Image: Dior

Christian Dior has beaten a proposed class action lawsuit in an outcome that will be of interest to a rising number of companies that are landing on the receiving end of privacy lawsuits that stem from virtual try-on tools. On the heels of Delma Warmack waging an Illinois Biometric Information Privacy Act (“BIPA”) complaint against Dior in August, Judge Elaine Bucklo of the U.S. District Court for the Northern District of Illinois granted the LVMH-owned brand’s motion to dismiss the complaint – which centered on the virtual eyewear try-on tool on Dior’s e-commerce site – on the basis that she failed to state a claim given that Dior’s conduct falls within the bounds of BIPA’s statutory “healthcare” exemption. 

Summarizing Warmack’s allegations in her February 10 memo and order, Judge Bucklo stated that she used the virtual try-on tool (“VTOT”) on Dior’s site, which scans a user’s face and collects data that is “transferred to [virtual try-on software provider] FittingBox’s server, and possibly [Dior’s] server, too, where it is stored for an uncertain amount of time.” Warmack alleged that Dior – which “profits from the process of collecting, storing, and using consumers’ facial geometry scans because it improves customers’ experiences in purchasing eyewear from [Dior] online” – ran afoul of BIPA by failing to: “develop or follow a retention policy” (as required by s. 15(a)) and to observe s. 15(c)’s mandate that private entities in possession of biometric data may not “sell, lease, trade, or otherwise profit from” that data. 

While Dior argued – in part – that Warmack did not allege an injury in fact sufficient to satisfy Article III for her section 15(a) and 15(c) claims, the court found that Warmack set out allegations that conferred standing. Worth noting: The court distinguishes the case at hand from previous BIPA case determinations … 

Section 15(a) – Primarily, Judge Bucklo pointed to Bryant v. Compass Group USA, Inc., in which the Seventh Circuit held that “merely alleging failure to publicly disclose a data-retention policy is insufficient … to plead an injury in fact under s. 15(a).” However, the Judge noted that the Seventh Circuit later clarified that that holding is narrow and held that “a plaintiff pleads injury in fact where she ‘accuses [a defendant] of violating the full range of its section 15(a) duties by failing to develop, publicly disclose, and comply with a data-retention schedule and guidelines for the permanent destruction of biometric data.’” 

Because Warmack alleged here that Dior violated “the full panoply of section 15(a)’s requirements,” the court found that her allegations confer standing, as “unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data.” 

Section 15(c) – Distinguishing this case from the Seventh Circuit’s decision in Thornley v. Clearview AI, in which the appeals court held that pleading a bare violation of the s. 15(c) provision is not enough for standing purposes, Judge Bucklo noted that Warmack alleged that “by using her biometric data for its own profit, [Dior] impacted [her] ownership over and ability to control that data for her own purposes.” This type of allegation was missing in cases like Thornley, in which courts found plaintiffs lacked standing to bring a section 15(c) claim, according to the Judge.

With the foregoing in mind, the Judge determined that Warmack sufficiently alleged standing, but ultimately sided with Dior, which successfully argued that its alleged conduct falls under BIPA’s statutory exemption that excludes “information captured from a patient in a health care setting” from its definitions of “biometric identifiers” and “biometric information.” 

Though Warmack “may be right that VTOT users would be surprised to learn that ‘they were entering into a provider/patient relationship,’” Judge Bucklo stated that the relevant test is “an objective application of the text of the exemption.” Claiming that it is not “such a stretch to count the trying on and provision of sunglasses, even in a virtual setting, as ‘health care’ alongside … more specific provisions,” the Judge asserted that “this conclusion comports with the one reached by the other courts that have considered whether BIPA’s general health care exemption applies in the context of virtual try-on tools for eyewear.” (In September, for example, a federal judge in the N.D. of Illinois held in Svoboda v. Frames for America, Inc. that BIPA does not regulate a virtual try-on tool because it fell under the statute’s “health care exemption.”)

With the foregoing in mind, the court refused to dismiss Warmack’s complaint for lack of standing, but granted Dior’s motion to dismiss under Rule 12(b)(6).

The Bigger Picture

The win for Dior comes amid an influx of BIPA-centric cases, such as the ones that have been filed against Estée Lauder Companies and Louis Vuitton North America, as an increasing number of brands and retailers have introduced things like virtual try-on tools that use biometric technology to recreate the fitting room experience or makeup testing in an e-commerce scenario. 

A couple of noteworthy takeaways from other BIPA cases include … 

BIPA claims have a 5-year statute of limitations – This month, the Illinois Supreme Court determined in Tims v. Blackhorse Carriers, Inc. that all BIPA claims have a five-year statute of limitations. The court’s decision provides “private entities [with] more certainty about the statute of limitations for BIPA claims,” Troutman Pepper’s Molly DiRago, Robyn Lin, Jessica Ring and John Sample contend, particularly since BIPA does not specify a statute of limitations. However, such increased certainty comes with increased exposure, as the court’s ruling “substantially expands the timeframe within which litigants can assert BIPA claims, and in so doing, has increased the number of potential litigants, document retention costs, potential damages, and the scope of BIPA litigation generally.” 

A business may not be held liable under BIPA when biometric data is acquired outside of Illinois – In October, a U.S. District Court for the Western District of Washington judge granted summary judgment on BIPA claims waged against Microsoft in Vance v. Microsoft Corp. Siding with Microsoft, the court determined that because the biometric information was not captured or collected by Microsoft in Illinois, “any connection between Microsoft’s conduct and Illinois [was] too attenuated and de minimis for a reasonable juror to find that the circumstances underlying Microsoft’s alleged BIPA violation ‘occurred primarily and substantively in Illinois.’”

Seyfarth Shaw’s Danielle Kays and James Nasiri stated in a note at the time that “by dismissing the plaintiffs’ claims, the Court issued an important BIPA win for companies, and also set forth favorable precedent for out-of-state businesses hit with BIPA lawsuits.” 

BIPA claims accrue individually with each violation – In its decision in Cothron v. White Castle Sys., Inc., the Illinois Supreme Court confirmed that each separate violation of BIPA constitutes a distinct and separately actionable violation of the statute. “The decision exponentially increases liability exposure and the scope of damages that may be collected for alleged violations of BIPA,” Squire Patton Boggs’ Christina Lamoureux, Kristin Bryan, Kyle Fath, and David Oberly note.

The case is Warmack v. Christian Dior, Inc., 1:22-cv-04633 (N.D. Ill.)