Oculus will be releasing a new Privacy Policy and Terms of Service tomorrow that will go into effect on May 20th, just five days before the EU’s General Data Protection Regulation (GDPR) privacy law enforcement deadline of May 25th. I had a chance to review the new privacy policy and terms of service as well as talk with the lead privacy policy architect Jenny Hall and a privacy cross-functional team member Max Cohen, who leads product for the Oculus platform.


Jenny Hall

Generally, both the old and new Oculus privacy policies are written in an open-ended way that provides Oculus great leeway in being able to capture and record a lot of different types of data, and the new privacy policy actually adds a number of new passages that allows for new types of data to be collected. Hall & Cohen emphasize that Oculus is committed to transparency and building trust, and that they need this flexibility to account for future applications that haven’t even been imagined yet. But as the line between Oculus and Facebook continues to blur, there are still many open questions for what types of data or biometric information gathered from VR is going to prove to be useful for Facebook’s advertising bottom line.

Max Cohen

In talking with Hall and Cohen, they were able to detail how Oculus is taking a much more conservative approach than a worst-case scenario interpretation of what the privacy policy affords, but up to this point their limited implementations have relied upon a ‘just trust us’ approach with not a lot of transparency on the full range of data that is actually being captured and how it is being stored. Oculus will soon be releasing more GDPR-inspired transparency tools so that users will be able to audit what personal data are being recorded so that users will be able to see for themselves, but these tools still will not reveal everything that Oculus is capturing and recording.

On May 20th, Oculus will be releasing a ‘My Privacy Center’ web interface that will allow users to download a copy of the personal data that Oculus has collected, view the information that Oculus collects when you use their platform, and set privacy settings around who can see your real name, real name search, sharing your Oculus apps & activity, as well as who can see your friends list. Hall and Cohen told me that Oculus is really committed to transparency, and these automated privacy tools will be a huge step in actually allowing users to audit what data are being collected.

The current privacy policy allows users to request to download and review your data, but I found their previous method to be both unreliable and non-responsive. Oculus did not respond to my previous email requests that I sent to privacy@oculus.com in January and March 2017, and so I’m happy to see that the GDPR obligations have catalyzed an automated web interface that will provide immediate access to the private data Oculus has captured. When asked if all of the GDPR obligations will be provided to all of the users around the world, an Oculus PR representative responded, “We are making sure everyone has the same settings, controls, and privacy protections no matter where they live, so not just Europe but globally. The GDPR’s penalties and notification policies are specific to EU law.”

Both the current and new privacy policies are more likely to grant Oculus permissions for what data they can collect than to detail the obligations for how Oculus plans on capturing and storing that data. Hall and Cohen described to me how Oculus takes a tiered approach to privacy where there are at least three major tiers of data that are collected: data that are collected and tied back to personal identity (which they try to limit), data that are de-identified and shared in aggregate (things like physical movements taken at a low sample frequency), and then personal information that is useful for VR and is only stored locally on your machine (like the height of the player).

However, Oculus does not disclose in the privacy policy which tier data will be captured at. For example, in the “Information Automatically Collected About You When You Use Our Services” section, Oculus only says that they collect “information about your environment, physical movements, and dimensions when you use an XR device.” Oculus doesn’t specify that their current recordings of physical movement data are not tied to your identity, that the sample frequencies are too low to fully reconstruct movements, and that it is only presented in aggregate form. This is the type of information that Hall and Cohen provided to me when I asked about it, but Oculus hasn’t disclosed this information in any other way.

Meta is Testing 'Instant Replay' Feature in 'Horizon Worlds' to Make Social VR More Viral

The way the privacy policy is written implies that physical movements could indeed be tied to personal identity at as high of a sample frequency as they would want. It’s this level of vague open-ended language that would allow Oculus to capture data at a much high fidelity than they currently are. Because Oculus doesn’t commit to any specifics in the privacy policy, then this means that they don’t have to commit to notifying users if their implementation changes. Currently Oculus isn’t tying physical movements to identity, but that could change next month and there are not any notification obligations that are specified in the privacy policy. The privacy policy merely states that Oculus can record physical movements without being overly prescriptive for how Oculus decides to implement it.

It is worth pointing out that both Hall and Cohen emphasized over and over again that they’re really committed to transparency, and that most of their interpretations of the privacy policy are very conservative. They’re not trying to scare users, but rather build trust with them. Users will be able to have tools in May to be able to verify what data are actually being recorded, and if there is a mismatch of expectations of having way more data that’s captured than users were expecting, then that’ll cause users to lose trust with Oculus. It takes a lot of time to build trust, but it can be lost in a moment and Cohen emphasized that losing trust can be detrimental for Oculus. So I took this message to be on good faith that Oculus’ Privacy Policy needs to be flexible enough for them to be able to provide the services that they are providing, but the privacy policy still only provides limited obligations for what Oculus is committed to providing.

It is likely that this is because Oculus is trying to keep their privacy policy simple in response to GDPR obligations to have human-readable privacy policies that give concrete examples. Hall also said that they’re trying to prevent the policy from exploding into hundreds of pages long. Once downloadable access to what exact data are actually collected and tied to identity will also likely solve some of these problems of having open-ended and vague language in the privacy policy, but it won’t solve all of the transparency issues about what exactly is being recorded.

Continued on Page 2 »

Newsletter graphic

This article may contain affiliate links. If you click an affiliate link and buy a product we may receive a small commission which helps support the publication. More information.

  • jj

    Yupp and this is a huge cripple for Oculus for those paying attention to privacy right now. Oculus=facebook=Zuccerburg who was just on trial for breach of millions of users data in this exact situation of user terms and agreements over data usage. His view was “well you signed up for it”. So it cannot be a surprise to any of you when we realize the rift has been gathering more data than you realized it had been. It just sickens me that fb is going through all these court procedures over privacy yet on the other end of their business they’re still trying to cover their ass and pull in data, regardless of how its being used.

    • jj

      ‘One of the passages in the “How do we use information?” section says that the information that they gather is used “To market to you. We use the information we collect to send you promotional messages and content and otherwise market to you on and off our Services.” ‘ quoted from the article that quote from their new terms….

  • Zucculus

    Who to say that their transparency tools will show everything they collect? They can’t even be clear about kind of data they capture in their privacy policy. If anything they are just releasing the tools to calm the media down about their recent privacy fiasco. Nothing has changed. People will just eat it up because they did something. Most won’t even bother using the tools. You can bet that facebook knows this too well.

    • JJ

      yeah notice how its a tool to view all the data they collect and not a tool to delete that data

  • oompah

    FACEBOOK == FBI And CIA Ebook on ur life

  • Nick Dauchot

    Talk is cheap

  • I don’t see a positive ending. Oculus is Facebook and Facebook is a company that lives by getting our data. So…