Despite Facebook’s repeated data lapses over the years, Zuckerberg said during his company’s Connect event on Thursday that he’s taking a thoughtful approach to privacy as he attempts to build the immersive, virtual world for users known as the metaverse.

“Interoperability, open standards, privacy, and safety need to be built into the metaverse from day one,” Zuckerberg said. “And with all the novel technologies that are being developed, everyone who’s building for the metaverse should be focused on building responsibly from the beginning.”

Facebook is no stranger to controversy when it comes to data privacy. Since its founding in 2004, the company has made numerous data blunders, the most high-profile being the Cambridge Analytica scandal of 2018 in which a rogue researcher improperly accessed user data and then sold it to a political consulting firm. 

In a settlement with the Federal Trade Commission over the matter, Facebook paid $5 billion and promised to improve user data privacy. In 2020, Facebook paid another $550 million to settle a privacy lawsuit involving allegations that the company violated an Illinois state law that requires companies to get permission from users to store their biometric data, which include data that links faces to individual identities.

More recently in April of this year, Facebook data that included the full names, locations, email addresses, and relationship status of over half-a-billion of its users was leaked online.

Although the metaverse is still in its infancy, Meta, as Facebook’s parent company is now called, is spending billions of dollars on technologies like virtual and augmented reality that would power the new online universe, if and when it’s developed. 

Marcus Carter, a senior lecturer in digital cultures at the University of Sydney, voiced his concerns about data privacy in Facebook’s metaverse on Friday, saying, “Facebook’s VR push is about data, not gaming.” 

“Metaverse technologies like VR and AR are perhaps the most data-extractive digital sensors we’re likely to invite into our homes in the next decade,” Carter said. 

He added that some of the user data that Facebook can track in VR includes information about how people move in virtual environments. This VR movement data “can be used to identify you, like a fingerprint,” he said.

Indeed, Meta is already collecting huge amounts of user data through its existing virtual reality products, including people’s physical features like an estimate of their hand size, the digital objects and audio they create in VR, and information from third-party VR developers about users.

Zuckerberg said his company is working with outside experts to ensure future metaverse products are designed “for safety and privacy and inclusion.” Still, even though privacy experts may have recommendations, Zuckerberg has the ultimate say on whether to act on them.

Civil rights group Access Now, for instance, said it consulted with Facebook about the smart sunglasses the company developed in partnership with Ray-Ban. But the social networking giant ignored the group’s top recommendation, which was to prioritize “alerting bystanders that they are being recorded” by the glasses.

Access Now was concerned that the small white light on the rim of the glasses that activates during filming was easy to miss. Facebook rejected that concern.  

All that people have is Zuckerberg’s word that his company will develop the metaverse while prioritizing privacy, security, and other values considered important.

But if Zuckerberg ends up creating his metaverse, he’ll have the final say on what’s worth prioritizing. History tells us that data privacy may not be high on his priority list.