How to regulate the metaverse to protect the interests of consumers?


By Kazim Rizvi

Technology advances at an exponential rate in geometric progression. In a short time, we have seen a transformation from two-dimensional Web 2.0 to Web 3.0, bringing virtual reality to life across the metaverse. Metaverse is the next on the internet, which uses the open-source technical layer to create proprietary augmented spaces for individuals to experience virtual reality.

As technology advances, we need to analyze the regulatory landscape to protect consumer interests and make it safe.

Online behavior and conduct violation

While we are still grappling with concerns about internet security, the emergence of the metaverse could exacerbate issues of digital safety and conduct. Some of the critical security and safety concerns on the metaverse are sexual harassment, discrimination, hate crimes, identity theft, and more. While we have certain legal frameworks to address issues such as sexual harassment, identity theft, etc., it is unclear how they will apply to conduct and behavior on the Metaverse.

Without a clear definition of personal, private and public space within the metaverse, measures to combat online harassment would remain more symbolic than substantive.

Additionally, understanding how inappropriate actions of individuals like cyberbullying, sexual harassment, etc., in the metaverse would be scrutinized in the physical world remains unclear. For example, in the case of touching, it is neither a physical harm nor a virtual harm; instead, it is virtualized physical harm with real-world implications. While the Sexual Harassment of Women in the Workplace (Prevention, Prohibition and Redress) Act 2013 defines sexual harassment beyond physical contact, it remains unclear how it will apply to virtual spaces as a metaverse.

Second, identity theft issues could increase on the metaverse. Although identity theft is a punishable offense under computer law, it only covers passwords and other unique identifiers that could slip digital avatars through the cracks. Moreover, the verification of the digital version of the physical person could also become cloudy due to the existence of bots, deep fakes, manipulations and hacked avatars due to identity theft. It can also cause problems in differentiating children from adults.

Finally, the metaverse is not immune to the historical disposition that leads to discrimination, racism, discrimination based on religion, hate crimes and hate speech. As platforms evolve in their understanding of breaking content moderation on social media platforms; real-time content moderation on the metaverse under different scenarios would be a new challenge.

Data Protection and Privacy Concerns

India still has no data protection regulations to protect our right to privacy. While the Personal Data Protection Bill would put the Metaverse under its purview, the Bill would have to pay attention to some of the details of the Metaverse’s regulations to avoid falling through the cracks.

The data generated on the metaverse is of anonymous avatar (digital identity), but it can become personal data when it is traced back to the natural person. There may also be scenarios where the data generated on the metaverse only pertains to the avatar, unrelated to the physical person. However, it could also lead to falling through the cracks as a situation because we don’t have a concrete understanding of digital-only data privacy issues, where the line between real identity and digital identity becomes blurred. A recent study by NordVPN suggests that 41% of the sample think it is difficult to protect their real identity from their metaverse identity. The bill should clarify whether an anonymous avatar can be considered a data principal when this is the case.

With respect to harms, while the bill in its current form would recognize the tangible harms of a metaverse as a ripple effect of the internet in real life, it is crucial to recognize the intangible virtual harms that could not necessarily having physical repressions and giving individuals a set of digital rights to protect their privacy. In addition, the division of responsibilities in terms of collection, processing and sharing of data within the Metavers must be clearly outlined. A key question would be whether Metaverse will be a centralized or decentralized platform. While in the case of the former, Metaverse would be the administrator of data collection, processing and sharing in virtual reality. In the latter case, will the metaverse be considered an artificial legal person (like the “corporation” in the physical world) and several entities operating in space as trustees of the data?

Moreover, the emergence of Metaverse would also give rise to innovative hardware like eyepieces and other Internet of Things devices in the form of AR and VR devices. It will be important to study the interaction of such devices with the metaverse to protect the privacy of individuals. One of the critical concerns with the hardware is the extent to which entities can monitor and extract biometric data such as eye tracking, gait tracking, brain wave monitoring, etc. When these data points are combined with existing data sets, the levels of profiling can bring real implications in the form of greater online security threats and even physical repercussions.

On the other hand, by proposing a restrictive cross-border data transfer regime with strict data localization for critical data and data mirroring for sensitive data, the bill must explain how this applies to the metaverse. where individuals are avatars and not legal citizens of any jurisdiction.

While the Metaverse will provide a wealth of opportunities in the future, we need to make sure that we minimize risk and damage to make it a success.

(The author is founding director of The Dialogue, an emerging think tank on research and public policy. The opinions expressed above are those of the author and not necessarily of


Comments are closed.