How are VR companies treating my data?

In order to play in the world of VR, you have to be prepared to share some data. That's not really a new concept; our devices and apps always come with a Privacy Policy (that most of us scroll through and agree to without actually reading). So what exactly are your VR devices and games getting from you, and what are the companies doing with that data? Good question.

Let's focus on the big three players right now: the HTC Vive, Oculus Rift, and Samsung Gear VR. All of them have Privacy Policies available to users on their websites, and not surprisingly, all have pretty similar clauses. The language may change a little from one brand to the next, but they essentially say the same thing. I have to say, after reading through all that legal jargon, I totally understand why we usually skip over these documents, but it's interesting stuff once you've got it all translated and organized.

Here's what all three Privacy Policies for these brands have in common:

Rachel Riley

All three are using Cookies and Beacons to collect and store data.

Cookies are small files that store things like login information and ads you've already been exposed to on various sites. Beacons are embedded in online content and give your device a way to communicate with a server. That's not unique to VR; your laptop, desktop, phone, and tablet do it, too.

All three are going to collect location-based information.

This includes things like your timezone and the country you live in; these have to do with apps and content availability, ensuring that user experiences are relevant for your part of the world with proper language availability and time-sensitive software upgrades. Those are necessities, so you can't mind them knowing where in the world you are.

All three are going to share aggregate data with third party companies.

This generally doesn't include your specific or personal data; it's more like the statistics of when people are actively playing and the numbers of regional users. That's not terrible, and most non-VR games and apps do that anyway.

Each system will take data like your IP address, the browser you're using, and your device.

Each will also ask for details like your name, an email address, and your date of birth. Depending on how much you want to honestly volunteer, you can falsify a handful of those "facts". Plenty of people do, but plenty of people provide their real information, and the choice is yours.

All three will use information they collect about you to guide their marketing strategies.

HTC's Privacy Policy clearly states that you're going to receive customized product recommendations, as well as notifications of contests and promotions. Samsung wants to give you "customized content and advertising", and Oculus Rift states that they aim to "measure how users respond to our marketing efforts", so you can't avoid being the target or victim here. Your preferences and purchases are going to be tracked and remembered.

Every Privacy Policy reminds you that nothing is 100% safe, in spite of their best efforts.

Part of the reason for this is, as always, unforeseen security breaches, but there is something else you need to be aware of. Your data may be transferred to servers throughout the US and around the world at each company's discretion, since they're all international companies. Once your data is "over there", it's subject to the laws of that land, and those laws may be far less stable or enforceable. That's a little scary, but VR isn't the only industry doing it.

All communication via the social features of your VR is stored.

Your messages are generally saved in a temporary cache if they're between users, but more permanently if they're forum posts, like in the Oculus support community. However, there will always be a record that some form of communication happened between you and a friend or another user. Again, that kind of permanent digital trail of breadcrumbs isn't unique to VR, but it's good to be reminded that it's there.

No matter which VR you're using, your data will be shared with network affiliates and business partners.

Extensive lists of these affiliates are available on the Oculus website, the HTC website, and the Samsung website, and it's good to know who is connected. More about this in just a bit.

So how are the Privacy Policies different?

The basic differences are pretty simple:

  • Samsung's Privacy Policy is overarching, designed to apply to all of their devices.
  • HTC's Privacy Policy uses pretty straightforward language, but it's worth it to dig deeper and look at their affiliate network.
  • Oculus Rift's Privacy Policy is the one that kinda blew up this whole privacy thing and made us stop and question VR and data privacy. There's an interesting reason for that.

It says very plainly in the Privacy Policy that Oculus Rift is collecting and sharing your movements and dimensions, everything from the slightest tilt of your head to the flick of your wrist to the size of the room you're in. The company states that all of that information is necessary to help make your game experience more immersive; they also use the data to make improvements on future games. But permanently storing that data, and then sharing it? That's a bit invasive.

Let's add to that the fact that Facebook bought Oculus Rift in 2014. This means that whatever Oculus knows, Facebook knows, and that's unnerving for lots of people. Remember the whole mess with the Facebook Messenger app a few years back? People were up in arms about privacy concerns, but what was really done about it? Over time, the worries faded for that app, but they seem to be making a comeback with VR's connection to social media.

Minnesota Senator Al Franken has been doing a lot of letter writing to Oculus Rift, demanding answers as to why such detailed information is being collected, and whether or not it's absolutely necessary. Oculus Rift responded, essentially rewording their Privacy Policy and emphasizing that the storage and sharing of movement data is essential for VR progress and authenticity. The company also emphasized the fact that people should read the Privacy Policy in full and understand what's being tracked before they jump in. That's a totally fair statement.

One of the things that's come to the top of the concern list with the Oculus Rift policy is the potential for people to be tracked while they're viewing adult content; call it like it is, because the VR porn industry is growing, and if that's your thing, that's nobody's business but your own. Just don't think for a second that there will be a separate clause for porn. And if you haven't been paying attention to a policy like Oculus Rift's, don't act surprised when you later find out that you're being watched, and there are many sets of corporate eyes on you.

Reality check


The point isn't to tear up the people at Oculus Rift or Facebook over one clause in the Privacy Policy; neither company is doing anything beyond this that's much different than the other big VR players. It's just that the partnership/ownership by Facebook has been highly publicized, and Facebook has dealt with its own firestorm of privacy concerns. But the other VR companies have their share of interesting affiliates, too, not to mention the fact that Samsung Gear VR is powered by Oculus, so there are some interesting bedfellows to be made there. For example, apps are available from the Oculus store, so Samsung allows them to have your data because you agreed to it, and therefore Facebook gets your data.

Here are a few noteworthy affiliates gleaned from each website:

  • Samsung has affiliates like Cheil (a Korea-based company that markets for GM, numerous coffee brands, and bath and body products);
  • HTC counts Facebook developers as an affiliate organization;
  • Oculus Rift, in addition to Facebook, is affiliated with Parse (open source API software), Moves (a fitness tracking app), and Liverail (a monetization platform for publishers like A&E and CBS).

It's good to know what you're connected to.

The bottom line

When you play in VR, you are granting access to a good amount of your personal data to multiple organizations and companies. The conversation surrounding VR and privacy is far from over, but while it's evolving, get to know the Privacy Policy that currently exists for your system of choice and decide how much personal data you're prepared to share with the powers that be.

What do you think of this whole privacy hullabaloo? Let us know in the comments section below!