ZACH GREGG—In early February, Facebook’s parent company Meta Platforms, Inc. (“Meta”) suffered the worst single-day crash in stock market history. The price of the company’s shares declined twenty-six percent, wiping out an unprecedented $250 billion from the tech conglomerate’s market value. Meta’s plummet is partially attributable to its underwhelming year-end earnings report, which the company blamed on “headwinds from platform and regulatory changes.”
The cited regulatory winds have largely been gusting from the European Union (“EU”), where the General Data Protection Regulation (“GDPR”) imposes rigorous compliance obligations on companies that target or collect online data from European citizens. Following GDPR criteria, the U.S. and EU had been operating under an agreement known as the Privacy Shield, a framework that allowed U.S. organizations to legally transfer EU residents’ personal data stateside. But in July 2020, the EU’s highest court struck down the Privacy Shield, reasoning that U.S. law would not adequately protect Europe’s consumer data. The Privacy Shield’s fate mirrored its predecessor, known as the Safe Harbor, which was quashed for similar reasons in 2015 after facilitating data transfer for over a decade. To fill the hole left by the Privacy Shield, the EU Parliament is currently in the process of approving the Digital Services Act, a sprawling regulation that would create even tighter restrictions on tech companies and data-related practices in Europe. Though companies have found temporary workarounds, Meta stated that, with rising compliance costs posed by the incoming Act, and the lack of any cross-border data transfer mechanism, it may need to withdraw its most popular apps from the EU.
In the U.S.––where a patchwork of sector-specific laws protect consumer information far less strictly than in the EU and other developed nations––similar data privacy “headwinds” have long been brewing. State legislatures have increasingly focused on online privacy in recent years, and 2021 saw more states pass privacy-related bills and tackle novel issues surrounding biometric information such as facial recognition and fingerprinting. Many pushing for stronger safeguards hope for a uniform federal regime, and while Congressional efforts have been repeatedly unsuccessful, the momentum on Capitol Hill suggests that it may be just a matter of time before the U.S. passes federal data privacy legislation. The FTC recommended a federal approach back in 2020, and recently heightened requirements around handling of consumer financial information. In January, the U.S. Chamber of Commerce, along with numerous national and state business associations, urged Congress “to pass bipartisan and durable national data protection legislation.” Weeks later, several congressional committee leaders similarly called on President Biden “to commit to doing what more than 100 countries have already done: establish a baseline privacy law in the United States.”
Compounding the governmental pressure, internal policies adopted by Apple and Google have stifled the targeted advertising engines that drive Facebook and ad-tech peers like Twitter, YouTube, and Snap. In April 2021, Apple introduced its App Tracking Transparency Policy, which allows users to block apps from monitoring their iPhone activity. A large majority of users opted for the enhanced privacy feature, and Meta executives stated that the dearth of user data not only contributed to last year’s lackluster performance, but also threatens to cause an anticipated $10 billion revenue loss in 2022––a large factor in Meta’s market fall. Twisting the knife, Google announced in mid-February that it would follow Apple’s lead by adding similar opt-out features for Android users.
Meta’s bet-the-company investment in helming the metaverse also contributed to the skittish reaction on Wall Street. Reality Labs––the arm of Meta building its metaverse technology––burned over $10 billion last year and more than $3 billion in the fourth quarter alone. The metaverse is slated as an immersive, interconnected, and perpetually-existing 3-D virtual world that combines the Internet with virtual-reality technologies. Users, embodied by individualized avatars, will be able to work, play, and participate in a full-blown second economy. While still largely speculative, mainstream companies are getting serious about this once-fringe idea. Nike, Walmart, McDonald’s and other heavyweight brands have been filing trademarks for NFTs and virtual products, eyeing a radically new metaverse retail market. Investors, real estate agents, and celebrities are purchasing nonphysical land in what can be described as a “metaverse real estate boom.” Venture capital firms are funneling billions into the fledgling industry, and reputable investment banks predict a $1 trillion annual opportunity in the space.
The budding interest in the metaverse from companies and investors, against the ever-growing attention to digital privacy from U.S. lawmakers, signals an impending clash between the nascent technology and data privacy efforts. A fully-realized metaverse promises massive prospects for the data economy, but also presents unique consumer privacy concerns, and Meta’s grand vision for the future is already receiving the same pushback hampering its current business.
Even in the present reality, advocates point to rampant data breaches by large corporations, U.S. government agencies, and hackers, as well as invasive data-collection practices that exploit consumers’ sensitive information. But in the metaverse, these problems may be exacerbated. Commentators have speculated about the myriad of new, uniquely intimate data sources that could be snagged from users as the technology evolves. Those with access to the metaverse infrastructure could collect swaths of biometric information and monitor physiological reactions like eye movements, facial expressions, blood pressure, heart rates, breathing rates, and pupil dilation––all valuable data for marketers who may want to tweak their messaging in real time. Critics further highlight that metaverse-related technologies will introduce more sensors into users’ homes, and even full-blown brain-reading may be on the table in the future.
It is unclear whether the metaverse will develop into all it is cracked up to be; even if it does, a truly transformative version is several years away. But in a privately-owned, immersive, and addictive environment that offers unparalleled data-harvesting opportunities, whether, when, and to what extent the U.S. will recalibrate its lax data privacy approach remain critical questions as the metaverse comes to fruition.