Oculus is complying with the EU’s new data protection rules with more detailed policies and a “privacy center” where users can check the data Oculus has collected about them. The Facebook-owned virtual reality company announced the news today, but its updates will take a little longer. “My Privacy Center” will launch on May 20th, and the new terms of service will be published on April 20th, but take effect on May 20th. Oculus will also expand its terms of service to cover augmented reality — a field that Facebook has openly explored, but that Oculus hasn’t so far.
Many companies are adapting to the upcoming General Data Protection Regulation launch, which requires them to set a higher standard for collecting personal information. The privacy center is a direct response to GDPR, but most of Oculus’ changes are just tweaks to how it explains and organizes rules. “Our practices are not changing with respect to how we use data today. We are just including more transparency,” says Oculus associate general counsel Jenny Hall. For instance, Oculus is adding its existing code of conduct to the official terms of service, “to provide increased visibility of our commitment to create a safe VR environment for all people.”
“We’re trying to follow that principle of only collecting data that we think is necessary for a good VR experience.”
In a list of frequently asked questions, Oculus reiterated a few of its policy stances, including the claim that it doesn’t share data with Facebook for third-party ad targeting. Oculus doesn’t explicitly rule out such sharing in the future, and product lead Max Cohen says that “there is a time at some point in the future where ads in VR will likely make sense.” (HTC already has a VR ad service for its Vive headset.) But “it’s not on our near-term road map, we’re not having any discussions about that, we don’t know when we would start,” says Cohen. “It’s really just not something that we’re looking to do.”
Oculus has also gone into more detail about how physical movement data is collected and stored. Cohen says the company samples headset wearers’ positions once a minute, aggregates and deidentifies that data, and tells developers how much play space the average user takes up. Oculus also asks for players’ height but says this data is only stored locally on your computer, not on Oculus’ servers. Consequently, no movement data is available for download through My Privacy Center.
Oculus says it shares “limited information” with Facebook, including information about accounts that are flagged for spam and abuse. According to Hall, that might include something like Oculus identifying a would-be hacker through their IP address or other tools, then telling Facebook what it’s found.
Facebook has spent several weeks under fire for letting data mining firm Cambridge Analytica collect user information, and some of that scrutiny has fallen on Oculus. The company responded to some questions from The Verge earlier this month, but it’s now making its current privacy stance a little more obvious.
As we heard before, Oculus doesn’t have a strict policy declaring what it might collect in the future. But Cohen says Oculus will follow the spirit of the current policy, even if specific details change. “We have a responsibility to be very transparent about when we collect data and what we’re doing with it. If we were to violate those principles, it would come at a heavy cost,” he says. “We’re trying to follow that principle of only collecting data that we think is necessary for a good VR experience, and I will commit to that principle not changing.”