Will the Metaverse be a Universal Platform? Part II - The Legal Issues

Suddenly the metaverse is everywhere. But what are the potential legal ramifications of living and working in this parallel universe? In this second part of a two-part article, a team from Norton Rose Fulbright LLP will look at the potential legal issues. Part 1 looked at the technology behind the concept.

In Part I of this article we looked at what the Metaverse is, its potential for disruptive change, and some of the computer science challenges. In this Part II, we consider some of the key legal and regulatory issues future stakeholders may need to consider.

What are the potential legal issues?

The revolutionary nature of the Metaverse is likely to give rise to a range of complex legal and regulatory issues.  We consider some of the key ones below.  As time goes by, naturally enough, new ones will emerge.


Participation in the Metaverse will involve the collection of unprecedented amounts and types of personal data. Today, smartphone apps and websites allow organisations to understand how individuals move around the Web or navigate an app. Tomorrow, in the Metaverse, organisations will be able to collect information about individuals’ physiological responses, their movements and potentially even brainwave patterns, thereby gauging a much deeper understanding of their customers’ thought processes and behaviours. 

Users participating in the Metaverse will likely be “logged in” for extended amounts of time. This will mean that patterns of behaviour will be continually monitored, enabling the Metaverse and the businesses (vendors of goods and services) participating in the Metaverse to understand how best to service the users in an incredibly targeted way. 

The hungry Metaverse participant
How might actors in the Metaverse target persons participating in the Metaverse? Let us assume one such woman is hungry at the time of participating. The Metaverse may observe a woman frequently glancing at café and restaurant windows and stopping to look at cakes in a bakery window, and determine that she is hungry and serve her food adverts accordingly. Contrast this with current technology, where a website or app can generally only ascertain this type of information if the woman actively searched for food outlets or similar on her device.

Therefore, in the Metaverse, a user will no longer need to proactively provide personal data by opening up their smartphone and accessing their webpage or app of choice. Instead, their data will be gathered in the background while they go about their virtual lives. 

This type of opportunity comes with great data protection responsibilities. Metaverse businesses will need to comply with data protection legislation when processing personal data in this new environment. The nature of the Metaverse raises a number of issues around how that compliance will be achieved in practice.

Who is responsible for complying with applicable data protection law? 

In many jurisdictions, data protection laws place different obligations on entities depending on whether an entity determines the purpose and means of processing personal data (referred to as a “controller” under the EU General Data Protection Regulation (GDPR)) or just processes personal data on behalf of others (referred to as a “processor” under the GDPR).

In the Metaverse, establishing which entity or entities have responsibility for determining how and why personal data will be processed, and who processes personal data on behalf of another, may not be easy. It will likely involve picking apart a tangled web of relationships, and there may be no obvious or clear answers – for example:

  • Will there be one main administrator of the Metaverse who collects all personal data provided within it and determines how that personal data will be processed and shared?
  • Or will multiple entities collect personal data through the Metaverse and each determine their own purposes for doing so? 

Either way, many questions arise, including:

  • How should the different entities each display their own privacy notice to users? 
  • Or should this be done jointly? 
  • How and when should users’ consent be collected? 
  • Who is responsible if users’ personal data is stolen or misused while they are in the Metaverse? 
  • What data sharing arrangements need to be put in place and how will these be implemented?

Biometric Data
Virtual reality headsets and glasses will likely be commonplace in the Metaverse (unless they are replaced by something more sophisticated in the meantime, such as direct electronic/brain interfaces). Such devices have the potential to collect a wide range of sensitive data about the wearer (for example, eye and body movements, physiological responses and even brainwave patterns).

To the extent that this data is used by actors in the Metaverse to learn about the user or to make decisions about them, then it will be considered to be special category data under the GDPR.

This means that extra conditions would need to be satisfied. Most importantly, the user would most likely need to give their explicit consent for each purpose for which the data is used. Let’s take the hungry woman example described above. If the woman was targeted with food adverts using gaze analysis technology, for this to be lawful she would have needed to have given her express permission. A general marketing consent would not suffice. Quite how this consent would be sought and given is a question that goes to the issue of whether the Metaverse can operate on a decentralised/distributed model, discussed below (see Decentralised / distributed models).

Consent to marketing 

A key driver in the development of the Metaverse is its potential to enable new forms of marketing which are seamlessly integrated into the fabric of the Metaverse. For example, an individual heading to a store in the Metaverse might be shown deals on his/her favourite products in real time as he/she is browsing the shelves based on his/her previous behaviour. 

This is likely to constitute direct marketing under many countries’ data protection laws, which could require the consent of the Metaverse users. 

The precise nature of the obligations would likely depend on whether the brands themselves instigate the marketing and how the marketing is presented, including whether the presentation of marketing is more akin to online behavioural advertising or social media marketing (where a network of participants operate to present relevant advertising). 

However, in all cases, thought needs to be given as to how and when any required consent would be collected and, in particular, whether “real world” consent can be relied on by brands in the Metaverse and vice versa. 

It is one thing to process personal data of adults in the Metaverse, but it is quite another where children are concerned. Many countries’ data protection laws provide special protection for children’s personal data, and data protection authorities and other similar regulators often come down particularly hard on organisations that do not comply with the rules. 

In many circumstances, parental consent is required if a child is to participate in an online service, and the GDPR explicitly states that specific protection is required where children’s personal data are used for marketing purposes or creating personality or user profiles. 

Sophisticated age verification techniques, enforcing age restrictions and implementing measures to deter children from providing their personal data are therefore going to be essential components of increasing data protection compliance in the Metaverse.  

Data sharing

To enable interoperability, data collected by one entity in the Metaverse may have to flow seamlessly between different operators and even platforms. As interoperability improves and the consumers are allowed to move digital assets and avatars between platforms and across the Metaverse, software developers and brands will need to establish bilateral or multilateral data sharing agreements to improve the seamlessness of the consumer experience. 

This is not altogether different from the current environment in which databases are bought/sold, but there are conditions which must be met first. 

For example, one requirement under many data protection laws is that the receiving party’s privacy notice must be provided to an individual shortly after it receives the data to explain to the individual how their personal data will be processed. These conditions will become increasingly difficult to meet in the Metaverse, where data exchange is rapid and involves a multitude of participants. 

One solution to this might be for a central administrator of the Metaverse to give users a clear description of how their data will be used and (if necessary) the opportunity to give consent for various uses. However, data protection regulators have expressed distaste for this type of “catch-all”, bundled approach. These types of objections are likely to be more forceful in relation to the Metaverse, where the amount of data collected and complexity of data sharing networks is significantly greater in scale.

Data export and localisation

“Seamlessness” in the Metaverse demands that data crosses boundaries at speed and without friction. It will be challenging for organisations and/or central Metaverse administrators to manage this while the rules around data export and localisation are becoming increasingly strict. 

Many countries are also beginning to roll out “data localisation” laws which can impose onerous restrictions on data leaving the country in which it was collected. It would not be surprising to see developers and/or brands getting together to try and agree large, overarching data sharing/export agreements, although how feasible such initiatives might be remains to be seen. 

Responsibility for data breaches and cyber-attacks

As with any online platform, the Metaverse will face the usual challenges of fending off cybersecurity incidents and data breaches. However, in the Metaverse these types of attacks may also take more ‘sci-fi’ type forms through deep fakes and hacked avatars. 

These types of incidents may therefore be harder to identify, verify and bring under control, and it may also be difficult to ascertain where responsibilities lie in respect of breach notification to users and data protection authorities, given the complex web of relationships that entangle the Metaverse.

Decentralised / distributed models

The discussion on data, above, underscores a number of competing tensions that will need to be addressed in the Metaverse:

  • Participants will want a seamless experience in traversing the subsystems of the Metaverse. 
  • The platform technology itself may be decentralised. How will data sharing and a seamless user experience be possible in such circumstances if there is not central co-ordination by, say, an administrator?  How will vendors who do not know each other and may have no commercial connection co-operate in relation to the exchange of data?  
  • Vendors will want to have customer “ownership”. To do that, they may want their own terms and conditions to which a participant subscribes. Will this mean that large areas of the Metaverse will be gated (greatly reducing the user experience)? At the moment, if we want access to the World Wide Web, we subscribe to an ISP’s terms and conditions for that access, but such terms and conditions do not prescribe the terms applicable to our access to particular websites on the World Wide Web. We are used to “partitioned” access to websites, governed by separate clickwrap or webwrap terms and conditions.  As that approach does not lend itself to seamlessness, how will it be addressed in the Metaverse? Universal terms and conditions seem unlikely, so would technology provide the solution (for example, self-executing smart contracts)?

Competition Law

Competition law issues may arise as a consequence of both developer and participant conduct. Businesses developing Metaverse products and services on their own are unlikely to face antitrust concerns. However, the global and interoperable nature of the Metaverse will inevitably encourage multiple businesses to communicate and co-operate with each other in order to provide greater choice and a better experience to participants. Where they are competitors, communications or co-operation between Metaverse offerings could give rise to antitrust issues, which will need to be examined with caution. 

For example, while co-operation among competing Metaverse businesses to facilitate interoperability will most likely be viewed as pro-competitive, any sharing of competitively sensitive information (especially pricing) or agreeing on separate areas of focus and development could constitute serious antitrust infringements and lead to high fines. 

To mitigate this risk, Metaverse businesses will need to implement competition policies and training programmes, not only for their employees but, potentially, for certain Metaverse participants as well. 

Similar to other online gaming platforms, participants in the Metaverse could engage in conduct that would contravene antitrust laws in the real world. Where online products and services hold real-world value, real-world antitrust laws (such as the prohibition on cartels and joint boycotts) will also apply, which could have both civil and criminal consequences for those participating.

Social Media Regulation

Will social media regulation impact upon Metaverse stakeholders? It is difficult to speculate, so far in advance, on what the legal position will be in relation to the Metaverse when social media itself is not yet much regulated globally.  

BigTech, as incumbents, have a particular interest in the evolution of the Metaverse. Some commentators are calling for tougher regulation in order to make BigTech more accountable for content that appears on their platforms. There is no doubt that change is coming in many jurisdictions for BigTech and social media platforms. As the Metaverse emerges, key stakeholders will face the same kind of scrutiny in relation to the same kind of content.

Intellectual property rights

If you collaborate with others to generate intellectual property rights, who owns the created rights?  Principles of joint authorship and co-ownership are complicated, and their application will become more so in complex virtual world scenarios where a community of stakeholders may have been involved.

It is for these types of reasons that the European Commission is considering legal reforms to clarify the position on “co-generated” data arising out of new technologies, as well as in relation to machine-generated data. Metaverse stakeholders will need to navigate these kinds of issues when participating in the Metaverse.

An IPR licence is a permission to do that which would otherwise be forbidden by intellectual property rights. The fast-moving world of the Metaverse may involve character “mash-ups” and the bringing together of intellectual property rights owned by separate stakeholders. Infringement caused by “use in combination” with other intellectual property rights (in a software licensing context) is a typical carve-out in indemnities included in licences for intellectual property, but “use in combination” is precisely the kind of scenario that the Metaverse will bring about. Rights holders may be expected to be very prescriptive about who their characters can and cannot interact with. Traditional risk allocations in IPR licences will need to be reviewed, as will scope of use provisions.

European Regulatory Initiatives

Some recent European legislative initiatives illustrate the kind of approach that regulators might take in dealing with the Metaverse (of course, the legislation might be in a very different form by then). One need only think of the following EU legislative initiatives to wonder how they (or what follows them) might apply to the Metaverse:

  • The Platform to Business Regulation (EU Regulation on Promoting Fairness and Transparency for Business Users of Online Intermediation Services (Regulation (EU) 2018/0112)).
  • The proposed Digital Services Act.
  • The proposed Digital Markets Act.
  • The proposed EU AI Regulation.

Of these, the proposed AI Regulation manifestly could have a significant impact on the Metaverse, given the Metaverse is likely to be powered by ubiquitous and opaque AI. The proposed AI Regulation:

  • Is designed to protect humans in relation to the impact of AI, whether through direct interactions between humans and AI or (say) via AI decision-making that affects humans.
  • Can apply in relation to the use of AI by businesses (B) or humans (C), so potentially within scope are B2B (where it affects humans), B2C or C2C situations. All of these scenarios are likely in the Metaverse.

Under the proposed AI Regulation, AI systems may be classified as prohibited, high risk, limited risk, or minimal / no risk (the classification determines the compliance obligations applicable). The prohibited practices include the following:

  • Subliminal techniques: putting into service or use an AI system that deploys subliminal techniques to materially distort a person’s behaviour in a manner that causes / is likely to cause physical or psychological harm.
  • Exploiting the vulnerable: putting into service or use an AI system that exploits vulnerabilities of a specific group of persons due to age, physical or mental disability, in order to materially distort behaviour in a manner that causes / is likely to cause that person or another person physical or psychological harm.

Clearly such matters could be an issue in the virtual world of the Metaverse. Moreover, the compliance obligations applicable in the case of even limited risk AI could be an issue for the Metaverse, where transparency obligations apply (for example, explicit disclosure that a human is interacting with AI) for the following kinds of AI systems:

  • Human interaction: AI systems intended to interact with natural persons.
  • Emotion recognition: emotion recognition systems or biometric categorisation systems.
  • Deep fakes: AI systems that generate or manipulate image, audio or video content that appreciably resembles existing persons, objects, places or other entities or events and would falsely appear to a person to be authentic or truthful.

Relevant Metaverse stakeholders should expect that they will need to comply with regulatory requirements of the type envisaged by the proposed AI Regulation in the years ahead.  

Other issues and final thoughts

As aspects of the Metaverse materialise, so too will other legal issues we cannot yet foresee. We can, however, expect that Metaverse stakeholders will need to deal with the full range of other issues that would apply in any trading and digital context, such as anti-money laundering issues, sanctions and technology export restrictions, financial services regulation and the like.

When the Internet first emerged, technology lawyers spent some time working out how existing legal principles applied in that context. The same will be true of the Metaverse. The great challenge the Metaverse will give rise to will not be whether or how such principles apply, but rather, how to balance business commercial imperatives against legal and compliance requirements. Technology lawyers have already pragmatically navigated similar issues with the GDPR and will do so again with AI regulation. We can reasonably expect that such pragmatism will be necessary in relation to the Metaverse too.   


Sean Murphy, Partner, Norton Rose Fulbright LLP 

Lara White, Partner, Norton Rose Fulbright LLP 

Professor Peter McBurney, Professor of Computer Science in the Department of Informatics

Dr Michael Sinclair, Head of Knowledge, IT/IP, Norton Rose Fulbright LLP

The authors wish to acknowledge the contributions of the following Norton Rose Fulbright LLP lawyers to versions of this publication: Jay Modrall, Mike Knapper, Susan Ross, Bryan Park, and Tong Lap Way.

Published: 2021-10-29T11:00:00
