a lot of information about their users. In fact, according to a well-known VR industry website, VR Heads, every VR app collects the following information from their users:
- Personally identifiable information
- Aggregate data
- Location-based information
- Browser activities information
- Device details
- IP addresses
Privacy laws require that you disclose every type of personally identifiable information that you collect from your users. They also require you to disclose the methods you use to collect that data and state the reason for collecting it.
At Registration
Most VR apps require their users to provide registration information in order to use them.
The information your VR app collects from users generally includes the user's name, date of birth, and email address. It may also collect information like the user's photo or social media profile information.
All of this information is considered personally identifiable information and triggers the need for a Privacy Policy.
To Set Up Profile
User profiles significantly improve the app experience and VR apps, more or less, work the same way. Users become much more invested in the app when they are given the choice to personalize their online profiles.
Most VR apps let users add their personal information (like a bio or interests) or upload a profile picture/avatar. They sometimes even give users the option to add personal information that might not be necessary for app registration.
Any information that your VR app collects from user profile fields is confidential.
Privacy laws require you to inform the user about the information you collect from user profile form fields the same way you inform them about the information you collect from them at the time of registration.
You are also required to inform the user about the reason for collecting that information, how you will use that information, and whether or not you will share it with any third-party vendors.
During the Game
VR technology has the ability to collect user's private information while they're immersed in a game. VR apps can track the information about the physical profile of the user, including the height, weight, girth, gait, and movement patterns of the user. Its purpose is to personalize the user's experience and make the game more immersive.
The information collected may include the user's hair color, eye color, and skin color. All of this information makes the user's VR app experience better but the privacy concerns it raises are serious.
If an app can create a picture of a user based on their usage of the app or the data the app collects - the users, especially children, can be exposed to potential risks.
A clear and explicit Privacy Policy can help negate some, if not all, of the potential privacy risks that VR apps and games bring to the table. A comprehensive Privacy Policy informs the user about information that helps them better understand the implications of using that app.
Clauses for your VR Privacy Policy
Let's take a look at some of the different clauses you should include in your VR app's Privacy Policy.
Types of Information Collected
The information most VR apps collect includes location-based information like the user's country of residence and its time zone. This information provides the user with personalized content like making their native language the default and sending software upgrades to them.
VR apps also collect personally identifiable information such as a usernames, email addresses and dates of birth.
Example #1: Solfar
In its Privacy Policy, Solfar has a clause for Information we collect from you. The clause provides simple and clear information about what data Solfar collects:
Solfar collects personally identifiable information like the user's name, address, email address, phone number, photograph and date of birth and makes this clear to users via its Privacy Policy.
Example #2: OrbusVR
In its Terms agreement, OrbusVR has a clause titled What Personal Data Do You Collect and Why?, which clearly describes the information their VR app collects:
OrbusVR collects personally identifiable information such as a user's name, email address, IP address and password.
Example #3: Oculus
Oculus includes a clause titled Information automatically collected about you when you use our services in its Privacy Policy. This clause points out the information the service automatically collects including interactions with other users, in-app purchases made and information collected via cookies:
This information is considered to be personally identifiable information.
The Purpose for Collecting the Data
All VR apps collect user information to guide their marketing strategies. Your VR app may collect information to give personalized product recommendations to users or it may send notifications of contests and promotions.
It may also use the information to help put relevant ads in front of their users or offer products by third parties.
Whichever marketing strategy your VR app uses, you should clearly state it in your Privacy Policy agreement.
Example #1: Oculus
The Oculus Privacy Policy includes a clause titled How do we use information? This clause clearly states that personal information is used to provide personalized services to its users and to improve user experience:
Oculus uses this information to market its services to users and to promote safety and security on and off its services.
Example #2: Epic Games
The Epic Games Privacy Policy includes a clause titled How We Use and Share Information. This clause points out that it collects its user's personal information for communicating with the user to deliver a personalized experience, display customized ads, make promotional offers, etc.:
Affiliated Websites or Organizations
All VR apps collect data of users when they are actively playing a game to compile statistics like number of users in a region.
This data is not considered personally identifiable information.
Users can allow Google to share this data with "companies, organizations, or individuals outside of Google." Otherwise, it is only shared with affiliates or for legal reasons.
Example #1: Oculus
Oculus has a clause titled Third Parties that Provide Content, Marketing, or Functionality on Our Services that clearly mentions that Oculus shares information with third parties to market their services to the users. The information is shared with companies to better understand how people use our services:
Use of Cookies
All VR apps use cookies and/or beacons to store user information.
In the context of VR apps, cookies are small files used for storing user information like login information and previously seen advertisements.
Beacons are used to establish communication between a user's device and a server - usually to check if the user has accessed some content.
Example #1: Oculus
Oculus has a clause titled Cookies and Other Local Storage that mentions cookies being used to help users log in to its services, to provide the users with shopping baskets for making purchases, and to help understand how people use its services.
Oculus also uses cookies to protect users against frauds and to improve its marketing efforts:
What You Should Keep in Mind if You Develop a VR Game or App
All Privacy Policy laws, including the GDPR and CalOPPA, require VR app owners to clearly communicate their Privacy Policy agreement and protocols for privacy compliance to their users.
Pay special attention to the following guidelines when drafting a Privacy Policy for your VR app or game. These guidelines will also help you fulfill the requirements of all applicable privacy laws:
- Use simple language to draft your Privacy Policy your typical users can comprehend easily.
- Inform your users all the types of data that you directly and indirectly collect.
- Inform your users of all reasons for collecting their information.
- Inform your users all the methods you use to share their information.
- Mention the steps you take to secure this information.
- Give clear instructions on how users can request retrieval, deletion, or transfer their data.
- Post your Privacy Policy on your website and within your app in an easy-to-find location.
When developing your VR app, it is highly recommended that you deploy a strategy for Privacy by Design. This strategy will help you implement privacy laws, evaluate risks, and ensure protection of user rights at every stages of your VR app design.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.