The European Union is putting the General Data Protection Regulation into effect next month, and as I reported last week, the rules are going to cause some changes to social VR and virtual world platforms -- even those with servers based in the US.
"We like the GDPR in its broad respect for human privacy, and will work to fully comply with it," High Fidelity's Philip Rosedale tells me. "It is aligned with our own mission to give full control over identity and user data to end-users and not ourselves."
One unique challenge with High Fidelity is it's a grid-based metaverse, with servers owned by individual users and organizations. "Because High Fidelity servers are operated by others and not by us, some of the data that is of concern is gathered not by us but by those server operators," as Philip puts it. "We will work to add features as needed to allow appropriate controls for those server operators subject to GDPR requirements." He says the company will announce specific changes soon.
Second Life and Sansar will also see some changes: "Linden Lab is taking all actions to stay in compliance with GDPR regulations for both Sansar and Second Life," company spokesman Brett Atwood tells me. "Our company continues to respect and value the privacy of all our users and works diligently to ensure that we follow best practices for data protection across all platforms." He says a more detailed announcement will be posted in coming weeks.
Sinespace is already working on implementing changes in time for the GDPR's deadline in late May: "[W]e're adding a lot more to the privacy policy indicating where and when third parties can access data (e.g. our credit card processor will get your name and card details in order for us to be able to bill you)," lead developer Adam Frisby tells me. "[We're] adding clarifying text around things on our signup and account pages, indicating exactly what things like an email address may be used for; finally we're adding an easier account deletion process to satisfy the 'right to be forgotten' parts of the legislation."
Echoing Philip, Adam is also welcoming of the GDPR, and explains why its rules matter:
"I think to be honest it's common-sense legislation that is long overdue; and despite the hassle of implementing the specifics, the Internet is overall better for it," as he puts it. "It's a net-win for everyone, and gives individuals a lot more knowledge about when/where their data will be used, and who will be getting copies of it.
"The key wins for consumers are: knowing who is getting their data, in advance, and having to give informed consent. You can't bury this stuff in a 100-page terms of service. It has to be clearly and plainly visible upfront. Data breaches will benefit from consistent reporting too - companies can now be fined for not reporting a data breach quickly. Companies should also be thinking twice about who they share data with, as they can be held liable for the actions of that third party if they break the rules."
As these companies adjust to the GDPR, third-party developers on these platforms should start making changes too -- for instance, reconsidering how they collect (and share) customer data from external websites, or how they associate avatars with e-mail addresses. More on that hopefully soon.
Disclosure: Sinespace is a sponsoring media partner to this blog.