Virtual and augmented reality: what are the legal issues?
10th October 2018
In this article, we explore the growing trend of virtual and augmented reality technologies and examine how this technology may develop while highlighting some of the legal issues that developers and users should consider.
It has been estimated that the virtual and augmented reality markets will generate revenue of over $162 billion in 20201 and it is expected that 24 million devices will be sold in 20182. Growth is expected to reach an average of 181% with Europe being the main contributing market along with North America and Asia3.
Most of us have heard of virtual reality (“VR”) and have an idea of how it works, with devices such as Oculus Rift, and the lower tech Google Cardboard, hitting the market and allowing users to immerse themselves in a 3D, simulated environment. VR can be delivered to the user through a multitude of equipment, including headsets, handsets/gloves and dynamic platforms. VR allows the user to “interact” with its environment, responding to the user’s movements (for example, changing vision perspective when the user “moves” within the VR system). It has the potential to be used in a vast range of media forms, be it computer gaming, film/television, or industry training. It is predicted by some to be the next mass medium, and has huge potential. As bandwidth improves, companies will be able to deliver immersive content to mobile headsets, paving the way for VR applications that are not tied to a physical location.
One of the appeals of media is that it can facilitate social interaction; be it going to the cinema with friends, or indulging in back-to-back episodes of TV shows with family. However, current VR solutions have significant draw backs in that they offer a solo experience for the person wearing the headset. If VR solutions are to be truly successful, they will have to offer solutions that allow groups/families to enjoy VR together. Content owners also see VR as a fantastic way to introduce content to younger audiences, for example by being able to use existing content to build new VR content. This has huge potential to be the next “big thing”, drawing younger audiences away from the current trends in social media. This is a prized market and VR providers will need to fight to ensure that they are current and “on trend” to keep the attention of this fast-paced media market.
Augmented reality (“AR”) is more of an unknown entity. AR allows a computer generated image to be superimposed on to the user’s own real-world view. Think Terminator vision, or its real-world equivalent, smart glasses like Google Glass and Snapchat’s Spectacles, or camera effects like the Facebook Camera Effects Platform and Apple’s ARKit4.
Both AR and VR technologies immerse the user in an altered reality, but in different ways. AR users continue to be in touch with their real-world surroundings whilst interacting with virtual objects, but VR users are isolated from the real world and immersed in a virtual one.
Last year, many of us became part of the AR trend by downloading the Pokémon Go app. The app received 900,000 downloads on its first day alone5. It allows users to catch Pokémon as they pop up in the user’s path as overlaid on a map of your real-world whereabouts.
AR and VR technologies are already in use in the aerospace, education, healthcare and advertising sectors with uses ranging from ground breaking PTSD and stroke treatments to using smart glasses in automotive manufacturing. Goldman Sachs has predicted that the markets most likely to first be disrupted by AR/VR technology are real estate, retail and healthcare6. With the wide spectrum of industries that the technology can be used in, and the speed with which it is evolving, AR and VR are now being seen as “natural extensions of business strategies with digital technology at their core”7.
As with all exciting new technologies, there are legal boundaries to be explored.
With new devices come new vulnerabilities to hacking and cyber-attack, particularly where a user may have used a work device to download the latest AR game app and his/her device is synced to a smart watch or PC. This could result in hackers gaining access to not only a number of devices owned by one user, but potentially devices owned by the user’s employer and creating vulnerability in the network. Interestingly, despite the apparent security risks involved, only 36% of consumers in a recent survey said they had concerns over security when purchasing equipment.8 It is likely that VR/AR devices will experience similar reductions in costs that smartphones and computers have seen, with prices likely to fall up to 5-10% per annum.9 This is likely to encourage wider adoption.
Many gaming apps require a user to verify their details by linking to a social media account and this again leaves users open to malicious use of their personal information if adequate security measures are not taken by developers to ensure that information is encrypted.
AR devices and applications in particular, can make use of a user’s GPS, microphone and camera; the importance lies in striking a balance between access for functionality of the application and the risk of the access to this data being misused.
As AR apps develop, interactions may move from using a click or touchscreen to facial or voice recognition. This could be particularly high risk where the AR system is able to run simultaneously with other applications meaning that the voice or camera input could be stolen by another compromised application and used maliciously.
Cyber-attacks are becoming more commonplace and attract a large amount of media attention. Not only would this have ramifications in relation to the potential harm caused to users, but it would also severely damage reputations, perhaps irreparably. Businesses should keep a constant vigilant watch on security surrounding their use of VR and AR (and for that matter any other technology they use), as the damage caused by any breach in security could be insurmountable.
Interestingly, despite the apparent security risks involved, only 36% of consumers in a recent survey said they had concerns over security when purchasing equipment.
Unsurprisingly, AR and VR involve the processing of personal data about their users – whether their location, IP addresses, images of them or others around them or other information about their activities in the app or on their connected social media accounts. The Internet of Things is becoming more and more prevalent in our everyday lives, and wearable VR/AR is poised to become an important participant in this. Interacting seamlessly with other screens and devices and creating ever-more personalised experiences for their owners, the technology has the potential to appeal to audiences in working with their current devices and targeting their specific preferences. Customisable viewing options will open up new opportunities for companies to be able to leverage personalised data to hyper-target their content, advertising and brands. With personal data becoming more and more valuable to businesses, giving them the ability to use algorithms to predict customer requirements and patterns of behaviour, this could have unbridled potential. This data can include things like purchasing habits, viewing preferences and personal networks. A number of AR and VR apps also focus on shared experiences, adding a further level of data sharing concerns.10 Developers must be mindful to comply with the applicable data protection laws where the information they process or collect relate to an identifiable person.
Whilst the Data Protection Act 1998 already governs strictly the way that this information can be used, and what information must be given to users, the General Data Protection Regulation, coming into force in May 2018, is even clearer that users need to be fully informed.
It is vital that developers make users aware of what personal data is being collected or processed and how it may be used or shared in order to be compliant with data protection law. It will also be important for developers to ensure they have incorporated privacy by default and privacy by design, as required by the GDPR. This means thinking carefully about the impact on users whilst embracing the exciting new things that you can do.
Developers – and others – can learn a lot about users, and the desire to combine this information with other information known about them or other related analytics can be very appealing. The apps may be frequently open and in use, allowing developers to get a real insight as to the activities of users in time and space. There is a word of caution however – the GDPR brings in additional requirements when large scale monitoring of individuals, or profiling is taking place. Just because you have all of this information doesn’t mean that you can use it. And be careful about sharing personal data – you are responsible for making sure that you have all the legal rights to pass that data on, and if not, you will be responsible for what happens to it once it has left your hands.
Finally, to the extent that developers require consent to process the data they are gathering through their app, they will need to be smart. How do you know whose consent you need? Multiple users may use one app, and indeed to the extent that images can be taken, stored and even manipulated, those images may be of third parties who would never be asked for their consent.
The penalties under the existing regime for non-compliance include a fine of up to £500,000. There could also be severe impacts on the business’ reputation, customer base and share price where there is a data breach. Under the GDPR this increases substantially – up to €20million or 4% of worldwide annual turnover. Brexit or no Brexit, the GDPR is going to come into force in the UK in May 2018, and so it’s worth making sure your product is compliant.
When developers incorporate music, images, logos or trademarks into VR or AR apps the real world trademark and copyright laws will apply and developers will have to ensure that they seek the relevant permissions and licences to do so.
Another issue to consider is where the ownership of intellectual property rights will lie where users have created images or content within the app.
AR and VR technologies have the potential to significantly benefit users whether in a work or leisure setting and will become ever more prevalent in all walks of life over the coming years.
Many businesses will crave cost-effective solutions, such as a VR version of a supermarket for customers to use in online shopping, or VR viewings of houses for sale, hotels, holiday resorts and museums. They could create safer working environments, with more realistic training before entering dangerous work environments. The list is potentially endless.
They also have significant potential for general business use; for example once VR and AR solutions become refined and cost effective, they could potentially be used for meetings where attendees are based in different locations across the globe, but feel as though they are sat around the same table.
It is important that developers aim to limit their access to the data required to allow the technology to properly function, only retain data for as long as is necessary and to make users aware of what data is being accessed by providing clear terms and conditions of use.
For more information about virtual or augmented reality and the issues relating to you business please contact Gayle McFarlane.
 International Data Corporation http://www.idc.com/getdoc.jsp