© AdobeStock: Art Photo

The metaverse and virtual worlds are becoming increasingly important. However, there is a lack of research examining these virtual realities from the perspective of users and their protection needs. The DIN Consumer Council – the representative body for consumers in standardization – has now published a comprehensive study on this topic. The study, conducted by ConPolicy, reveals surprising findings: Although users have already had negative experiences, they systematically underestimate potential dangers. The study analyzes the legal situation and develops concrete recommendations for policy, industry, and standardization.

Paradoxical Complacency despite Real Threats

The study reveals a remarkable contradiction: Metaverse users are predominantly young, educated, and have a very positive attitude – even when they have already experienced insults, identity theft, or other violations. The concrete figures are alarming: 44 percent of young metaverse users report hate speech or offensive statements, 19 percent of surveyed youth report sexual harassment. Additionally, between 2 and 20 percent of virtual reality users show addiction-like usage behavior, with over half of users spending more than 10 hours per week in virtual worlds.

Data Protection: Movement Data as distinct as Fingerprints

A central area of concern is data protection: Virtual reality (VR) technology captures highly sensitive biometric data such as facial expressions, eye movements, and movement patterns. Movement data alone – so-called telemetry data – is so distinct that it enables individual identification. The privacy policies of major platform operators sometimes comprise more than 100 pages when printed out – practically unreadable for consumers. Michaela Hildebrandt, Project Manager at the DIN Consumer Council Secretariat, explains: "The collection of such sensitive data combined with low transparency is particularly problematic." Our study shows: Users are often unaware of the extent of data collection."

Responsibility: Users demand Structural Solutions

The question of who should be responsible for user protection in the metaverse shows a clear picture: While 24 percent of users see responsibility with themselves and want to decide independently, the majority demands structural solutions. Platform operators, state institutions, and policymakers should create appropriate protection and control mechanisms. These expectations reflect the compromise between individual freedom and collective protection needs.

The Adaptation and Enforcement Problem

A central finding of the study: Comprehensive consumer protection regulations already exist – through the General Data Protection Regulation (GDPR), the European Digital Services Act (DSA), Cyber Resilience Act (CRA), and other laws. The problem lies in adapting these to virtual worlds and how to enforce them practically. Existing laws are not yet sufficiently tailored to the specific risk situations and complex structures of immersive systems and face considerable enforcement difficulties due to matters of jurisdiction on international platforms.

Act Now and Seize the Formative Phase

"The metaverse is in a formative phase," emphasizes Michaela Hildebrandt. "The discrepancy between the risks and users' low problem awareness makes clear: Now is the time to establish consumer-friendly structures before problematic practices become entrenched."

The study therefore develops concrete recommendations for action on three levels:

1. Education and Media Literacy

Users and their families must be empowered to recognize risks and act responsibly. This includes information on data protection, addiction risks, and violations, as well as how to utilize protection mechanisms.

2. Adaptation and Enforcement of Legal Requirements

Existing legal requirements for data protection, security, transparency, and youth protection must be adapted to the specifics of virtual worlds and made technically enforceable. The study identifies a clear gap between abstract legal requirements and their practical implementation.

3. Standardization and Governance

The study shows: Consumer protection can only be achieved through a combination of corporate self-regulation, legislation, and standardization. Standards can translate abstract legal requirements into concrete, verifiable requirements, and create international consensus. Additionally, the study recommends developing alternatives to tracking-based business models and establishing participatory governance structures.

At the international level, the ISO committee ISO/IEC JTC 1/SC 24 "Computer graphics, image processing and environmental data representation" is already working on standardization in this area. In Germany, there is a corresponding mirror committee that brings German interests into international standardization work. The DIN Consumer Council actively participates nationally and internationally with two voluntary experts. Interested individuals who would like to contribute during this important formative phase can apply to participate. Contact information and further details are available on the DIN website.

Comprehensive Methodological Foundation

The study is based on a multi-stage research approach:

• Systematic review of scientific literature as well as blogs and forums
• Comprehensive analysis of the legal situation in Germany and the EU
• Focus groups with users and their families
• Online surveys of VR users and their families with over 400 participants
• Interdisciplinary expert workshop with specialists from consumer protection, data protection, youth protection, addiction prevention as well as fromtechnology development, regulation, and science