By Kelly Bonner, Gerald L. Maatman, Jr., and Gregory Tsonis
Duane Morris Takeaway – In another blow to retailers utilizing virtual try-on technology to enhance shopping experiences this holiday season, Judge Denise Cote for the U.S. District Court for the Southern District of New York recently denied in part Defendant Louis Vuitton North America, Inc.’s motion to dismiss proposed class action claims that its “Virtual Try-On” tool violated the Illinois Biometric Information Privacy Act (“BIPA”). In Theriot v. Louis Vuitton North America, Inc., Case No. 1:22 Civ. 02944, the Court rejected Defendant’s extraterritoriality argument, as well as claims that a third party not named in the lawsuit operated the “Virtual Try-On” tool and collected users’ biometric data. However, the Court dismissed Plaintiffs’ Section 15(a) claim that Defendant failed to develop and make publicly available a written policy for retaining and destroying biometric data on the grounds that Plaintiffs lacked Article III standing. The Court’s ruling in Theriot illustrates the continued risk for retailers from biometric data privacy lawsuits invoking the BIPA.
Case Background
Louis Vuitton North America (“Defendant”), a subsidiary of French luxury conglomerate LVMH, operates a website that features a “Virtual Try-On” tool, which allows users to visualize themselves in a particular pair of eyeglasses. Id. at 2. When a user clicks on the words, “Try On”, the tool automatically activates the user’s computer or phone camera to depict a live image of that user “wearing” the selected glasses in real-time, or allows the user to upload a photograph of his or her face. Id. at 2-3. While the tool is featured on Defendant’s website, it is operated by an application created by a third-party company, which was not named in this case, and incorporates that company’s proprietary technology to collect and process a user’s facial geometry. Id. at 3.
Plaintiffs, residents of Illinois, alleged that Defendant violated Section 15(b) of the BIPA by capturing users’ facial geometry without informing them how that data is collected, used, or retained. Plaintiffs also alleged that Defendant lacked a publicly-available written policy establishing how long such data is retained and when it is destroyed, in alleged violation of Section 15(a) of the BIPA. Plaintiffs filed a putative class action lawsuit against Defendant, alleging jurisdiction based on diversity and the Class Action Fairness Act, and seeking to represent a class of individuals that used the “Virtual Try-On” tool. Defendant moved to dismiss Plaintiffs’ amended complaint.
The Court’s Ruling On Defendant’s Motion To Dismiss
Defendant sought to dismiss Plaintiffs’ BIPA claims on three grounds, two of which the Court rejected.
The Court dismissed Plaintiffs’ Section 15(a) claim on the grounds that Plaintiffs lacked Article III standing. Id. at 8. Relying on the Seventh Circuit’s decision in Bryant v. Compass Group, which remanded Section 15(a) claims to state court because the company’s statutory duty was to the public generally, the Court concluded that because the company’s duty was not to the specific individuals whose biometric information is collected, but to the public generally, Plaintiffs failed to allege any particularized, individual harm. Id. The Court reasoned that “Plaintiffs’ § 15(a) claim is expressly based on the ‘failure to develop and make publicly available a written policy for retention and destruction of biometric identifiers,’ rather than on the unlawful retention of data after the initial purpose for collecting the data had been satisfied …. As the court held in Bryant, because the duty to develop and disclose a retention policy is owed to the public generally, plaintiffs have failed to allege a particularized harm sufficient for Article III standing.” Id.
Plaintiffs sought to analogize their case to another decision by the Seventh Circuit — Fox v. Dakkota Integrated Systems, LLC, in which the Seventh Circuit found that the plaintiff had standing to pursue her Section 15(a) claims where she alleged that the defendant not only failed to publish a retention policy, but unlawfully retained her biometric data, and such allegations were sufficient to allege an injury in fact for Article III standing. Id. at 9. But the Court rejected this comparison, noting that Plaintiffs’ amended complaint centered on Defendant’s alleged failure to develop and publish policies governing data collection and retention — not Defendant’s retention of the data. Id. The Court also rejected Plaintiffs’ alleged injury due to “the unknowing loss of control of …of biometric identifiers” and “violations of their privacy” as relevant to Plaintiffs’ Section 15(b) claim — not a Section 15(a) claim. Id. at 9-10.
However, the Court rejected both of Defendant’s arguments to dismiss Plaintiffs’ Section 15(b) claims.
First, the Court rejected Defendant’s argument that Plaintiffs “pleaded themselves out of court” by alleging that Defendant’s “Virtual Try On” tool was powered by a third party not party to the litigation, and that that third party is the entity that collects users’ biometric identifiers. Id. at 12. Instead, the Court concluded that Plaintiffs’ complaint sufficiently alleged that Defendant “collects detailed and sensitive biometric identifiers and information, including complete facial scans, of its users” and “takes active steps to collect users’ facial scans …. such as inviting users to take advantage of the Virtual Try-On tool.” Id. at 12-13.
Second, the Court found no basis to dismiss Plaintiffs’ Section 15(b) claim on extraterritoriality grounds even though, as Defendant argued, the events giving rise to Plaintiffs’ claims did not occur “primarily and substantially” in Illinois. Id. at 14. Instead, the Court concluded that Plaintiffs were “Illinois residents who used the Virtual Try-On Tool while in Illinois, and that there was no indication from Plaintiffs’ complaint that any other events relevant to their claims occurred elsewhere. Id.
Implications for Companies Using Biometric Equipment
The Court’s ruling in Theriot illustrates the continued risk for retailers from biometric data privacy lawsuits invoking the BIPA, and the resiliency of Section 15(b) claims despite efforts to dismiss at the pleading stage.
Notably, earlier lawsuits involving BIPA claims and eyewear have been dismissed under BIPA’s health care exemption, which exempts “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996,” including “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses.” See Opinion and Order at 7, Svobova v. Frames for America, Inc., No. 21-CV-5509 (N.D. Ill. Sept. 8, 2022) (concluding that plaintiff was a “patient receiving a health care service in a health care setting). But the issue of whether courts will apply BIPA’s health care exemption to luxury sunglasses is currently pending in the U.S. District Court for the Northern District of Illinois in Warmack v. Christian Dior, Inc., Case No. 1:22-CV-04633, while its application with respect to so-called “cosmeceuticals” and other luxury skincare products raises significant FDA regulatory concerns.
In the meantime, companies should implement proper safeguards and consent processes for the collection and retention of biometric data — particularly with respect to Illinois consumers or states considering similar legislation — and consider how they notify users and obtain consent regarding biometric data.