Embodied intelligent agents, as the physical form of artificial intelligence, possess core features such as perception interaction, autonomous decision-making, and trust matching. While driving a leap in productivity, they also bring about complex data privacy risks. These risks present a three-dimensional superimposition: In the technical dimension, the physical mobility of entities breaks through the boundaries of physical space, the integration of multiple sensors intensifies unauthorized data acquisition, and algorithm black boxes and distributed processing lead to data control failure; in the legal dimension, the traditional “informed consent” framework fails due to the absence of dynamic scene authorization, the right to data deletion is difficult to achieve due to fragmented edge storage, and the multi-party responsibility is trapped in the attribution dilemma due to the autonomy of algorithmic decision-making; in the ethical dimension, anthropomorphic appearance induces emotional dependence, leading users to disclose sensitive information irrationally, and emotional computing technology further deepens the mining of personality profiles.

The triple coupling characteristics of embodied intelligent agents—physical entity, data processing, and social interaction—make data risks evolve in a trend of penetrating from virtual to physical space, upgrading from passive collection to active intrusion, and spreading from the technical layer to psychological cognition. To address these data privacy risks and legal application dilemmas, it is necessary to make concerted efforts from multiple levels such as law and technology: At the level of rights and responsibilities, improve the supervision system for data use and the responsibility system for stakeholders, and form a “bundle of obligations” corresponding to the “bundle of rights”; at the market access level, establish an algorithm impact assessment mechanism in line with embodied ethics and an information protection certification mechanism meeting compliance elements, and form an access system in line with the risk prevention principle; at the technology embedding level, construct anonymous technology rules, data classification and grading rules, and dynamic user authorization management rules with industrial and institutional binding force, promoting the integration of technology and law.