The Internet of Things (IoT) took off in 2016, with improved home automation systems and other smart gadgets that promised to make our lives easier.

Augmented Reality (AR) added to IoT’s success by making our lives more enjoyable. And while expectations are high for the AR market in 2017, there are some key legal (and PR) considerations to keep in mind to avoid having your rose-colored (AR) headset meet up with plain old reality.

First, let’s level set. Not to be confused with virtual reality (participating in a computer-based wholly imaginary world), AR involves technology that enhances a person’s view of the real world with a digital overlay.

Analysts predict that the combined virtual and augmented reality market will reach $162 billion by 2020, and that, of the two, AR will ultimately account for more of that revenue. But with rapid consumer adoption and popularity, there also are lessons to learn from the early innovators. Pokémon GO took over the summer of 2016, becoming the most successful U.S. mobile game ever (and the fastest game to hit $600 million in revenue).

It also triggered Congressional inquiries and privacy complaints (among others) when it came to light that the mobile game collected extensive amounts of personal information from its players arguably without players’ knowledge.

If you’re considering whether to add an AR device or game to your marketing mix, don’t forget to fold in traditional advertising and privacy law principles.

Verify Marketing Claims

In the marketing context, AR allows companies to give consumers a realistic, up-close, three-dimensional, or enhanced view of their products and services prior to purchase, from Lego stores to Ikea. If your AR product or service is used to promote or drive sales, verify the accuracy of the marketing claims to avoid overstating or misrepresenting key components that could sway a consumer’s purchasing decision. The FTC’s business guidance about marketing mobile apps is a helpful resource on point.

Privacy Design Is Key

As the Pokémon example revealed, it’s best to avoid negative privacy surprises for users. Transparency about your data practices and meaningful choices around personal and device data collection can be very helpful in avoiding a privacy snafu and public relations battle.

Some considerations on legal expectations and best practices for accomplishing such transparency can be found in the FTC’s Mobile Privacy Disclosure guidance and in the California Attorney General Office’s privacy recommendations for the mobile industry, and don’t forget the self-regulatory guidance from the Network Advertising Initiative.

In short, be mindful of what type of consumer and individual device data your AR product will collect, minimize collection of data you do not need, use privacy-sensitive defaults, and provide meaningful choice to your users about the collection, use, and disclosure of their data.

Address the Kid Factor

AR can be a highly persuasive marketing tool, particularly with children who may be unable to distinguish between real and virtual worlds. Keep that in mind when evaluating your marketing, terms of service, and what laws and self-regulatory guidelines might apply, such as those from the Better Business Bureaus.

If your AR product will collect device or personal information, assess how to avoid collection of children’s information (including individual device-level data) unless you’ve taken steps to confirm compliance with applicable children’s privacy laws.

Prepare for Data Breaches and Security Vulnerabilities

As with anything connected to the Internet, hack attacks remain one of the most pressing threats in this space. Design, implement, and maintain your AR product and service with that in mind: pay attention to applicable industry security standards and updates, and take appropriate steps to verify that the AR – and collected data – are reasonably protected against foreseeable security vulnerabilities.

Pass those obligations along, by contract, to third-party developers who may have a relevant role, and take steps to confirm they’re complying with such provisions. If there is a potential security incident, be prepared with a data breach plan. While breaches may be inevitable, consumers (and the government) expect that you have taken appropriate precautions and are prepared to mitigate the exposure and potential harm to consumers.

Helpful guidance is available from numerous sources, including the Federal Trade Commission, California Attorney General Office, the Open Web Application Security Project (OWASP), and NIST (Cybersecurity for IoT).


The law is always several steps behind technology, but companies can take proactive steps to not only minimize the likelihood of becoming a legal target, but also to build consumer trust and market success.