Facebook is overhauling the Oculus privacy policy and terms of service as the company prepares to launch its first standalone VR headset.

The change comes amid new European privacy regulations and an international movement calling into question Facebook’s platform and business model. Earlier this month, CEO Mark Zuckerberg appeared before Congress to answer questions about the company’s handling of personal data.

Also, in a few weeks at the F8 developer conference, Facebook is expected to provide launch details for the $200 all-in-one Oculus Go VR headset. The consumer-focused launch represents a big moment for Facebook as its first standalone consumer product. Go launches six years after Oculus was founded and more than four years after Mark Zuckerberg decided to acquire it. Oculus first launched with the Gear VR for Samsung phones and its high-end Rift headset sits atop Microsoft’s Windows. With Go’s launch, a VR headset will stand on its own for the first time as a self-contained consumer product at a pretty alluring price.

For the early VR developer community, there’s hope Go might open up a new active (and paying) user base. I’ve also heard from developers, though, who remain concerned about releasing their virtual worlds on Oculus platforms for reasons ranging from how Facebook collects and handles personal data to how it influences democracy going forward.

“It’s an existential crisis for us to make sure we get data handling right,” said Max Cohen, head of product for the Oculus Platform, during a phone interview.

What information does Oculus store?

When Oculus launched the Rift in 2016 the company started storing snapshots online, once per minute, of the actual and “average” position of the Rift and Touch controllers. Until recently, this data was connected to individual Oculus accounts.

The data is still there, but Oculus representatives said it “can’t be used to identify individuals.” According to Oculus, this data “is used to generate aggregated playspace information that developers can access to help inform their game design.”

“We realized over time that we don’t need to associate movement information with your account to make our systems work, so we moved to a system where all movement data is now de-identified,” an Oculus spokesperson wrote in response to questions.

For those unfamiliar, the Oculus Rift headset and Touch controllers which come packaged together are precisely tracked using sensors that are little more than slightly modified webcams looking for dots of light on the surface of the gadgets.

“We don’t log frame-by-frame movement information,” an Oculus spokesperson wrote in an email. “Rather, we log movement data at 1-minute intervals, including both samples (specific moment-in-time measurements) and aggregated information (such as minimum, maximum, and average) for the position of the headset and Touch controllers. This information isn’t granular and it can’t be used to identify individuals.”

Facebook’s Spaces app — a social experience that connects people on Facebook Messenger, Rift, as well as headsets not made by Oculus — is separate from Oculus and covered instead by Facebook’s privacy policy. The company said it “doesn’t log any movement information from Spaces.”

“Movement data is analogous in my opinion to mouse or keyboard for VR,” said Cohen.

I asked Facebook what’s to stop a developer from taking movement data and associating it with your account. Jenny Hall, who leads privacy programs for the Oculus legal team, said there’s an app review process and “contractual protections” in place with developers, along with other tools, to deter misuse.

“Privacy is something that we need the entire community of think about, we can’t just fix it or think about it on our own,” said Hall.

Next month, the company plans to launch a new “My Privacy Center” section of its service with updated tools where users are said to be able to download the information Oculus has stored about them.

“If there is identifiable data being stored and linked to your account we’ll make that accessible so people are aware of that and can download that,” said Cohen.

Setting user expectations

The new Oculus privacy policy and terms of service take effect May 20, with the service agreement incorporating the company’s code of conduct directly into the document.

The new terms state in one section “people can only have meaningful interactions if they feel safe” and in another requires users agree not to “disrupt, negatively affect or inhibit anyone from fully enjoying the Services, including, but not limited to, defamatory, harassing, threatening, bigoted, hateful, vulgar, obscene, pornographic, or otherwise offensive behavior.”

“If people don’t feel safe in VR they won’t use our services,” said Hall. “We want to make it super visible for people how we expect them to behave on our platform.”

Ad targeting from Facebook

Just like Rift and Gear VR, Oculus Go doesn’t require a Facebook account to use, but it is optional to link up your Oculus and Facebook accounts. If you do, certain information like “the interests you’ve chosen to share on your Facebook profile” could be used to suggest VR content you might like from Oculus.

According to a draft Oculus blog post explaining the updates: “We don’t share data with Facebook that would allow third parties to target advertisements based on your use of the Oculus Platform.” In an email, Oculus representatives clarified “it’s not our roadmap currently” to allow third-parties to target ads to Oculus users who have linked up their account.

This story originally appeared on Uploadvr.com. Copyright 2018