The COVID-19 pandemic created high demand for at-home shopping solutions, including virtual tools to see what a certain item might look like on a shopper. These virtual tools, often used for trying on sunglasses or eyeglasses, or swatching a makeup sample, have led to lawsuits regarding the biometric data that these companies could be collecting. Attorneys allege that their clients’ biometric privacy rights have been violated by virtual try-on software by (1) collecting consumers’ biometric data and (2) failing to disclose to consumers how that data is handled once it is collected. Some states, such as Illinois, have created laws specifically protecting biometric data. The Illinois law, the Biometric Information Privacy Act (BIPA), requires the informed, written consent of users before the capture, use, and storage of biometric information. The law also mandates disclosure about an entity’s data collection practices and provides for a private cause of action. Other biometric data privacy laws around the country similarly require that companies get consumers’ explicit consent before collecting or using their biometric data. This means that retailers must inform consumers when and how their biometric data is being collected and provide them with an opportunity to decline collection.
More than fifteen virtual try-on cases have been filed since 2021, with most of the cases having to do with sunglass and eyeglass retailers. However, in the case of eyewear retailers specifically, BIPA may not apply. BIPA includes a “general health exemption” under which information captured from a patient in a health care setting, or information used or collected for health care treatment, payment, or operations is excluded from protection.
BIPA will continue to be an attractive vehicle for litigation. Companies should take action to protect themselves and should familiarize themselves with the biometric data privacy laws in their jurisdictions in addition to conducting a review of their existing language to make sure it complies with local laws and BIPA’s requirements. Companies should also consider implementing a user agreement prompt that must be accepted before a user can access the virtual try-on feature and that includes language on where the biometric data is being stored and for how long.