Recent industry announcements have made clear that AI-enabled eyewear and extended-reality devices are moving from experimental demos toward everyday consumer products. New smart glasses and related platforms promise hands-free directions, calls and texts, contextual assistance, media capture, translation, and app integrations—all in a form factor designed to be worn in public, at work, and in other sensitive environments.
As companies rapidly advance consumer-facing wearable computing technologies, social media is awash with concern about everyday devices being used for ambient surveillance. From videos of people being recorded by others wearing inconspicuous smart glasses to continued backlash over camera networks in public and commercial spaces, public concern is increasingly focused on technologies that can turn ordinary movement and everyday interactions into data collection without notice or consent.
In the wearable context, privacy failures are often architectural failures, and developers are the ones making those architectural decisions. Compliance risk will turn on product choices: whether sensitive information can be processed on-device rather than in the cloud, whether bystanders are swept into collection, whether users are given the option to opt out of human review of their data, and similar design decisions.
When “Always-On” Means Always Watched
AI-enabled glasses are not entering the market in a vacuum. Earlier generations of visual-AI-enabled smart glasses have already faced significant public backlash, particularly where devices can capture images, route data to cloud systems, or permit automated or human review. Recent reporting has highlighted the sensitivity of footage collected through wearable devices, including images and recordings that may reveal private spaces, financial information, health-related details, or other highly personal activity.
TechTarget recently warned that smart glasses expand cyber, compliance, and operational risk because they can capture what is in view and transmit that data elsewhere even if the user is not actively recording: “If a wearer were present in places such as boardrooms, R&D labs or factory floors, the list of enterprise and workplace risks would be lengthy. Leaks of sensitive conversations or IP, violations of GDPR compliance or biometric privacy regulations, and even HIPAA violations all become very real possibilities.”1
Developers at the Privacy Frontline
In response to consumer privacy concerns, independent developers are building phone-based companion apps and privacy layers for smart glasses to blur faces, manage consent, and even contemplate automatic recording shutoffs in sensitive contexts.2 Those in the software space know that a viral video or scathing article is only a visible symptom of a broader architecture of invisible data collection and review. The most important part of the story happens off-camera, in the systems that collect, route, store, and potentially expose personal data.
For developers hoping to build in this space, the key lesson is that the product is not just the app, headset, or glasses experience. It is the entire data trail the experience creates. If wearable devices can see, hear, infer, upload, and potentially expose sensitive bystander, workplace, or consumer information, then developers need to design around the full lifecycle of that data from the first permission prompt to final deletion.
At the platform level, virtual reality, augmented reality and mixed reality systems may analyze images of a user’s eyes, hands, face, and surroundings in real time to enable gaze, gesture, facial-expression, and scene-understanding features. Some systems process and delete raw images quickly, while retaining certain device-level measurements locally; apps may also be required to request runtime permission before accessing sensitive visual or biometric information. Developers need to treat these permissions for eye tracking, face tracking, hand tracking, scene understanding, and similar capabilities as high-risk design decisions.
Prioritizing privacy-by-design principles, studios should carefully consider:
- What data is actually necessary for a game or app to function.
- When and how often user data capture is requested.
- Whether processing can happen on-device instead of in the cloud.
- How long user data is retained.
- Whether any outside vendor, annotator, or cloud provider can access it.
Privacy as a Design Requirement
As of early 2026, lawmakers and regulators are increasingly focusing not only on data capture, but on the design choices that differentiate consensual from nonconsensual recording or observation.
California is already considering rules specifically aimed at visual and personal data collected by wearable devices. As of the date of this alert’s publishing, SB 1130 has passed the Senate and moved to the Assembly.3 If passed, this bill would standardize a practice already present in most wearable devices by requiring a light or other indicator showing when the device is capturing sound or video. It would also prohibit operating a wearable recording device in areas where there is a reasonable expectation of privacy.
The California Consumer Privacy Act or “CCPA” gives consumers the right to know, delete, correct, and opt out of the sale or sharing of their personal data, and to limit the use of sensitive information. It also requires notice at collection and that data practices be reasonably necessary and proportionate.4 Because California defines personal information broadly, these requirements extend to much of the “invisible” data generated by smart glasses and companion apps, including geolocation, inferences, and biometric data. When that data is shared with cloud providers, analytics vendors, or contractors, the law requires agreements restricting its use, and any related apps or services must disclose their data practices and third-party sharing in a privacy policy.
Though the Golden State is often in the lead when it comes to passing laws that protect consumers, it is hardly the only one. Several state-law developments suggest that regulators are increasingly targeting the same practices that make wearables feel unsettling to the public: opaque collection, sprawling data flows, and disclosures that don’t match what the technology is really doing. For example:
- Maryland’s Online Data Privacy Act took effect on October 1, 2025.5 It gives consumers rights over their personal data, requiring businesses to tell people what they collect, why they process it, whether they share it with third parties, and to limit collection to what is reasonably necessary and proportionate to the product or service the consumer actually requested.
- Oklahoma’s governor approved a comprehensive privacy bill, SB 546, on March 20, 2026.6 The bill also addresses consumer rights, privacy notices, and data protection assessments.
- Washington’s My Health My Data Act requires clear opt-in consent before collecting or sharing consumer health data.7 The statute expressly says that consent cannot be obtained through acceptance of a general or broad terms of use document. Its definitions also sweep in biometric data such as imagery of the iris, retina, face, hand, palm, and vein patterns from which an identifier template can be extracted.
- Colorado’s attorney general takes a similarly strict view under the Colorado Privacy Act, stating that businesses must obtain affirmative consent before processing sensitive data, including biometric data used to identify an individual, and that acceptance of broad terms of service is not consent.8
- Connecticut’s Public Act 26-15, signed in 2026, shows how privacy concerns are now being addressed through product-design rules as well, including limits on notifications to minors outside specified hours, default-protective account settings, and parental-control mechanisms.9
At the federal level, Congress has repeatedly advanced bipartisan proposals such as the Kids Online Safety Act (KOSA) and COPPA 2.0, both designed to reshape how platforms handle minors’ data and product design.
Building for Wearables Means Planning for Regulation
Opportunities to monetize wearable technology software are not slowing down. Major technology companies and device manufacturers continue to invest in AI-enabled eyewear, developer platforms, and companion applications, making privacy and data-governance planning a practical prerequisite for participating in this market.
To stay in compliance with the ever-changing patchwork of privacy laws, software studios need to understand the full scope of what information will be collected, how that information is collected, where it is processed, who can access it, and how long it is retained. Decisions around data collection, transfer, human review, vendor access, and secondary use should be carefully scoped, well documented, and defensible. If a studio’s business plan depends on collecting wearable data now and deciding later whether it can be monetized, sold, or repurposed, it should involve experienced counsel to advise on privacy and data security practices well before the product ships.
Footnotes
1. Smart glasses as an enterprise risk: What CIOs should know, TechTarget (2026), https://www.techtarget.com/searchcio/feature/Smart-glasses-as-an-enterprise-risk-What-CIOs-should-know
2. Examples include NoGlasshole, which describes itself as a “privacy layer for smart glasses”; the XR Privacy Framework, an open-source consent specification for XR data categories; and academic or prototype work on bystander privacy signaling and context-aware protections for camera-enabled wearables.
3. Cal. S.B. 1130, 2025–2026 Reg. Sess. (Cal. 2026), available at LegiScan.
4. California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act), Cal. Civ. Code §§ 1798.100–1798.199.
5. Maryland Online Data Privacy Act, Md. Code Ann., Com. Law §§ 14-4601 et seq.
6. Okla. S.B. 546, 60th Leg., 2d Reg. Sess. (Okla. 2026) (enacted Mar. 20, 2026) (Oklahoma Consumer Data Privacy Act).
7. Washington My Health My Data Act, Wash. Rev. Code §§ 19.373.010 et seq.
8. Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301 et seq.
9. Conn. Pub. Act No. 26-15 (Conn. 2026).