Augmented Reality Makeup Tools Serve as Foundation for BIPA Class Actions

BIPA, the frequently used basis for class action lawsuits in connection with facial recognition, fingerprint, and other technologies is once again serving as the basis for two recently filed suits.

What to Know

Class action lawsuits have been filed in Illinois state court, alleging that cosmetics company, Mary Kay, and beauty retailer, Ulta, violated Illinois’ Biometric Information Privacy Act (“BIPA”).
The complaints allege that the companies collected consumers’ facial geometry without obtaining informed consent.

The Alleged Biometric Data Collection

BIPA, the frequently used basis for class action lawsuits in connection with facial recognition, fingerprint, and other technologies is once again serving as the basis for two recently filed suits. The complaints claim that Mary Kay and Ulta, two beauty brands, scanned and collected consumers’ geometric facial data without consent through the companies’ respective online augmented reality tools. Specifically, Mary Kay’s “MirrorMe” program and Ulta’s “Foundation Shade Matcher,” “GLAMlab®,” and “Skin Analysis” tools offer users a way to virtually to “try on” different cosmetics and beauty products prior to purchase. The tools allegedly function by scanning images and videos of consumers’ faces and virtually applying particular products to the scanned images and videos. While both websites host a privacy policy, BIPA requires very specific notice and consent procedures prior to collection. The two lawsuits allege that such consent was not obtained.

The Class Actions

Namely, for informed consent, BIPA requires business that collect biometric information (as the term is defined under the law) to provide written notice that (i) biometric data is being collected and stored; (ii) the specific purposes for the collection, storage, and use of the information; and (iii) the length of time for which the biometric data is being stored. A consumer must then provide written consent for the collection, storage, and use of the individual’s biometric data. The complaints allege that the companies did not satisfy any of the BIPA consent requirements. Rather, the companies allegedly failed to inform consumers about the particular purposes for which their data is collected, nor the length of time this data is stored, and failed to promulgate a publicly available policy regarding their biometric data collection protocols. The complainants seek class action certification, statutory damages, injunctive relief, and attorneys’ fees.

Takeaways

As we have previously reported, companies considering the use of biometric technologies must be prepared for a continued rise of class actions in this space. Biometric data is particularly sensitive and has accordingly attracted the attention of class action litigants and regulators alike. As new privacy laws incorporate provisions protecting biometric privacy, the claims by consumers and regulators are likely to increase. This case serves as a good reminder to review collection practices tied to collection of biometric data for compliance with BIPA and similar standards.

Our team is continuing to monitor cases in this space.