Biometric Privacy Class Actions Take Aim at Virtual “Try-On” Retailers
When it comes to products that go on or around a person’s face, such as makeup, jewelry, and eyeglasses, virtual try-on tools use images of customers’ faces, which can trigger compliance obligations in connection with, and litigation risk under, biometric privacy laws such as BIPA.
In each of the recent cases discussed below, the named plaintiffs allege that the retailer defendants violated BIPA by failing to: (1) inform plaintiffs (and other proposed class members) in writing that the retailers were collecting their biometric information; (2) obtain written releases permitting the retailers to do so; and (3) develop and make publicly available a written policy for the retention and destruction of biometric identifiers.
These cases highlight the risks involved in offering a virtual try-on service. Providers should ensure that they get proper consent under BIPA and have a written and publicly available record retention and destruction policy in compliance with the law. Providers who find themselves subject to a BIPA challenge should contact counsel to develop a legal strategy for a successful resolution.
Makeup Virtual Try-On
In November 2022, the US District Court for the Northern District of Illinois declined to dismiss a BIPA class action involving a makeup try-on tool deployed across websites owned by The Estée Lauder Companies. Kukovec v. Estée Lauder Companies, Inc., No. 22 CV 1988, 2022 WL 16744196, at *1 (N.D. Ill. Nov. 7, 2022).
Estée Lauder’s online tool allows shoppers to upload a photograph or activate the camera on their device to see how a product looks on their face. In a lengthy decision, the court rejected all but one of Estée Lauder’s defenses.
First, the court ruled that Estée Lauder is subject to jurisdiction in Illinois. Although the try-on tool is geographically neutral and does not specifically target Illinois customers, the court concluded the tool is connected to Estée Lauder’s strategy to market and sell cosmetics in Illinois.
Second, the court declined to enforce the arbitration provision in Estée Lauder’s website terms and conditions, finding that the named plaintiff did not assent to or have constructive knowledge of those terms. The court distinguished between “clickwrap” agreements, which require a customer to affirmatively assent by clicking or checking a box, and “browsewrap” agreements, which provide that use of the website is taken as assent, albeit passive. The plaintiff only accessed web pages with browsewrap agreements, so the court analyzed the design and content of the pages and, specifically, the conspicuousness and placement of the terms and conditions link. The court concluded the link was not sufficiently conspicuous because: (1) users cannot see it unless they scroll all the way to the bottom of the page; and (2) it is located in the middle of 15 links to other pages and social media sites.
Third, the court found it was reasonable to conclude that the tool collects customers’ biometric data based on the allegation that the tool uses facial geometry scans from pictures or cameras to identify the shape and features of customers’ faces and overlay virtual makeup products onto the images.
Finally, the court agreed with Estée Lauder that the plaintiff failed to allege facts to support that Estée Lauder recklessly or intentionally violated BIPA. The court permitted plaintiff to proceed only on the theory that Estée Lauder committed a negligent violation of the statute. The distinction is significant as BIPA provides for $1,000 in statutory damages for each negligent violation and $5,000 for each reckless or intentional violation.
Eyeglasses Virtual Try-on
In December 2022, the US District Court for the Southern District of New York declined to dismiss a BIPA class action brought against Louis Vuitton concerning a virtual eyeglass try-on tool. Theriot v. Louis Vuitton N.A., --- F. Supp. 3d ---, 2022 WL 17417261 (S.D.N.Y. Dec. 5, 2022).
The court rejected Louis Vuitton’s arguments for dismissal of the claims alleging non-compliance with BIPA’s notice and consent requirements. First, Louis Vuitton argued that the third-party operator of the virtual try-on tool, FittingBox, which was not a party to the litigation, collects and processes consumers’ facial geometry — not Louis Vuitton. The court disagreed, concluding that the complaint adequately alleged that Louis Vuitton takes active steps to collect users’ facial scans, such as inviting them to take advantage of the website’s virtual try-on technology. Second, Louis Vuitton argued plaintiffs could not bring a BIPA claim because the events giving rise to the claims did not occur “primarily and substantially” in Illinois. The court rejected this argument as well because the plaintiffs alleged they were Illinois residents who used the virtual try-on tool while in Illinois.
The court did, however, dismiss the plaintiffs’ claims alleging lack of a publicly available data retention and destruction policy on the grounds that the plaintiffs lacked Article III standing. The court found no injury to support standing because the company’s duty was owed to the public generally, and the plaintiffs alleged only a failure to develop and publish a data retention policy rather than unlawful retention of their data.
On February 10, 2023, the US District Court for the Northern District of Illinois dismissed similar claims against Christian Dior alleging that the virtual eyeglass try-on feature on the luxury fashion brand’s websites violated BIPA. Warmack v. Christian Dior, Case No. 1:22-CV-04633 (N.D. Ill.).
Dior prevailed on a defense not raised by Louis Vuitton in its motion to dismiss — a health care exemption under BIPA for “information captured from a patient in a health care setting.” Dior argued that the exemption applies to the retail sale of nonprescription sunglasses like those the plaintiff allegedly virtually tried on. The plaintiff argued that: (1) she could not reasonably be considered a “patient” because she only sought nonprescription sunglasses; and (2) the virtual try-on experience was “an online shopping experience for high-end accessories” rather than a “health care setting.”
The court sided with Dior, noting that “sunglasses, even if non-prescription, protect one’s eyes from the sun and are Class I medical devices under the Food & Drug Administration’s regulations.” The court concluded the plaintiff was “an individual awaiting medical care” and therefore a “patient” because “the tool facilitates the provision of a medical device that protects vision.” The court further concluded that “the trying on and provision of sunglasses, even in a virtual setting,” is enough to count as a “health care setting.”
Jewelry and Hair Care Virtual Try-On
In November 2022, an Illinois resident filed a putative BIPA class action against Pandora Jewelry, LLC, and Pandora Ecomm, LLC, in the Circuit Court for Cook County, Illinois. Gielow et al. v. Pandora Jewelry LLC et al., Case No. 22-CH-11181 (Circuit Ct. Cook County, Ill.).
According to the complaint, Pandora — the third largest jewelry retailer in the United States — offers a virtual try-on tool on its website that allows customers to take and upload photographs of themselves. Pandora’s try-on feature analyzes customers’ facial geometry to model how selected jewelry products look on them.
In December 2022, another virtual try-on case alleging BIPA violations was filed by a proposed class of Illinois residents against a hair care retailer, Wella Operations US LLC, in US District Court for the Northern District of Illinois. Shores v. Wella Operations US LLC, Case No. 1:22-cv-07152 (N.D. Ill. Dec. 20, 2022).
The complaint alleges Wella violated BIPA by inviting consumers to virtually ‘try on’ hair dye through a website “Virtual Try-On” feature. The complaint includes screenshots of Wella’s website, showing a “Tap & Try!” button that prompts customers to upload a photograph of themselves. Once the photograph is analyzed, the tool models how different hair colors look on the customer. The complaint asserts that the combined claims of the proposed class exceed $5 million.
Companies considering offering virtual try-on tools should prepare for a potential BIPA class action lawsuit and take steps to minimize litigation exposure, including adopting BIPA-compliant disclosure, consent, and data destruction policies and procedures. Where BIPA claims have been asserted, companies should promptly seek outside counsel to develop a legal strategy for a successful resolution.