Even though the Metaverse of science fiction is not yet a reality, it is possible to catch a glimpse of what it might look like. Several companies and platforms are currently developing their own versions of how the Metaverse will look in the not-so-distant future. The current vision of the Metaverse, however, does not encompass software alone. Many companies are complementing their Metaverse projects with Virtual and Augmented Reality devices such as headsets and glasses. In this vein, one of the latest technological advancements in virtual and augmented reality devices has been the introduction of eye-tracking technology. When new and additional kinds of data are processed, though, new risks for data protection might arise. While there is already an incipient stream of scholarship that analyses the risks that eye-tracking devices might entail for privacy, that literature mostly focuses on the technical side. To date, no scholarship has examined such devices from a legal perspective, and particularly through a data protection lens.
This paper discusses the compatibility of eye-tracking devices for virtual and augmented reality environments with the European Union General Data Protection Regulation (GDPR). Since the GDPR is considered a worldwide role model in terms of fundamental rights protection, assessing such devices against one of the strictest data protection regimes puts their compatibility to the hardest test. The paper does so by analysing the state of the art of the technology, its use in headsets and glasses for virtual and augmented reality Metaverse environments, and the potential risks that such use might entail for data protection. Those risks are then assessed against the relevant applicable provisions of the GDPR.