Oculus Rift's privacy policy says it's not liable if it's hacked

The company's privacy policy also permits the company to terminate the service of any account at any time for any reason, turning the $599 device into an expensive paperweight.
Written by Zack Whittaker, Contributor

There's a steep price to pay for jumping into the Oculus Rift virtual reality world.

The virtual reality company, which Facebook bought in March 2014 and which launched its latest Rift headset only a few days ago, has drawn ire from some over its terms of service and its privacy policy, which some have argued are overly broad.

Almost every product and service comes with rules and regulations that you agree to prior to using it. But virtual reality is a relatively new concept in the tech world.

Given that Oculus is thought to be the leader in the virtual reality space, it hasn't done a great job of it so far.

Dig around into the legalese and there are some troubling details you have to agree to before you're allowed to use the device.

By far the most troubling section of the privacy policy is that Oculus washes its hands of any responsibility if it gets hacked or loses your data.

The policy says in point 6:

"Please note that no data transmission or storage can be guaranteed to be 100% secure. As a result, while we strive to protect the information we maintain, we cannot guarantee or warrant the security of any information you disclose or transmit to our Services and cannot be responsible for the theft, destruction, or inadvertent disclosure of information."

Hong Kong-based toymaker VTech, which was hacked last year, leaving the data of millions of children and parents exposed, was criticized for including similar language in its new terms of service following the recovery of its systems.

Given how much data the company collects on its users, such a policy could be problematic.

The policy says it will collect identifiable information, such as your IP address and other device identifiers to determine who you are, along with your GPS location and other data. But it goes a step further by saying the company will also collect "information about your physical movements and dimensions when you use a virtual reality headset."

What's Oculus doing with that data? It's handing it to Facebook, which uses it for advertising.

From point 2 of the privacy policy:

"We use the information we collect to send you promotional messages and content and otherwise market to you on and off our Services. We also use this information to measure how users respond to our marketing efforts."

Put the identifiable information together and you've got a system that allows Facebook to uniquely identify users on individual devices and build up advertising profiles.

And not just that: the data will be shared with Facebook's "related companies," such as WhatsApp and Instagram, but also with its marketing and advertising companies, LiveRail and Atlas.

Facebook makes more than 95 percent of its revenue from advertising, so it's not all that surprising that the company is aiming to expand that effort. The virtual reality device is always on, so it's collecting data even when you're not using it. That leaves open the possibility of abuse.

And if at any point Oculus or Facebook doesn't like what users are doing with its service, it can cut off its users, for any given reason -- effectively turning your $599 virtual reality headset into an expensive paperweight.

Facebook did not respond to a request for comment.
