Mitigating Privacy Harms from Deceptive Design in Virtual Reality

Abstract

This report was prepared as a final project report in response to the Office of the Privacy Commissioner of Canada Contributions Program 2024-25.

This research investigates deceptive design in Virtual Reality (VR) environments and its impact on user privacy. The research team at the University of Waterloo conducted an autoethnographic evaluation of 12 top-rated VR applications to analyze deceptive design patterns in their privacy communication and interaction mechanisms. The findings reveal 14 distinct deceptive design patterns and demonstrate how deceptive tactics in traditional web and mobile environments are being adapted to immersive environments. While many of these patterns still heavily rely on 2D interfaces elements, VR’s spatial, immersive, and multi-sensory features amplify their impact and increased the privacy risks for users. The VR applications’ convoluted privacy policies and consent mechanisms further hinder user comprehension on the data practices. Through the evaluation, the team also identified 7 exemplary privacy-enhancing design strategies, which can serve as a foundation for improved implementation of privacy mechanisms in VR environments.

To assess user perceptions of these deceptive design patterns, the team surveyed 424 users of the selected VR applications. The findings indicate that while users felt the manipulative influences and expressed discomfort, they often resign themselves to accepting privacyinvasive options and viewing such design as “typical” or “inevitable” across both VR and nonVR platforms. Their repetitive exposure to such design in mobile and web environments fostered a false sense of normalcy, and eroded user resistance to manipulation.

This research provides valuable insights for VR developers, designers, policymakers, and researchers on creating privacy-preserving VR experiences and developing clearer, more ethical privacy policies in this rapidly evolving field.