AI-powered augmented reality (AR), virtual reality (VR), and extended reality (XR) systems represent one of the most data-intensive technology categories in enterprise use. Unlike traditional software that processes text, images, or structured data, immersive AI systems collect continuous streams of biometric and behavioural information: eye movements, facial expressions, hand gestures, body posture, room geometry, voice characteristics, and in some cases physiological indicators like heart rate and galvanic skin response. This data is processed in real time by AI models that adapt the experience, track attention, assess engagement, and in workplace contexts, evaluate performance. The governance challenge is that most of this data qualifies as sensitive personal data under privacy law, and most organisations deploying these systems have not built governance frameworks that account for the volume, sensitivity, and continuous nature of what is being collected.
What AR/VR systems actually collect
Eye tracking data reveals not just what a user looks at but cognitive load, interest, fatigue, and in some research contexts, indicators of neurological conditions. Facial expression analysis can infer emotional states. Hand and body tracking captures movement patterns that may constitute biometric data. Room mapping and spatial data captures the physical environment, potentially including other people present. Voice data captures speech patterns, accent, and emotional tone. When AI processes these data streams together, the composite profile is far more revealing than any individual data type.
Regulatory landscape
Under GDPR, biometric data processed for the purpose of uniquely identifying a natural person is a special category of data requiring explicit consent or another Article 9 basis. The EU AI Act classifies real-time biometric identification systems in publicly accessible spaces as prohibited AI practices (Article 5). AR glasses with AI-powered facial recognition used in public contexts may fall within this prohibition. The EU AI Act also classifies emotion recognition systems in workplace and education contexts as high-risk, directly affecting AR/VR training and assessment applications.
In the United States, Illinois BIPA (Biometric Information Privacy Act) requires informed written consent before collecting biometric identifiers. The CCPA/CPRA classifies biometric information as sensitive personal information with enhanced protections. Critically, as of 2026, Connecticut, Colorado, California, and Minnesota have enacted laws that specifically protect neural data (information derived from the nervous system), which extends to XR devices that collect brainwave, EEG, or nervous system data. Additional neural data bills are active in Virginia, Alabama, New York, and Illinois.
Australia's Privacy Act applies to biometric information as sensitive information under APP 3, requiring consent for collection. The OAIC has indicated that continuous collection of biometric data by AI systems must meet the necessity and proportionality requirements.
The bystander privacy problem
AR devices worn in shared spaces, such as offices, public areas, and retail environments, passively capture data from people who have not consented to any data collection. An employee wearing AR glasses in a meeting captures facial data, voice data, and potentially biometric identifiers of every other person present. This creates a governance challenge that traditional consent models cannot solve, because the data subjects are not the device users. Organisations deploying AR in shared spaces need policies that address notification, bystander rights, data minimisation, and retention limits.
Governance framework for immersive AI
Organisations deploying AR/VR for training, collaboration, remote assistance, or customer experience should implement data minimisation by design: collect only what is necessary for the specific use case and delete raw biometric data as soon as the immediate purpose is fulfilled. Conduct Data Protection Impact Assessments (DPIAs) before any deployment involving biometric or behavioural data. Implement technical controls that prevent raw biometric data from leaving the device where processing can occur on-device. Establish clear policies for bystander notification and rights. Review vendor contracts for AR/VR platforms to ensure data handling, training data use, and third-party sharing provisions are adequate.
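As an added illustration of the on-device processing and data minimisation controls described above (example code written for this article, not from any AR/VR vendor or platform; the sample format, field names, window size and fixation threshold are all assumptions), the sketch below keeps raw eye-tracking samples on the device, exports only coarse per-window engagement metrics through an allow-list gate, and purges the raw buffer as soon as each window is summarised.

```python
"""On-device gaze pipeline: raw eye-tracking samples never leave the device,
only coarse windowed metrics do, and raw data is purged per window.
Hypothetical example; field names and thresholds are assumptions."""
from dataclasses import dataclass, field
from statistics import mean

# Fields permitted to leave the device. Raw gaze coordinates, pupil diameter
# and any per-sample timeline are deliberately absent from this allow-list.
EXPORT_ALLOWLIST = {"window_id", "fixation_ratio", "mean_dwell_ms"}


@dataclass
class GazeSample:  # one raw eye-tracker sample (constructed input format)
    t_ms: int
    x: float        # normalised screen/world coordinates
    y: float
    pupil_mm: float


def summarise(samples, window_id):
    """Derive coarse attention metrics; the result carries no gaze path."""
    # Consecutive samples within 0.02 normalised units count as one fixation.
    fixations = sum(1 for a, b in zip(samples, samples[1:])
                    if abs(a.x - b.x) < 0.02 and abs(a.y - b.y) < 0.02)
    dwell = [b.t_ms - a.t_ms for a, b in zip(samples, samples[1:])]
    return {"window_id": window_id,
            "fixation_ratio": round(fixations / max(len(samples) - 1, 1), 2),
            "mean_dwell_ms": round(float(mean(dwell)), 1) if dwell else 0.0,
            "pupil_mm": samples[0].pupil_mm}  # raw biometric: must not be exported


def export_record(record: dict) -> dict:
    """Gate for anything leaving the device: drop fields outside the allow-list."""
    return {k: v for k, v in record.items() if k in EXPORT_ALLOWLIST}


@dataclass
class OnDeviceGazePipeline:
    window_ms: int = 1000
    _raw: list = field(default_factory=list)
    exported: list = field(default_factory=list)

    def ingest(self, s: GazeSample) -> None:
        """Buffer a raw sample; summarise and purge once the window is full."""
        self._raw.append(s)
        if self._raw[-1].t_ms - self._raw[0].t_ms >= self.window_ms:
            self.exported.append(export_record(summarise(self._raw, len(self.exported))))
            self._raw.clear()  # data minimisation: raw samples do not outlive the window

    def raw_buffer_size(self) -> int:
        return len(self._raw)
```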
Further reading: ICO AI and data protection guidance | EU AI Act full text