New virtual reality technologies and the aftermath of the COVID-19 pandemic have combined to create a market for virtual try-on tools in the fashion and beauty business. But these brands must take care, as Estée Lauder, Louis Vuitton and Pandora Jewelry, among others, have been hit with lawsuits alleging that their virtual try-on tools violate biometric privacy laws. Before launching a virtual try-on tool, seek out the advice of a qualified privacy law attorney in order to best position the brand for success – and not a lawsuit.
What is biometric data?
Biometric data consists of a person’s unique physical characteristics. It includes fingerprints, voiceprints, retina scans, hand scans and face scans. When using a virtual try-on tool, a person typically must either capture or upload a photo of their face, hand, or body (depending on the item being virtually “tried on”) into the company’s website or mobile application. Because that photograph contains the user’s biometric data, the company needs to comply with the relevant biometric privacy laws.
What is a biometric privacy law?
Generally, biometric privacy laws require any company that collects or uses biometric data to maintain policies and procedures to use this data securely and transparently. The goal of these laws is to prevent the misuse of biometric identifiers, as there is a high potential for identity theft among other serious data privacy concerns.
Currently, there is no federal biometric privacy law. Instead, certain states have put biometric privacy laws into place. To date, Illinois, Texas and Washington are the only states that have enacted biometric privacy laws. Arizona, Hawaii, Maryland, Massachusetts, Minnesota, New York, Tennessee and Vermont have all proposed biometric privacy laws.
The issue with biometric privacy laws is that companies have to comply if the person using the try-on tool lives in a state that has these laws. In other words, even if the company does not have an office in the state, the company must comply with the biometric privacy law if just one person who lives in that state uses the try-on tool.
For example, Estée Lauder was recently sued by an Illinois woman after she uploaded a photo of her face to their website and used their virtual make-up tool, because the cosmetics company did not have a public data retention policy as required by the Illinois Biometric Information Privacy Act (BIPA). Even though Estée Lauder never specifically targeted Illinois residents in advertising campaigns, and despite the fact the company has no offices or employees in Illinois, the judge held that Estée Lauder must comply with BIPA because its general marketing strategy to sell cosmetics includes Illinois residents. See Kukovec v. Estée Lauder Companies, Inc., No. 22 CV 1988, 2022 WL 16744196 (N.D. Ill. Nov. 7, 2022).
As that case illustrates, in the age of online shopping, fashion and beauty brands don’t always know where their customers are located. Brands should take care to comply with state biometric privacy laws in case a person logs on to their website, uses a virtual try-on tool and lives in a state with this type of law.
How can my virtual try-on tool comply with the law?
Typically, a biometric privacy law will require any company collecting biometric data to publicly publish a written policy establishing guidelines for maintaining and permanently destroying that information. Also, these laws usually prohibit a company from collecting a person’s biometric data unless the company informs the person that the data is being collected and how long the data will be stored, and receives written consent from the person. These laws frequently prohibit the company from selling or profiting from individuals’ biometric information.
The important thing for fashion and beauty brands to understand is that any virtual try-on tool must comply with the biometric privacy laws before the tool is launched. This means that the company needs to have a public written data retention policy and the capacity to receive consent from users prior to launching the try-on tool; otherwise, it risks a lawsuit.
These companies should keep in mind that only one user from Illinois, Texas or Washington would be enough to trigger a biometric privacy lawsuit if the company is not compliant with those state laws.
- In Illinois, a violation of the biometric privacy law carries a penalty of up to $5,000 per violation.
- In Texas, a violation of the biometric privacy law carries a penalty of up to $25,000.
- In Washington, the biometric privacy law does not have a limit on the penalty for a violation.
Conclusion
The takeaway for fashion and beauty companies is not to shy away from virtual try-on technology, but rather to appreciate the importance of careful data privacy maintenance. Fashion and beauty brands should ensure compliance with biometric privacy laws prior to collecting, processing, storing or sharing that data – no matter where their company is located – in case a user in a state with such a law accesses the tool. If you would like to discuss biometric privacy laws further, reach out to a member of our team.