Virtual Try-On Tools: Can you stop brands trying it on with consumers?

Virtual try-on tools, also known as virtual fitting rooms, are becoming more prevalent in the world of fashion, accessories and cosmetics. 

Using augmented reality and artificial intelligence, they enable customers to upload a photo of themselves – or allow a website or app access to the customer's device camera to take a photo – to digitally render how a certain garment, accessory or cosmetic will look on their own face or body. The aim of these virtual try-on tools is to improve and streamline the customer shopping experience, boost sales, and reduce the number of returns made by customers who, having tried on an item after they have purchased it, decide it does not suit or fit them. Virtual try-on tools can be used from the comfort of a customer's home or in-store - a particular perk in the cosmetics industry, which has historically relied on the dreaded 'tester' product - a Covid nightmare.

New disruptive innovations spark litigation

New technology, however, comes with new risks. In the US, four individuals have filed a class action complaint in the US District Court for the Northern District of Illinois against Estée Lauder, Bobbi Brown, Smashbox and Too Faced, alleging that the virtual make-up try-on tools of these brands collect facial scans without user consent as required under the State of Illinois’ Biometric Information Privacy Act of 2008 (BIPA). Illinois has among the strictest laws in the world around the collection of biometric data—i.e., unique physical characteristics, such as facial patterns, hand geometry, and iris—and gives individuals a right of action in the courts for violations. 

Under BIPA, businesses cannot "collect, capture, purchase, receive through trade, or otherwise obtain" an individual's biometric data without first notifying the individual in writing of the business's collection, retention and storage practices and obtaining written consent. The claimants in this case say that customers can use the virtual-try on tools for make-up and cosmetics by enabling access to their device camera, allowing the brands' websites to create a live video feed of that customer's face using biometric data and, using augmented reality, overlay the relevant cosmetic product. 

The problem here, however, is that the claimants allege that, unbeknownst to users of the tool, the brands collect biometric data, specifically facial geometry, without first obtaining consent or informing them that such data is being collected. The claimants say that while users are informed that their image will be used for the virtual try-on tool and a link to the privacy policy is included, the brands do not ask users to agree to or otherwise state that they will be bound by the site's terms. Additionally, the claimants allege that the brands do not have the requisite publicly available written guidelines for retention and destruction of biometric data. In addition to seeking an injunction, the claimants have asked for damages of over $5,000,000 USD.

The importance of complying with global data privacy rules

While the outcome of this case is yet to be seen, it raises a very important issue for emerging and established fashion, accessories and cosmetics brands alike. The benefits of virtual try-on tools are clear, but data protection obligations must always be borne in mind. The aforementioned case concerns Illinois, but this is not the only place where processing of biometric data can cause problems. In the EU and UK, GDPR classes biometric data as special category data, meaning it is afforded even greater protection than standard personal data. Companies collecting biometric data, whether for virtual try-on tools or otherwise, must, among other obligations, ensure they have compliant data protection policies and procedures, conduct a data protection impact assessment to the extent required, have in place security measures to protect the integrity and privacy of the collected data, and provide data protection training to relevant employees.

Breach of data protection laws can land companies with massive fines and serious reputational damage. By adhering to data protection obligations (and other applicable laws), brands can be at the forefront of emerging technologies whilst still protecting the integrity of their customers' personal data.