Oculus implements its own GDPR-compliant privacy controls

While Facebook is still struggling to regain user trust following a data fiasco that ultimately brought Zuckerberg to testify in front of Congress, the company still has plenty to do to ready itself for GDPR and appease EU lawmakers. This includes making sure that everything is up to snuff at its virtual reality company, Oculus.

The VR company announced today that it will begin rolling out changes, including a user-facing Privacy Center, an updated Terms of Service with a Code of Conduct to ensure that VR users operate in a safe environment.

The Oculus “My Privacy Center” feature will launch next month on May 20, and will allow users to take a look at the data that Oculus has on them while managing preferences. Users notably won’t be able to see anonymized data that Oculus collects, which includes the in-VR movements that users make with their headsets and controllers. Data also not available for download includes stuff that’s only stored on your device and data like your credit card info that they keep stored securely.

The Code of Conduct forbids users from accessing or promoting sexually explicit content, using hateful or racially offensive language, promoting illegal activities, or harassing other users. Here’s the full thing:

  • You may not use or promote sexually explicit, abusive or obscene content.

  • You may not use or promote language or content that would qualify as hateful or racially offensive. We don’t allow content that attacks people based on race, ethnicity, nationality, religious affiliation, sexual orientation, sex, gender, gender identity, diseases or disability.

  • You may not harass, bully, threaten other users, or encourage other users to do so.

  • You may not encourage, celebrate or promote real-world violence.

  • You may not encourage or promote illegal activity.

  • You may not impersonate an Oculus employee, partner, representative, other real person or encourage other users to do so.

Today, the company posted a blog seeking to answer a few questions ahead of launching the new ToS tomorrow.

On the user privacy front, few things have made Oculus users more antsy than the belief that the company was using the rich data it gathered, including data related to how users physically moved their bodes while inside VR, to help Facebook target advertisements to users. In the company’s blog post discussing these changes, they deny this outright early-on.

We don’t share data with Facebook that would allow third parties to target advertisements based on your use of the Oculus Platform.

While this hardly stresses a long-term commitment to carrying this out, for the time being, advertisers won’t get data related to user’s VR habits while they’re using Oculus platforms. This may not necessarily be the case with VR efforts built wholly beneath the Facebook platform like their social app Spaces.

How and why Oculus collects this movement data in the first place was also addressed, with the company stressing that this data is now de-identified and can not be associated with user accounts.

We collect the necessary movement and environment data required to deliver an immersive VR experience that is safe, comfortable, and seamless across apps. This could include the gestures you make with controllers or changes in your orientation, as well as the Guardian play space boundaries you provide us with. For example, in an app that lets you view 360° videos, the app needs to know which direction you’re facing in order to ensure the best possible viewing experience. Once this data is processed for its express purpose (ie: to make the app work), it’s de-identified in our systems and not associated with your account.

While the value of Facebook’s user data has been abundantly clear, Oculus is far more focused on ensuring that people actually start using VR in the first place, rather than quickly building out a virtual reality ads business. As such, their updated Terms of Service is likely to be less controversial than what’s found in Facebook’s implementation of GDPR-compliant policies.

Nevertheless, for a parent company that has repeatedly had to put to rest that it’s not listening to users via their device’s microphones, a platform ripe for dystopia like VR is undoubtedly going to gather more user paranoia as it grows in popularity, and thus more need for the company to transparently communicate what data it does and does not collect. And while it’s easy to see why certain permissions might be needed for an app to function, the important thing is ensuring that parties with access aren’t abusing their access.

The company’s “My Privacy Center” sounds like a government-mandated step in the right direction, but as always, it’s best to be skeptical and see where it moves from here.