By Daniel Levy and Volha Samasiuk
When you think about how virtual reality (VR), augmented reality (AR), or mixed reality (MR), collectively extended reality (XR), is used today, you probably imagine video games and entertainment. There are numerous VR games that put you in the middle of the action. You can also watch movies, visit museums or galleries, and attend concerts in an immersive 3D VR environment. However, the market for XR products and services is rapidly expanding.
The market for VR headsets grew 92.1% year over year in 2021. And future growth is not due only to consumer use, such as for gaming and entertainment. The global XR market is expected to grow to 125.2 billion USD by 2026 from 33 billion USD in 2021. A classic example of VR that we frequently see on television is a flight simulator to train pilots or astronauts. XR can also be used for other safety-critical training such as medicine, military, and construction. With the COVID-19 pandemic, XR could more commonly be used to facilitate hybrid or remote work, including virtual meetings and trainings.
Autodesk is also incorporating XR into its portfolio in new and exciting ways
Autodesk offers VRED, 3D visualization software that allows VR collaboration. VRED also now supports mixed reality, allowing designers to compare digital and physical prototypes while communicating during a remote design review. Fusion 360 allows you to use AR to view your designs in real life from your iPhone. And Autodesk recently acquired The Wild, a platform that allows AEC teams to collaborate and review projects using XR. Teams can work together inside digital project models to explore, interact, and make changes directly in the cloud. This allows for greater resiliency and sustainability by enabling more effective remote collaboration and reducing the need to travel.
So you have a great idea for an XR application. Time to get to work implementing and launching as quickly as possible, right?
Not so fast. As with any new technology, the law is usually playing catch-up. However, general privacy and security laws, such as the EU General Data Protection Regulation (GDPR) and recent California privacy laws (CCPA, and upcoming CPRA), still apply. And if your XR application collects biometric information, such as a retina or iris scan, fingerprint, voiceprint, or a scan of hand or face geometry, there are specific legal requirements that may differ by state or country.
Below are key points to remember while your team is embarking on the XR journey:
- Data is everywhere, so is the risk
AR/VR applications collect a lot of data. What is different here from traditional technologies, such as our desktops or laptops? At least three things – scope, scale, and sensitivity. VR/AR devices continuously record data about you, including sensitive data such as biometrics and data about your surroundings (people, places, etc.). Without proper notice and transparency, XR might be both unexpected and invasive. Just think about how you would feel if, in addition to someone monitoring everything you did online, they were now in your space monitoring your movements and environment. XR may be a powerful tool for this reason, but it could also quickly veer into being creepy.
Action item
Reach out to your legal team as early as possible to discuss your XR project to ensure that privacy considerations are baked into technical requirements at the outset (e.g., add/update privacy notice and consent prompt in your applications). You may need to complete a data protection impact assessment (DPIA), which will help to identify data risks and appropriate mitigations.
- Biometrics and AR/VR devices
Biometric information is “sensitive data” under many privacy laws. California’s new privacy law CPRA, which takes effect on January 1, 2023, limits how sensitive data can be used. Illinois’s Biometric Information Privacy Act (BIPA), enacted in 2008, is even more strict, requiring informed consent prior to collecting biometric data or sharing that data with third parties.
In the last few years, consumers have used BIPA to bring class action lawsuits against companies such as Target, Amazon, and Louis Vuitton for virtual try-on technology, alleging that the companies did not obtain consent for the collection of a facial template. In 2021, Facebook settled a BIPA lawsuit for $650 million USD with a class of 1.6 million alleging misuse of facial recognition to identify users. Numerous other states and countries either have laws regulating the use of biometrics or are considering enacting such laws.
Action item
Again, your legal colleagues can help you navigate this thorny privacy law landscape. In addition, make sure to review contractual provisions with partners that provide VR/AR services or devices (e.g., Oculus, HTC, etc.). They may want to use data collected through these devices for their own business purposes (e.g., for product improvement), so you should ensure that your users’ data is properly used and protected.
- Controls for user-centric design
Individual controls are an important component of customer trust. Due to the scope and sensitivity of data collected in XR applications, it is critical to establish a balanced set of choices for individual users to allow for effective collaboration, while preserving individual autonomy and privacy rights. Also, are you thinking about appropriate access controls to ensure that your XR application will not expose proprietary data or trade secrets to those who are not intended recipients (e.g., when you “invite” third parties to your virtual workplaces)?
Action item
Work with relevant stakeholders (Legal, Security, UX, etc.) to develop controls or settings for end users as well as administrators. Local legal requirements might differ, so you may want to discuss the benefits and drawbacks of a region-by-region approach vs. a standard global approach.
- Security concerns are real
As always, you should think about the security of the data you collect. However, given the sensitivity of the data that you might be collecting and the criticality of the service, you might reconsider what level of security you implement. Take into account both legal requirements and customer expectations in order to maintain trust. Consider what would happen if users were locked out of your service due to a ransomware attack. Does that mean a design review with participants from all over the world cannot take place? Will critical infrastructure or healthcare operations be impacted? Will cars that use AR suddenly turn into a safety hazard while people are driving?
Action item
Reach out to the security team to perform a security assessment. Don’t wait until your XR application is built to talk with your security colleagues, and always practice security by design.
Where does it leave us?
XR is a new frontier, and it is powerful and exciting. However, it allows the collection of different and more sensitive types of data than has been traditionally collected, and a lot of it. It’s a cliché, but it still rings true that with great power comes great responsibility. To be sure, there are existing laws that apply, and we need to be careful in how we treat our data. But even if you are legally allowed to do something, you should ask if you are doing right by our customers and our employees. And who knows, the law may catch up.
The Authors:
Volha Samasiuk is Senior Manager, Senior Privacy and Data Use Counsel at Autodesk
Daniel Levy is Privacy Counsel at Autodesk