Critical backlash against Oculus's privacy policy reached Capitol Hill on Thursday, when Sen. Al Franken (D-Minn.) demanded that Oculus and its parent company Facebook answer for the data its new headset collects from virtual reality users.

"Oculus’ creation of an immersive virtual reality experience is an exciting development," Franken wrote in an open letter to Oculus CEO Brendan Iribe, "but it remains important to understand the extent to which Oculus may be collecting Americans’ personal information, including sensitive location data, and sharing that information with third parties."

The question is, what exactly is Oculus asking to collect—and how much worse is it compared to other online services' EULAs?

A veritable House of Cards

The website UploadVR was first to the original story last week in a report that spelled out the most extreme parts of the privacy policy—and the .exe at its center. The headset currently requires Oculus's software suite to operate, which headset wearers must use to load games and find more software in the online Oculus Store. The software requires an Internet-connected process called OVRServer_x64, which sends and receives data even when you're not in a game, and the privacy policy spells out at least some of what's included in those transmissions.

The short version is, Facebook can keep tabs on what software you're running through the Oculus Home hub, where you're using your Oculus, and the positional tracking of your headset—and then will likely share that data among other Facebook-owned companies.

"I believe Americans have a fundamental right to privacy, and that right includes an individual’s access to information about what data are being collected about them, how the data are being treated, and with whom the data are being shared," Franken said in a public statement.

However, Franken's statement didn't mention any other major online services, so this is a good opportunity to review whether Oculus is really breaking new, privacy-infringing ground.

Let's run through those cases one-by-one. For starters, "information about your interactions with our services" is a long-winded way of saying, "we're gonna study anonymized data about general Oculus use." The same goes for any connected entertainment network you've used in the past five years, including Xbox Live, PlayStation Network, Hulu, Amazon Video, and Netflix. Netflix was even shameless enough to admit that House of Cards came as a result of studying its customers' watching habits.

Facebook also isn't saying much interesting with its clause on tracking a user's "location information." For starters, your IP address is pretty telling, as is any shipping information you provided with your Oculus preorder (since that's the only way people can currently buy the hardware). In addition, GPS tracking in online-service privacy statements isn't exactly new, though that's usually because the service or device in question offers useful services once we give it permission to stalk us. That doesn't mean the Oculus Rift headset has a GPS sensor in it—rather, this is the same services statement that a Samsung GearVR user will see when using its Oculus-powered app.

We imagine Oculus's smartphone-powered systems will see more GPS-powered apps before long (especially if mobile-friendly, GPS-tracked games like Qonqor or Ingress ever take a VR leap), so Oculus has to admit that it will have access to that data, at the very least. And Facebook has already made clear that it's analyzing users' GPS activity "to tailor our services for you and others," so this isn't a major leap for a company in the same corporate umbrella.

The last part, which gathers "information about your physical movements and dimensions when you use a virtual reality headset," seems the most prying. In good news, at least, those movements aren't being captured as photographic images, as the Oculus Rift "Constellation" sensor only tracks infrared lights. Meaning, if you wanna wave your naked butt at your headset, go to town (so long as you don't cover your cheeks with infrared sensors, at any rate). That simply leaves positional tracking of the headset mid-game and the times when the headset is left unused on a desk.

While we can understand reasons to want to opt out of any of these data-donation pools, we imagine that VR users might want Oculus to have as much positional data as possible, as this is the stuff researchers will be mining as they work on the problems of VR nausea and discomfort. Anonymized data from thousands of retail headset wearers might answer questions that a smaller pool of dev-kit owners simply couldn't.

Conversely, the ability to gather data on, say, where we point our VR "gaze" to look at is a bit disconcerting. We imagine Oculus's app isn't recording such granular data though, because that would require a lot of recording and processing, which would eat into PC performance. Oculus probably wants users to hit a rock-solid 90fps visual refresh way more than they want to know how long you stare at the caterpillar in Lucky's Tale. (However, the amount of time you spend within each app, game, or visual experience? Every other streaming-video and online gaming service captures that information, as well.)

Wasn’t set in stone until after preorders began

Should headset owners not want to fill Oculus and Facebook's data coffers with their own use history, we're not sure whether there's an option beyond "don't use the Oculus Rift." There's a kinda-sorta Internet requirement to run Oculus's "home" launching pad, in that you must always log in online to start the app. At that point, you can cut the app's Internet access for an indeterminate amount of time and play any offline games—but we don't know if Oculus's app gathers that data even when you're offline, waiting for a reconnection to upload it all. (The privacy policy is written in such a way that gives Oculus permission to upload after a disconnect, at any rate.)

VR is a new frontier for user experiences, but not for privacy policies surrounding a data-gathering gold-rush. The one complaint we'd levy specifically at Oculus is that its privacy and legal policy pages weren't set in stone until February—a full month after the headset's preorder campaign began in earnest—so we certainly understand why some customers would have preferred having that information before making a purchase decision.

Otherwise, we hope Congressional leaders like Franken are mindful of the fact that what Oculus is doing here is incredibly typical—and if he wants to take legal action about privacy policies, and with whom a company shares its users' data, he's gonna need a bigger boat.