Common Sense Media released a new report that evaluates the privacy policies of the most popular virtual reality headsets on the market. The report, “Privacy of Virtual Reality: Our Future in the Metaverse and Beyond,” examines the privacy trends and practices of seven of the top VR devices and found that none of them meet the minimum privacy and security requirements recommended to keep kids safe.
The report analyzed the privacy policies and practices of the HP Reverb G2, Meta Quest 2, HTC Vive Cosmos Elite, Pimax Vision 5K Super, PlayStation VR, Microsoft HoloLens 2, and Valve Index, and found that:
- Users are tracked from the moment they put on any of these VR devices.
- Sensitive data collected in virtual reality is shared with third parties for profit.
- Privacy policies were unclear or said sensitive data is used for targeted advertising, third-party marketing, and tracking purposes.
- None of these devices use privacy by design.
- They all displayed third-party advertising to users.
Additionally, the headsets lack specific protections for kids under 13 who use these devices. Among the privacy practices evaluated in the report, more than half (57%) of the devices have no parental controls, and less than a third had any safety settings at all.
“VR companies, just like any other tech company that targets teens, must use a privacy-by-design approach to create content and experiences that are age-appropriate, safe, and adhere to the strongest privacy protections possible. Anything less than that is unacceptable because the stakes are too high,” says James P. Steyer, founder and CEO of Common Sense Media. “We need to ensure that safe spaces exist in virtual reality for kids and teens to connect, play, and learn without the threat of encountering various forms of harassment and privacy risks that currently run rampant in the metaverse and beyond.”
According to the report, VR devices collect much more data than mobile apps and websites—including body posture, eye gaze, pupil dilation, gestures, facial expressions, and even minute variations in skin color. A user’s body movements in VR are tracked more than 100 times per second, which means that spending 30 minutes or more in a VR simulation can collect over 2 million unique data points.
“The bottom line is that every VR device we tested exploits users’ sensitive data for profit, so we can’t recommend any of these devices to parents as being safe for kids,” says Girard Kelly, privacy program director at Common Sense. “However, some of the devices we reviewed do have options available to turn off some of the most problematic data collection and safety settings. But that puts the onus on the parent or caregiver to navigate hard-to-find and complex privacy and safety options in order to keep kids safe.”
Meta Quest 2, arguably the most popular VR headset on the market (Meta owns approximately 90% of the VR headset market share), received the third-lowest privacy rating (55% Warning), ranking only ahead of Valve Index (50%) and Primax Vision 5K (30%). Meta’s privacy policy says it does not sell consumer data but that it does engage in everything else, including third-party marketing, targeted ads, third-party tracking, tracking users across the internet, and generating ad profiles based on the user data it collects. Microsoft’s HoloLens 2 received the highest privacy rating (75%), but like the other six headsets that were evaluated, they all failed to meet the minimum privacy and security requirements recommended to keep kids safe.
The data was collected and analyzed by the Common Sense Privacy Program, a team of attorneys and experts in privacy, law, computer science, education, academia, and public policy. The research team rated products on a 100-point scale across 155 unique evaluation questions.