Virtual Trial Features: Do They Create Biometric Privacy Issues for Retailers? – Privacy protection


Retailers’ virtual try-on features have recently been attacked by lawsuits alleging violations of consumer biometric privacy rights. The growing risk of litigation highlights a new area of ​​compliance concern for retailers, as online shopping has become the new normal for many consumers.

Typical lawsuits in this space relate to popular online virtual “try on” features offered by a variety of retailers, including eyewear, fashion and cosmetics brands, which allow consumers – from the comfort of their homes – to see what the products will look like on their face or body before making a purchase. Consumers upload an existing photo or use their phone or computer camera to see, for example, what a particular pair of glasses might look like on their face, or what a certain color of lipstick would look like once applied. Retailers are increasingly using these tools, which have become particularly popular during the pandemic, as a substitute for the traditional in-store experience, to allow shoppers to “try on” and purchase products virtually.

Recently, plaintiffs’ attorneys filed lawsuits alleging that these virtual tools undermine consumers’ biometric privacy rights because they use and collect consumers’ biometric information, such as facial geometry, and retailers do not disclose not properly to consumers that this information is collected and possibly stored. These lawsuits have primarily targeted optical and makeup retailers and test the scope of Illinois’ Biometric Information Privacy Act (BIPA) and other privacy laws to determine whether the safeguards of those laws on biometric privacy apply in this context.

Illinois became the first state to pass comprehensive and strongest biometric privacy legislation with the passing of BIPA in 2008. The law regulates the collection, use, storage, transmission and destruction of “ biometric identifiers” by private entities. defines as “a scan of the retina or iris, a fingerprint, a voiceprint or a scan of the geometry of the hand or face”.

The law prohibits private entities from collecting biometric information without first informing the person from whom the data is collected “in writing” that the data is being collected, disclosing the “specific purpose and duration for which” the data is collected and stored and obtain written consent. BIPA further requires private entities in possession of biometric data to “develop a written policy, made available to the public, setting out a retention schedule and guidelines” for the prompt destruction of the data. The BIPA also restricts the sale and disclosure of biometric information. Significantly, BIPA provides a private right of action to any “person injured” by a violation of law and allows the recovery of statutory damages in the amount of $1,000 per negligent violation, $5,000 by intentional violation, actual damages, injunctive relief and attorneys. fees and expenses.

Courts in Illinois have interpreted BIPA broadly to allow class actions to proceed even when there have only been technical violations of the law, such as when the companies failed to not met the relevant disclosure and written consent requirements. Similarly, although BIPA excludes photographs (and information derived from photographs) from its scope, courts have also refused to exclude biometric information derived from photographs from the scope of the law given its coverage of geometric facial scans.

Beyond Illinois, a number of states and cities have biometric privacy laws that may apply to the use of virtual try-on technology. A growing number of states, including California, Maryland, and New York, are also considering comprehensive BIPA-inspired biometric privacy laws that could create additional reporting and storage requirements for biometric data and provide consumers with private rights of action.

In the face of these lawsuits, some retailers have argued that biometric data is not stored or that claims are subject to arbitration agreements included in the terms of service applicable to the use of their websites and marketing tools. virtual test. In a lawsuit against several eyewear and makeup retailers, one of the companies argued that consumers were accepting arbitration simply by visiting its website because the website displays “visible” hyperlinks to its terms of service. on each page. The lawsuit was dismissed before the court could decide this issue. Thus, it remains to be seen whether these terms of service would apply and whether notice of the terms provided to consumers would comply with BIPA’s informed consent requirements.

In addition to their popularity, virtual fitting tools are also advancing rapidly and, in some contexts, can be combined with artificial intelligence (AI) technology to generate recommendations based on consumer preferences and their individual biometric profiles. , such as face shapes and body types. . Since this practice involves the storage and analysis of biometric data collected from consumers, it could trigger the application of biometric privacy or other privacy laws.

Key points to remember

Retailers using virtual try-on technology may wish to review their practices and policies to determine whether they store or use biometric information (or information derived therefrom) to generate recommendations or link preferences to customers’ shopping profiles. consumers, and if so, take appropriate steps to ensure compliance with applicable biometric privacy and other privacy laws. They may also consider updating their website terms of service to provide notice of biometric data collection and disclosure. To facilitate compliance and dispute resolution, retailers doing business online may also wish to evaluate alternative dispute resolution options and consider including pop-up notifications with disclosures that consumers must agree to before being permitted. to use virtual testing tools.

Ogletree Deakins will continue to monitor this wave of biometric privacy class action lawsuits and post updates on the Retail and Cybersecurity and Privacy blogs. Important information for employers is also available through the firm’s webinar and podcast programs.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.


Comments are closed.