With high-end fashion and beauty sales holding strong despite fears of an economic downturn, some brands are turning to virtual try-on, or VTO, technology to optimize consumers' online shopping experiences.
By allowing consumers to virtually try on products, brands not only can recreate the real-world shopping experience, but also deepen their investment in Web3 consumers, for whom the virtual and physical worlds are increasingly interchangeable.
But as illustrated by a series of recent federal court decisions under the Illinois Biometric Information Privacy Act, the use of VTO technology presents significant data privacy and legal risks.
This article explores the potential risks associated with high-technology fashion and the steps brands can take to mitigate these risks.
High-Tech Fashion and the Growth of VTO Tech
In its simplest form, VTO technology enables consumers to try on products by using a camera-enabled smart device, e.g., a smartphone, and facial recognition technology to capture the consumer's image.
Once that image has been captured, augmented reality technology overlays a virtual product over the image to show how it would look on the consumer.
While augmented reality applications have been around for years, the last two years have witnessed a sea change in the use of VTO technology. Post-pandemic, consumers are not only using VTO tools to sample products, but also participating in virtual experiences like makeup artistry tutorials or shade matching.[1]
Meanwhile, VTO technology has advanced beyond simple photographic overlays, using computer vision and artificial intelligence to allow consumers to visualize 3D models of themselves.[2]
Finally, traditional brands have embraced the commercial possibilities of the metaverse by establishing virtual spaces that not only sell products for use in real life, but distinctive virtual creations and highly personalized brand experiences.[3]
The result is a high-tech fashion and creative industry worth an estimated $31 billion.[4]
Biometric Data Privacy Concerns
Driving the growth of VTO technology is the collection and use of consumers' biometric data, a series of biologically unique physical identifiers, such as fingerprints, voiceprints, retina or iris scans, and face geometry.[5]
When combined with facial recognition software and augmented reality tools, biometric data enables hyperrealistic models of consumers. But biometric data also can be used for purposes of automated recognition and identification, and has become the focus of serious data privacy concerns.[6]
In 2008, Illinois became the first state to enact biometric data privacy legislation with the passage of the Biometric Information Privacy Act.[7]
BIPA regulates the collection, use, storage, transmission and destruction of biometric identifiers, defined as "fingerprints, voiceprints, retina or iris scans, and face geometry."[8] BIPA prohibits private entities from capturing biometric data without written notice and consent.
BIPA also requires that private entities in possession of biometric data develop, publish and comply with a written policy for retaining and destroying biometric data.[9]
Significantly, BIPA provides a private right of action and permits the recovery of statutory damages — $1,000 for each negligent violation and $5,000 for each reckless or willful violation — as well as fees and costs.[10]
The very first jury trial — Rogers v. BNSF Railway Co. in the U.S. District Court for the Northern District of Illinois — went to verdict in November under BIPA and resulted in a classwide award of $228 million. Consequently, BIPA has become one of the most heavily litigated statutes in the country.
Since 2019, numerous retailers have been sued for violating BIPA for their use of VTO technology and other digital tools to personalize consumer recommendations.[11]
This article will focus on three recent decisions involving allegations of BIPA violations arising out of VTO technology that are of particular relevance to fashion and beauty brands.
Theriot v. Louis Vuitton North America
On Dec. 5, in Theriot v. Louis Vuitton North America Inc., U.S. District Judge Denise Cote of the U.S. District Court for the Southern District of New York denied in part LVNA's motion to dismiss claims that its VTO tool, which allows users to visualize themselves in a particular pair of eyeglasses, violated BIPA.[12]
The plaintiffs, all Illinois residents, alleged that LVNA violated Section 15(b) of BIPA by capturing users' facial geometry without informing them how that data is collected, used or retained.[13]
The plaintiffs also alleged that LVNA lacked a publicly available policy establishing how long such data is retained and when it is destroyed, in alleged violation of Section 15(a) of BIPA.[14]
The court rejected several of LVNA's defenses, including LVNA's rationale that because its VTO tool was operated and developed by a third party, not named in the litigation, the plaintiffs pleaded themselves out of court by alleging that that the third party collected and processed users' facial geometry — not LVNA.[15]
Instead, the court concluded that the plaintiffs sufficiently alleged that Louis Vuitton took "active steps to collect users' facial scans ... such as inviting users to take advantage of the [VTO] tool."[16]
The court also rejected LVNA's defense that the events giving rise to the plaintiffs' claims did not occur primarily and substantially in Illinois where the plaintiffs were
Illinois residents who used the [VTO] Tool while in Illinois, and that there was no indication from [p]laintiffs' complaint that any other events relevant to their claims occurred elsewhere.[17]
Notably, however, the court dismissed the plaintiffs' Section 15(a) claim for lack of Article III standing.[18]
Relying on the U.S. Court of Appeals for the Seventh Circuit's 2020 decision in Bryant v. Compass Group USA Inc., in which it found no Article III injury where a company's duty was "owed to the public generally, not to particular persons whose biometric information the entity collects," the court reasoned that:
Plaintiffs' [Section] 15(a) claim is expressly based on the "failure to develop and make publicly available a written policy for retention and destruction of biometric identifiers," rather than on the unlawful retention of data after the initial purpose for collecting the data had been satisfied. As the court held in Bryant, because the duty to develop and disclose a retention policy is owed to the public generally, plaintiffs have failed to allege a particularized harm sufficient for Article III standing.[19]
The plaintiffs sought to analogize their case to another Seventh Circuit decision, Fox v. Dakkota Integrated Systems LLC, which found that the plaintiff had standing to pursue Section 15(a) claims where she alleged that the defendant not only failed to publish a retention policy, but unlawfully retained her biometric data.[20]
But the court rejected this comparison where the plaintiffs' complaint focused on LVNA's alleged failure to develop and publish policies governing data collection and retention, and not LVNA's retention of the data.[21]
The court also rejected the plaintiffs' claim that they were injured due to "the unknowing loss of control of … of biometric identifiers" and violations of their privacy as relevant to their Section 15(b) claim — not, as the plaintiffs alleged, a Section 15(a) claim.[22]
Kukovec v. The Estée Lauder Companies
Judge Cote's decision comes on the heels of another recent decision allowing BIPA claims arising out of VTO technology to proceed.
In Kukovec v. The Estée Lauder Companies Inc., U.S. District Judge Manish Shah of the U.S. District Court for the Northern District of Illinois denied in part Estée Lauder's motion to dismiss BIPA claims relating to the use of VTO tools across websites operated by cosmetic brands owned by the company.[23]
In Kukovec, the court rejected Estée Lauder's argument that it lacked personal jurisdiction where its VTO tool was geography-neutral, and the mere accessibility of the tool to Illinois consumers lacked a substantial connection to Estée Lauder's sale of cosmetics in Illinois.[24]
Describing this interpretation as overly narrow, the court concluded that Estée Lauder used its website and VTO tool as part of its cosmetics marketing and sales strategy to purposefully avail itself of Illinois consumers.[25]
Similarly, the court dismissed Estée Lauder's claim that the plaintiff lacked standing to sue on behalf of individuals that used VTO tools on Estée Lauder brand websites that the plaintiff herself did not use as premature where no class had been certified, and the plaintiff's injury was traceable to the same VTO tool that was used across multiple websites.[26]
The court also rejected Estée Lauder's defense that the plaintiff was required to arbitrate her dispute pursuant to its terms and conditions, of which Estée Lauder argued that the plaintiff had constructive knowledge.[27]
Here, the court distinguished between webpages that contained browsewrap terms and conditions, in which a consumer's continued browsing is considered assent, and clickwrap terms and conditions, in which a consumer clicks to indicate assent.[28]
Because the plaintiff visited only those webpages that contained browsewrap terms and conditions, the court concluded that the plaintiff could not be deemed to have constructive notice where the webpage's design made it possible for her to use the VTO tool without confronting the terms and conditions link.[29]
The court also concluded that the plaintiff sufficiently alleged enough information to infer that Estée Lauder captured the plaintiff's biometric identifiers.[30] However, the court rejected the plaintiff's claim that Estée Lauder acted negligently, recklessly or intentionally, noting that recklessness and intentionality require a specific state of mind, which the plaintiff failed to allege.[31]
The court dismissed the plaintiff's claims for reckless or intentional conduct without prejudice to repleading.[32]
Warmack v. Christian Dior: A Possible Defense to BIPA VTO Tech Claims?
Notably, earlier lawsuits involving BIPA claims and eyewear have been dismissed under the BIPA health care exemption, which exempts "information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996," including "prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses."[33]
But the issue of whether courts will apply the BIPA health care exemption in more retail focused settings is pending in another case entitled Warmack v. Christian Dior Inc. in the Northern District of Illinois.
In Warmack, the plaintiff alleged that Christian Dior operated a VTO feature on its website that collected users' facial geometry data without first obtaining written consent or informing users of the purpose and length of time that their data was being collected, in violation of Section 15(b) of BIPA.[34]
The plaintiff also alleged that Dior failed to provide a publicly available data retention and destruction schedule, as required by Section 15(a) of BIPA.[35]
Dior moved to dismiss the plaintiff's complaint, alleging that the BIPA health care exemption applied to nonprescription sunglasses, such as the ones sold by Dior and which the plaintiff alleged that she tried on.[36] However, the plaintiff characterized the sunglasses as fashion accessories and that Dior's website was not a health care setting, nor were Dior's consumers patients.[37]
The plaintiff also distinguished prior decisions applying BIPA's health care exemption as focusing on the VTO technology being used for prescription glasses, akin to optometrist fittings, not in connection with the purchase of luxury sunglasses.[38]
Implications for Brands Using VTO Tech
The Thierrot and Kukovec decisions illustrate the continued risk for retailers from biometric data privacy lawsuits, as well as the resiliency of Section 15(b) claims.
While BIPA's health care exemption may provide a defense to claims involving eyewear — one of two main focuses of BIPA litigation — the court's decision is still pending in Warmack. Moreover, its applicability to cosmetics is questionable, and raises regulatory concerns for so-called cosmeceuticals and other skin care products.
In the meantime, brands should consider whether any biometric data is being collected by VTO tools, and if so, by whom, and whether biometric data is being solicited through invitations to use VTO tools.
They should also consider how consumers are notified about biometric data privacy policies — browsewrap terms and conditions, or links to privacy policies that are not readily apparent may not be enough to establish notice.
Brands should also consider how consumers are informed about the collection of biometric data. At minimum, consumers should be informed, in writing prior to the operation of any VTO tool, that their biometric data is being collected, of the purpose for which the data is being collected and of the duration for which the biometric data will be collected, stored and used.
Lastly, companies should consider how consumers are providing written consent.
Companies should also ensure that their privacy policies stay current with evolving legislation.
In addition to Illinois, Texas and Washington have enacted specific biometric laws — although they do not currently allow for a private right of action — while several other states have introduced biometric privacy laws based generally on BIPA, including providing for a private right of action and statutory damages for negligent or intentional violations.[39]
References
[1] See Fiona Ma, From Gimmick to Growth, Virtual Try-on Tech Fuels Beauty Sales, Provides Future Solutions, Beauty Inc. (Apr. 24, 2020); Adriana Lee, Google Brings Beauty AR Try-ons to Search, WWD (Dec. 17, 2020).
[2] See, e.g., Denise Incandela, Press Release: Walmart Levels Up Virtual Try-On for Apparel with Be Your Own Model Experience, Walmart (Sept. 15, 2022); Samantha Conti, Farfetch Pushes Personalization with Virtual Try On Experience, WWD (March 30, 2021).
[3] See, e.g., Madeleine Schultz, Vogue World Partners with Snap on AR Filters and Fashion Try-Ons, Vogue (Sept. 9, 2022); Madeleine Schultz, No longer just marketing, beauty is building worlds in the metaverse to drive sales,| Vogue Business (Aug. 30, 2022); Adriana Lee, Maisie Wilen Launches AR Fashion Try On in Zero10 Collab, WWD (June 30, 2022); Vanessa Friedman, What to Wear in the Metaverse, N.Y. Times (Jan. 20, 2022, updated Oct. 19, 2022).
[4] Business of Fashion and McKinsey & Company, The State of Fashion 2022, 58 (Apr. 7, 2022).
[5] Electronic Privacy Information Center, Surveillance Oversight: Face Surveillance and Biometrics (last visited Dec. 20, 2022).
[6] McKinsey & Co., Tech Trends Outlook 2022 at 10 (Aug. 2022) (noting that "[the] control, storage, and use of biometric data is a debated topic regarding privacy and ethics"); see also Biometric Information Privacy Act ("BIPA"), 740 Ill. Comp. Stat. 14/5(c) (specifying that "[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.").
[7] See 740 Ill. Comp. Stat. § 14 et seq. (2008).
[8] See at § 14/5(c).
[9] Id. at § 14/5(b).
[10] Id.
[11] See Jake Holland, As Virtual Try-On Fashion Technology Grows, So Do Legal Risks, Bloomberg Law (July 8, 2022).
[12] See Opinion and Order at 14-15, Theriot v. Louis Vuitton N. Am., Inc. 
, No. 1:22 Civ. 02944 (DLC) (S.D.N.Y. Dec. 5, 2022).
[13] Id. at 12.
[14] Id. at 8.
[15] Id. at 12.
[16] Id. at 12-13.
[17] Id. at 13-14.
[18] Id. at 10.
[19] Id. at 8.
[20] Id. at 9.
[21] Id. at 9-10.
[22] Kukovec v. The Estée Lauder Cos., Inc. , No. 22-CV-1988, 2022 WL 16744196, at *1 (N.D. Ill. Nov. 7, 2022).
[23] Kukovec, 2022 WL 16744196, at *8.
[24] Id. at *4.
[25] Id.
[26] Id. at *8.
[27] Id. at *5.
[28] Id. at *5.
[29] Id. at *5-6. Nor could ELC argue that plaintiff had constructive notice of ELC's arbitration provision because she recently filed two other BIPA lawsuits against TikTok and L'Oréal, noting that a website user "is not automatically on notice that any website she visits likely has terms and conditions just because she's visited other websites that have them." See id. at *6.
[30] Id. at 7.
[31] Id. at 7-8.
[32] Id. at 8.
[33] See, e.g., Svobova v. Frames for America, Inc., No. 21-CV-5509 (N.D. Ill. Sept. 8, 2022) (concluding that plaintiff was a "patient receiving a health care service in a health care setting); Vo v. VSP Retail Dev. Holding, Inc. , 19 C 7187, 2020 WL 1445605 (N.D. Ill. Mar. 25, 2020).
[34] See Compl. at 6-7, Warmack v. Christian Dior, Inc., No. 1:22-CV-04633 (N.D. Ill. Aug. 30, 2022).
[35] Id. at 7.
[36] See Mot. to Dismiss at 4-6 (Oct. 23, 2022).
[37] See Pl. Opp.to Mot. to Dismiss at 6-8 (Nov. 21, 2022).
[38] Id. at 8.
[39] See Bloomberg Law, The Evolution of Data Privacy Laws, (last visited Dec. 21, 2022).
Reprinted with permission of Law360.
