Meta Quest virtual reality headsets can put your personal data at risk

Virtual reality headsets and apps collect highly sensitive personal data, and the more that data is collected and stored, the more it’s at risk of getting into the wrong hands.

PIRG staff | TPIN
The Meta Quest 3 headset has 6 external facing cameras, 4 of which you can see here.

Take Action

When you see another story about a big data breach, you might expect that your own personal data, such as your name, email or even password, has been exposed. 

But if you own a virtual reality headset such as the Meta Quest 3, a data breach could expose much more (and more personal) information about you, such as the layout of your home, recordings of your voice or even your body movements. 

With the advent of new technology comes new risks — and companies that sell virtual reality headsets like Meta should take steps to protect users of their latest products.

A recent report from PIRG Education Fund finds that virtual reality (VR) headsets, such as Meta’s popular Quest 3, can collect a lot more data than we’re used to, potentially putting it at risk.

Meta Quest VR headsets can collect highly sensitive personal data

Meta Quest headsets include sensors, microphones and cameras. These features help bring VR to life, but they also enable a lot of data collection. 

That includes audio data, such as voice recordings or background sounds in your home, as well as a lot of visual data. 

VR headsets — especially those designed for mixed reality use, like Meta’s Quest 3 — can have outward-facing cameras that gather data like the dimensions of the room you’re playing in and the placement of your furniture. In the wrong hands, this data can reveal everything from where your family shops to how much money you have.

Quest’s cameras and sensors also collect data about how you move your body in order to translate your actual body movements to allow your avatar to move the same way in the virtual world. That body movement data can be revealing.

One study found that just a few minutes of movement data collected through a VR escape room game gave researchers enough information to infer a player’s geolocation, age, relative fitness level, and physical or mental disabilities. 

It would be easy for malicious actors to set up an innocent-looking VR game to harvest user data. And, given that there are practically no laws regulating how companies use player data, users should be aware of how their sensitive personal data may be used legally before purchasing a VR headset.

Third-party apps can collect your personal data, too

Just like apps on your phone or tablet, Meta’s VR app store offers a lot of third-party apps to choose from — and each one you download can collect and store your personal data.

Rec Room is a free and popular app available in the app store. Its privacy policy states that it may collect “your first, middle and last name, email address, username, mailing address, Social Security number or employer identification number, telephone number, IP address, or display name,” among other things. That’s a lot of personal information!

The more apps you download, the more times your personal data is being collected and stored. You need to review each VR app’s privacy policy to know what data will be gathered, and each app will have plenty of fine print. Each app will likely have its own privacy settings as well, which you’ll need to check and update individually.

The more your personal data is collected, the more it’s at risk

When apps gather our personal data and sell or share it with other companies, it increases the odds that our data will be exposed in a breach or a hack. 

That can put you at risk of being targeted with scams, fraud or identity theft, and it can even pose immediate safety concerns if your location data is exposed. 

And as technology grows more sophisticated, so do scams. Companies that collect, store and use your voice data can put you at risk of being the victim of a “deepfake” voice scam.

PIRG is working to get better protections on the books. 

Tell Meta to protect its youngest users

Meta recently lowered the recommended age for its Quest 3 headsets to 10 years old in a push to win a younger market. That means kids’ personal data is also collected and put at risk by these headsets, but that’s not the only danger.

While kids’ accounts offer increased parental controls, PIRG Education Fund’s researchers found that young users can be exposed to inappropriate content, violent content and hate speech. Meta has also yet to release any testing proving that VR technology and content is safe for children in the first place.

You can read more about the risks VR poses to young users, and join our call on Meta not to push VR headsets onto kids until they’re proven safe.


R.J. Cross

Director, Don't Sell My Data Campaign, PIRG

R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, consumer debt and predatory auto lending, and has testified before Congress. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder. Though she lives in Boston, she will always consider herself a Kansan at heart.