“When consumers shop for products, they expect that companies will follow the law in promoting and advertising those products” and that if they are “sharing their data with companies in connection with a potential transaction, the companies will be transparent about what data is being collected, how it is being used, and by whom.” That is what a pool of plaintiffs asserts in a lawsuit filed last month against Estée Lauder Companies, Bobbi Brown Professional Cosmetics, Smashbox Beauty, and Too Faced Cosmetics, accusing the beauty brands of violating a state biometric data law by way of their virtual try-on tools.
In the complaint that they filed in an Illinois federal court on October 18, Plaintiffs Celia Castelaz, Brittanie Nalley, Northa Johnson, and Lori Carter assert that “in response to the ever-increasing prevalence and proliferation of biometric information collection (whether lawful or not),” Illinois passed the Biometric Information Privacy Act (‘BIPA’) of 2008,” a state law that prohibits businesses from “collect[ing], captur[ing], purchas[ing], receiv[ing] through trade, or otherwise obtain[ing]” a person’s biometric data without first providing written notice of the company’s data collection, retention, and storage practices and obtaining written consent.
“Despite consumer concerns regarding facial-scanning technology, and BIPA’s clear mandate,” Castelaz and co. allege that Estée Lauder Companies, Bobbi Brown Professional Cosmetics, Smashbox Beauty, and Too Faced Cosmetics have – and continue to – run afoul of BIPA. Specifically, the plaintiffs assert that in furtherance of their quest to “sell the image of glamour and beauty to consumers, inviting them to virtually ‘try on’ makeup through the ‘Virtual Try-On’ feature found on each of the brand websites,” the defendants enable consumers to “view themselves with various makeup products on their face.” All a consumer needs to do is “enable their computer camera or phone camera, after which the technology embedded and running on the brand websites creates a live video feed of the user’s face using biometric data, with the selected makeup products applied on top of the live feed.”
The plaintiffs that that “unbeknownst to their website users,” including themselves and fellow class members, the beauty brand defendants “collect users’ detailed and sensitive biometric identifiers and information, including complete facial scans, through the Virtual Try-On tool on each of the brand websites, and … do this without first obtaining users’ consent, or informing them this data is being collected.” (Here, the plaintiffs claim that the biometric identifiers at play include their “facial geometry.”)
As such, “Each and every time a website visitor based in Illinois uses the [brands’] Virtual Try-On tool found on the brand websites … including, as relevant here, toofaced.com, smashbox.com, esteelauder.com, and bobbibrowncosmetics.com,” the defendants are violating BIPA.
In addition to allegedly failing to alert consumers that their biometric data is being collected and failing to get their consent to do so, the beauty brands are also violating BIPA. The plaintiffs assert that BIPA “requires private entities, like the defendants, in possession of biometric identifiers or biometric information to develop and comply with a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information.” Yet, the defendants “have not and do not comply with BIPA’s permanent destruction guidelines that biometric information and identifiers in [their] possession must be permanently destroyed either when the initial purpose for collecting or obtaining such identifiers or information has been satisfied, or within 3 years of the consumer’s last interaction with [the] Virtual Try-On tools, whichever comes first.”
The defendants’ “failure to develop the required retention and destruction policies [has] placed the plaintiffs’ and class members’ sensitive biometric identifiers at risk of compromise or illicit use by the defendants and others,” Castelaz and her fellow plaintiffs contend.
With the foregoing in mind, the plaintiffs set out three causes of action, accusing the beauty brand defendants of violating BIPA by: (1) failing to inform consumers in writing and obtain written release from users prior to capturing, collecting, or storing biometric identifiers; (2) failing to develop and make publicly available a written policy for retention and destruction of biometric identifiers; and (3) running afoul of BIPA’s prohibition against “selling, leasing, trading, or otherwise profiting from a person’s biometric identifiers or biometric information.”
In addition to requesting that the court certify their proposed class action, the plaintiffs are seeking injunctive relief to permanently bar the defendants from violating BIPA, and monetary damages, which the plaintiffs argue “exceed $5,000,000, exclusive of interest, attorneys’ fees, and costs.”
THE BIGGER PICTURE: An increasing number of brands and retailers have introduced virtual try-on tools that use biometric technology to recreate the fitting room experience or makeup testing in an e-commerce scenario. “As the popularity of these tools grow, so does the legal risk from the growing number of biometric data privacy lawsuits,” according to Steptoe & Johnson LLP’s Stephanie Sheridan, Meegan Brooks and Surya Kundu.
Not limited to Estée Lauder and co., other brands are facing off against such lawsuits, with Louis Vuitton, for instance, being named in a BIPA lawsuit this spring over a virtual try-on tool on its website. According to a complaint filed against it in April, Louis Vuitton enables consumers to virtually “try on” its eyewear, prompting consumers to provide the brand with “detailed and sensitive biometric identifiers and information, including complete facial scans,” which Louis Vuitton allegedly collects and stores “without first obtaining their consent, or informing them that this data is being collected.” Before that, H&M was named in a similar lawsuit back in 2019 for allegedly “requiring [its] hourly employees to scan their fingertips in its biometric time clock in order to clock in and out of their shifts, and sharing the biometric information at issue with a third-party time-keeping vendor.
Estée Lauder Companies did not respond to a request for comment.
The case is Celia Castelaz, et al., v. Estèe Lauder Cos., Inc., et al., 1:22-cv-05713 (N.D. Ill.)