Whether you are creating new virtual worlds, realities or universes, the digital assets that populate them, or the infrastructure that enable individuals to interact and transact in them, there are numerous legal issues that you may have to navigate. Here are four potential pitfalls that creators of and in the metaverse should avoid.

  1. Foregoing Legally Enforceable Contracts. Relying on smart contracts, dapps and other programs exclusively expressed in code to govern transactions between parties can be efficient but may also leave a party with little recourse if they were treated unfairly. Establishing clear terms governing sales, services, IP rights, voting rights and other important matters in plain language helps to avoid costly disputes and facilitate access to real-world mechanisms to enforce your rights. For example, being unclear about whether the sale of a non-fungible token (NFT) includes the assignment of copyright in the work associated with the NFT may result in misunderstandings. As another example, virtual world creators can mitigate liability associated with changing or disabling elements of their creations by making it clear in contracts that they can do so at their sole discretion where permitted by law. Contracts should also be precise in their terminology. For instance, some people use the term NFT to mean only the token—i.e., a non-interchangeable unit of data stored on a blockchain—while others use the term to mean both the token and the digital work with which it is associated. A written contract should address this ambiguity. Smart contracts can help to give effect to provisions of a written contract, such as by automatically turning off subscription services if payments stop. But executing a clear and precise written contract wherever possible is an advisable step for creators transacting in good faith.
  2. Not Taking Advantage of Established Property Rights Regimes. Having the legally enforceable right to do something with respect to a particular asset is what gives rise to the concept of property. Otherwise, “owning” certain “property” is not meaningful in a legal sense. If you create digital works, you may be eligible to own and exploit valuable copyrights, design, trademark, contractual and other proprietary rights, and you should take steps to perfect and protect those rights, including by registering them with government agencies, being careful about what IP rights you are licensing or giving away when you monetize your works, and taking action against infringements. If you create a virtual world in which third-party creators can display or sell their works, you should impose terms on them to protect yourself in case they infringe others’ IP rights, and implement additional measures to protect yourself from contributory liability. For example, the U.S. Digital Millennium Copyright Act (DMCA) establishes a safe harbor for providers that passively host user-generated content that infringes third-party copyrights, as long as the provider administers a DMCA-compliant notice-and-takedown procedure and takes other prescribed steps. U.S. case law has also established that a repeat infringer policy for counterfeit works may be necessary for a marketplace operator to avoid contributory trademark infringement liability.
  3. Ignoring Laws that Prohibit Certain Content and Activities. Laws around the world impose criminal and civil liability on people participating in proscribed activities even if they take place online. An obvious but important example is the production and dissemination of child sexual abuse material (CSAM). If you operate a virtual world and discover CSAM on your services, you may be subject to mandatory reporting requirements around the world, and must have a way to block access to such materials. Another example is that generating NFTs or other virtual assets associated with brands, music, videos or other content that you do not own or have permission to exploit can expose you to significant liability. Although interactive computer services providers in the U.S. are generally immune to liability associated with hosting and moderating content exclusively created or developed by third parties, this immunity is subject to significant exceptions, including with respect to violations of U.S. federal laws and IP infringements. Thus, for example, a platform provider would generally not be able to rely on this immunity to dismiss a claim that it abetted the commission of a criminal offense by knowingly disseminating user-generated content that violates a federal criminal statute. Creators of virtual worlds should therefore generally retain the ability to expeditiously restrict prohibited conduct and content (which may require specific technical measures given the immutable nature of on-chain data) and terminate the accounts of violators.
  4. Considering Privacy Too Late. Mobile and virtual/augmented reality interfaces allow for the online collection and use of extensive sets of personal data, and public blockchains record data immutably to a distributed ledger accessible to virtually anyone with an internet connection. Creators of virtual worlds who leverage these technologies should design their services from the outset in ways that address applicable data privacy, security and government access laws. You may be able to track and record a user’s behaviors, actions and communications in a virtual environment, and you may have legitimate reasons to do so such as to protect against objectionable content and conduct, but how can you design your systems to minimize privacy violations? How will you ensure that you can respond to users who exercise their rights under applicable privacy laws to obtain copies of the personal data you control about them, port that data to an alternative system, or delete their personal data from your virtual world? What notice and consent mechanisms should and must you implement to ensure that users understand and can control how their personal data will be processed in your virtual world? What assistance can and must you provide to law enforcement authorities who ask or order you to produce data relevant to a criminal investigation? Adherence to the principles of data protection by design and default, which are codified in the EU and UK General Data Protection Regulation (GDPR) and ISO 27701, entails asking these types of questions early and often, proactively designing features to protect users’ privacy, and, by default, only processing personal data that is necessary, and only to the extent necessary, to fulfil the purposes of your offering.

There is exciting work being done to create new and imaginative worlds, communities and experiences in the metaverse. The explosive growth of interest and investment in Web3 will also inevitably lead to disputes among parties and increased regulatory attention. Those working to build the metaverse should take steps to avoid the pitfalls listed above, and examine other legal issues that may apply to their specific activities.


Jonathan Tam is a licensed attorney in California and Ontario. He focuses on privacy, advertising, intellectual property, content moderation and consumer protection laws. He is passionate about helping clients achieve their commercial objectives while managing legal risks associated with activities involving data, information technology and media. Jonathan regularly writes about information technology and privacy, and is the Vice Chair of the Cybersecurity and Privacy Law Section of the Bar Association of San Francisco. He has completed secondments at a global payment services provider based in London, England and a world-leading tech company based in Silicon Valley. He joined Baker McKenzie as a summer associate in 2012 and has also worked in the Firm's Toronto office.