Cosmetics, eyewear, and apparel companies are using virtual reality to enable consumers to try on their products. Virtual try-on technology provides a highly realistic way for consumers to see how a product will look. It allows customers to make more-informed buying decisions, reducing the number of products that are returned.
Virtual or augmented reality try-on technology took off during the pandemic, when brick-and-mortar stores were closed and more people were shopping online. However, an increasing number of biometric privacy lawsuits cast doubt on the technology’s long-term viability.
For products such as glasses, jewelry, and makeup, virtual try-on tools use images of customers’ faces to recreate the in-person shopping experience. Customers upload a photo or use the camera on their phone or computer to see how the product would look.
Plaintiffs contend that these tools violate the Illinois Biometric Information Privacy Act (BIPA) and other states’ privacy laws. The lawsuits allege that retailers failed to inform consumers that they were collecting biometric information and to obtain written permission to do so. Retailers also failed to provide a written policy regarding the handling of biometric information and to post it conspicuously.
Protecting Biometric Privacy
The term “biometric” has a number of meanings, all relating to unique physical and behavioral characteristics that can be used to identify an individual. “Biometrics” refers to the measurement and analysis of these characteristics and technologies that automate identification. These technologies are used to secure buildings, authenticate users for device and network access, and identify users in a wide range of applications. Facial recognition is increasingly used because it requires no physical contact with the individual.
If biometric data were stolen, it could be used for identity theft or to defeat security controls. In light of that, three states have passed biometric privacy laws, and five are actively considering legislation.
Illinois was the first with the passage of the BIPA in 2008. The law requires companies to:
Inform individuals in writing that they’re collecting biometric data.
State the purpose of the data collection and how long the data will be held.
Obtain the consumer’s written consent before collecting the data.
Unlike other privacy statutes that limit enforcement to the state’s attorney general, the BIPA creates a private right of action allowing consumers to seek monetary relief for violations.
Penalties for the BIPA violations are stiff — the greater of $1,000 or actual damages for each negligent violation and $5,000 or actual damages for each willful violation, plus attorneys’ fees and costs. Furthermore, the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corp. that consumers have standing to sue under the BIPA even if they don’t suffer actual damages. This application of statutory damages and fee shifting to technical violations of the law puts companies offering virtual try-on tools at significant risk.
So does the fact that most e-commerce companies are subject to every state’s jurisdiction. On May 20, 2022, plaintiffs filed a class action lawsuit in the Southern District of New York against Estée Lauder Companies Inc. for BIPA violations. The lawsuit alleges that the company engaged in “undisclosed collection of consumers’ biometric facial scans in Illinois.”
Christian Dior used a novel argument to win dismissal of similar claims: the BIPA’s exemption for “information captured from a patient in a health care setting.” Plaintiffs had sued Christian Dior alleging that its virtual try-on feature for sunglasses violated the BIPA. The court agreed that a virtual tool for trying on sunglasses counted as a health care setting and noted that the FDA regulates non-prescription sunglasses as Class I medical devices.
Some e-tailers have argued that the BIPA does not apply because they don’t store biometric data. However, virtual try-on tools are emerging that use artificial intelligence to recommend products based upon customers’ preferences and biometric profiles. In this scenario, biometric data would need to be stored and analyzed, likely triggering the BIPA and other privacy laws.
More states are likely to implement biometric privacy laws modeled on the BIPA, although there could be nuances in the definition of “biometrics” and notification requirements. These regulations and the inevitable lawsuits will have a chilling effect on the use of virtual try-on technology if e-tailers don’t take action.
Companies should consider updating their website terms and conditions to include disclosure of any biometric data collection. If they store biometric information, e-tailers should review their policies and business practices and take steps to ensure compliance with the BIPA and other privacy laws. To avoid claims that consumers did not have constructive knowledge of disclosure, companies should consider using popup notifications and “clickwrap” agreements that consumers must accept before accessing virtual try-on tools.
Keep Current on New Legal Developments
As e-tailers deal with challenges to data collection, it is critical to keep up with the latest changes. Purdue Global Law School keeps students informed on legal developments in California and throughout the United States.
Purdue Global Law School provides an online Juris Doctor degree if you wish to become a licensed California attorney. If you want to obtain an advanced legal education but do not wish to practice law, an online Executive Juris Doctor may be for you.