Dior Dismissed From Illinois BIPA Class Action Lawsuit Challenging Virtual Try-On Technology

By Kelly A. Bonner, Alex W. Karasik, Gerald L. Maatman, Jr., and Jennifer A. Riley

Duane Morris Takeaways: In a significant win for fashion and beauty retailers in the privacy class action space, in Warmack-Stillwell v. Christian Dior Inc., No. 1:22-CV-04633, 2023 U.S. Dist. LEXIS 22926 (N.D. Ill. Feb. 10, 2023), an Illinois federal court held that an exemption to the Illinois Biometric Information Privacy Act (“BIPA”) for data captured from a patient in a health care setting barred proposed class action claims alleging that luxury giant Christian Dior Inc.’s (“Dior”) virtual try-on tool (“VTOT”) violated the BIPA.

Businesses in Illinois, particularly online fashion and beauty retailers, can use this ruling to attack BIPA claims involving VTOT technology.

Case Background

As discussed in our previous publications, lawsuits involving BIPA claims and eyewear have been dismissed under one of BIPA’s statutory exemptions, which in relevant part excludes from its definitions of biometric identifiers and biometric information: (1) information captured from a patient in a health care setting; or (2) information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996, including prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses.

Plaintiff alleged that Dior maintained a VTOT feature on its website that collected users’ facial geometry data without first obtaining written consent or informing users of the purpose and length of time that their data was being collected in violation of Section 15(b) of BIPA. Plaintiff also alleged that Dior failed to provide a publicly available data retention and destruction schedule, as required by Section 15(a) of BIPA.

Dior moved to dismiss Plaintiff’s complaint on the basis that the BIPA’s health care exemption applied to non-prescription sunglasses, such as the ones sold by Dior and which the plaintiff alleged that she tried on with the VTOT technology, and thus precluded Plaintiff’s claims.

Plaintiff countered that the sunglasses were fashion accessories; Dior’s website was not a health care setting; and Dior’s consumers were not patients. Plaintiff also sought to distinguish prior decisions applying the BIPA’s health care exemption as focusing on the VTOT technology being used for prescription glasses, akin to optometrist fittings, and not in connection with the purchase of luxury sunglasses.  Id. at *8.

The Court’s Decision

The Court granted Dior’s motion to dismiss under Rule 12(b)(6).  First, the Court explained that Plaintiff qualified as a “patient in a health care setting” under the dictionary definition of the term “patient,” and that Dior’s VTOT feature “facilitates the provision of a medical device that protects vision.” Id. at *8.  Similarly, the Court held that use of the VTOT technology constituted “health care,” which the dictionary defined as “efforts made to maintain or restore physical, mental, or emotional well-being especially by trained and licensed professionals.”  Id. at *9.

In addition, the Court reasoned that the relevant test was “not a user’s subjective understanding, but rather an objective application of the text of the exemption.” Id. at *8-9.  The Court opined that the outcome of the analysis should not change if a consumer uses the VTOT in search of primarily stylish sunglasses rather than protective ones.

Plaintiff attempted to distinguish Dior’s website from a “health care setting” by arguing that “[a]n artist prepping a canvas is not providing a health care service if they use a scalpel instead of an Xacto knife.”  Id. at *9.  As to that point, the Court concluded that the VTOT feature facilitated the purchase of sunglasses to wear on one’s face and protect one’s eyes, thus performing the product’s intended medical function rather than an unconventional purpose.

Similarly, the Court rejected Plaintiff’s attempts to analogize her case to BIPA suits against blood plasma centers, in which courts rejected application of the health care exemption.  Even if the cases applied the same definitions of “health care” and “patient,” the Court concluded that the removal of plasma for commercial purposes is not “health care because the purpose — at least from the plasma donors’ perspectives — was not to ‘maintain or restore physical, mental or emotional well-being’; it was to get paid.”  Id. at *11.

Finally, the Court notably denied Dior’s motion to dismiss under Rule 12(b)(1), rejecting Dior’s argument that Plaintiff failed to allege an injury-in-fact sufficient for Article III standing. The Court concluded that Plaintiff sufficiently alleged an injury-in-fact under Section 15(a) because “unlawful retention of a person’s biometric data is as concrete and particularized an injury as an unlawful collection of a person’s biometric data.”  Id. at *11.

Accordingly, the Court granted Dior’s motion to dismiss on Rule 12(b)(6) grounds, but rejected Dior’s Article III standing argument and denied its motion based on Rule 12(b)(1).

Implications for Retailers

The Court’s decision in Warmack is a solid victory for fashion and apparel retailers, and indicates that courts are willing to expand the BIPA’s healthcare exemption to more retail-oriented environments, and adopt a plain reading of the statute rather than seeking to discern legislative intent. This ruling could have significant implications for personal care products retailers, especially those who utilize VTOT features to assess skin complaints such as aging and hyperpigmentation and to recommend treatments, and for whether those defenses will draw regulatory scrutiny for purported “drug” claims.

In the meantime, retailers should stay abreast of biometric data privacy laws in Illinois and beyond, and ensure that their privacy policies stay current with evolving nationwide legislation.

Federal Court In New York Rejects Louis Vuitton’s Motion To Dismiss BIPA Suit Over Virtual Try-On Tool

By Kelly Bonner, Gerald L. Maatman, Jr., and Gregory Tsonis

Duane Morris Takeaway – In another blow to retailers utilizing virtual try-on technology to enhance shopping experiences this holiday season, Judge Denise Cote for the U.S. District Court for the Southern District of New York recently denied in part Defendant Louis Vuitton North America, Inc.’s motion to dismiss proposed class action claims that its “Virtual Try-On” tool violated the Illinois Biometric Information Privacy Act (“BIPA”).  In Theriot v. Louis Vuitton North America, Inc., Case No. 1:22 Civ. 02944, the Court rejected Defendant’s extraterritoriality argument, as well as claims that a third party not named in the lawsuit operated the “Virtual Try-On” tool and collected users’ biometric data.  However, the Court dismissed Plaintiffs’ Section 15(a) claim that Defendant failed to develop and make publicly available a written policy for retaining and destroying biometric data on the grounds that Plaintiffs lacked Article III standing.  The Court’s ruling in Theriot illustrates the continued risk for retailers from biometric data privacy lawsuits invoking the BIPA.

Case Background

Louis Vuitton North America (“Defendant”), a subsidiary of French luxury conglomerate LVMH, operates a website that features a “Virtual Try-On” tool, which allows users to visualize themselves in a particular pair of eyeglasses.  Id. at 2.  When a user clicks on the words, “Try On”, the tool automatically activates the user’s computer or phone camera to depict a live image of that user “wearing” the selected glasses in real-time, or allows the user to upload a photograph of his or her face.  Id. at 2-3.  While the tool is featured on Defendant’s website, it is operated by an application created by a third-party company, which was not named in this case, and incorporates that company’s proprietary technology to collect and process a user’s facial geometry.  Id. at 3.

Plaintiffs, residents of Illinois, alleged that Defendant violated Section 15(b) of the BIPA by capturing users’ facial geometry without informing them how that data is collected, used, or retained.  Plaintiffs also alleged that Defendant lacked a publicly-available written policy establishing how long such data is retained and when it is destroyed, in alleged violation of Section 15(a) of the BIPA.  Plaintiffs filed a putative class action lawsuit against Defendant, alleging jurisdiction based on diversity and the Class Action Fairness Act, and seeking to represent a class of individuals that used the “Virtual Try-On” tool.  Defendant moved to dismiss Plaintiffs’ amended complaint.

The Court’s Ruling On Defendant’s Motion To Dismiss

Defendant sought to dismiss Plaintiffs’ BIPA claims on three grounds, two of which the Court rejected.

The Court dismissed Plaintiffs’ Section 15(a) claim on the grounds that Plaintiffs lacked Article III standing.  Id. at 8.  Relying on the Seventh Circuit’s decision in Bryant v. Compass Group, which remanded Section 15(a) claims to state court because the company’s statutory duty was to the public generally, the Court concluded that because the company’s duty was not to the specific individuals whose biometric information is collected, but to the public generally, Plaintiffs failed to allege any particularized, individual harm.  Id.  The Court reasoned that “Plaintiffs’ § 15(a) claim is expressly based on the ‘failure to develop and make publicly available a written policy for retention and destruction of biometric identifiers,’ rather than on the unlawful retention of data after the initial purpose for collecting the data had been satisfied …. As the court held in Bryant, because the duty to develop and disclose a retention policy is owed to the public generally, plaintiffs have failed to allege a particularized harm sufficient for Article III standing.”  Id.

Plaintiffs sought to analogize their case to another decision by the Seventh Circuit — Fox v. Dakkota Integrated Systems, LLC, in which the Seventh Circuit found that the plaintiff had standing to pursue her Section 15(a) claims where she alleged that the defendant not only failed to publish a retention policy, but unlawfully retained her biometric data, and such allegations were sufficient to allege an injury in fact for Article III standing.  Id. at 9.  But the Court rejected this comparison, noting that Plaintiffs’ amended complaint centered on Defendant’s alleged failure to develop and publish policies governing data collection and retention — not Defendant’s retention of the data.  Id.  The Court also rejected Plaintiffs’ alleged injury due to “the unknowing loss of control of …of biometric identifiers” and “violations of their privacy” as relevant to Plaintiffs’ Section 15(b) claim — not a Section 15(a) claim.  Id. at 9-10.

However, the Court rejected both of Defendant’s arguments to dismiss Plaintiffs’ Section 15(b) claims.

First, the Court rejected Defendant’s argument that Plaintiffs “pleaded themselves out of court” by alleging that Defendant’s “Virtual Try On” tool was powered by a third party not party to the litigation, and that that third party is the entity that collects users’ biometric identifiers.  Id.  at 12.  Instead, the Court concluded that Plaintiffs’ complaint sufficiently alleged that Defendant “collects detailed and sensitive biometric identifiers and information, including complete facial scans, of its users” and “takes active steps to collect users’ facial scans …. such as inviting users to take advantage of the Virtual Try-On tool.”  Id. at 12-13.

Second, the Court found no basis to dismiss Plaintiffs’ Section 15(b) claim on extraterritoriality grounds even though, as Defendant argued, the events giving rise to Plaintiffs’ claims did not occur “primarily and substantially” in Illinois.  Id. at 14.  Instead, the Court concluded that Plaintiffs were Illinois residents who used the Virtual Try-On Tool while in Illinois, and that there was no indication from Plaintiffs’ complaint that any other events relevant to their claims occurred elsewhere.  Id.

Implications for Companies Using Biometric Equipment

The Court’s ruling in Theriot illustrates the continued risk for retailers from biometric data privacy lawsuits invoking the BIPA, and the resiliency of Section 15(b) claims despite efforts to dismiss at the pleading stage.

Notably, earlier lawsuits involving BIPA claims and eyewear have been dismissed under BIPA’s health care exemption, which exempts “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996,” including “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses.”  See Opinion and Order at 7, Svobova v. Frames for America, Inc., No. 21-CV-5509 (N.D. Ill. Sept. 8, 2022) (concluding that plaintiff was a “patient receiving a health care service in a health care setting”). But the issue of whether courts will apply BIPA’s health care exemption to luxury sunglasses is currently pending in the U.S. District Court for the Northern District of Illinois in Warmack v. Christian Dior, Inc., Case No. 1:22-CV-04633, while its application with respect to so-called “cosmeceuticals” and other luxury skincare products raises significant FDA regulatory concerns.

In the meantime, companies should implement proper safeguards and consent processes for the collection and retention of biometric data — particularly with respect to Illinois consumers or states considering similar legislation — and consider how they notify users and obtain consent regarding biometric data.

Anti-Aging Claims Can Be a Legal Risk as Highlighted by L’Oreal Case

Duane Morris Takeaways: In Lopez, et al. v. L’Oréal USA Inc., Case No. 21 Civ. 7300 (S.D.N.Y. Sept. 27, 2022), Judge Andrew Carter of the U.S. District Court for the Southern District of New York denied L’Oréal’s motion to dismiss putative class claims that it misled consumers regarding the nature of the collagen ingredients and their effects in its products. Companies should heed this ruling as a cautionary tale about the potential for liability when making anti-aging claims that can be misconstrued by consumers as overbroad.

It is a truth universally acknowledged that a woman over 30 must be in want of an eye cream. Or a serum. Or anything, really, so long as it recreates the appearance of youth, vitality or an actual night’s sleep.

The global market for anti-aging cosmetics is expected to reach $93.1 billion by 2027. But as illustrated by a recent decision from the U.S. District Court for the Southern District of New York, Lopez v. L’Oréal USA Inc., promises that a product can turn back time by “restoring skin” or “promot[ing] cell regeneration” can prove costly for brands looking to capitalize on this growing market.

Brands should be mindful of litigation and regulatory risk when making certain anti-aging claims.

To read the full text of this article by Duane Morris associate Kelly Bonner, which was originally published in Law360, please visit the firm website.

Illinois Federal Court Rejects Efforts To Dismiss BIPA Claims Involving Virtual Try-On Technology

By Gerald L. Maatman, Jr., Gregory Tsonis, and Kelly Bonner

Duane Morris Takeaways – In a significant decision for retailers, Judge Manish Shah of the U.S. District Court for the Northern District of Illinois recently denied in part Defendant Estée Lauder’s motion to dismiss proposed class action claims that its consumer “try-on” technology violated the Illinois Biometric Information Privacy Act (“BIPA”).  The Court rejected Defendant’s personal jurisdiction argument, as well as claims that its website terms and conditions required Plaintiff to arbitrate her dispute, and that Plaintiff lacked standing to sue on behalf of individuals that used websites Plaintiff herself did not visit. In a decision entitled Kukovec v. The Estée Lauder Companies, Inc., Case No. 22-CV-1988 (N.D. Ill.), the Court determined, however, that Plaintiff did not sufficiently plead that the cosmetics giant intentionally or recklessly violated consumers’ biometric privacy rights, and thereby dismissed those claims.  The ruling in Kukovec illustrates the ongoing legal risks for retailers in using “try-on” tech to enhance customer service.

Case Background

Too Faced Cosmetics, a cosmetics brand owned by Defendant Estée Lauder, operates a website featuring a try-on function that allows shoppers to virtually test its products.  When a shopper clicks a “Try It On” button, a pop-up box appears containing a disclaimer informing the shopper that their “image will be used to provide you with the virtual try-on experience” and a link to a privacy policy.  Id. at 4.  If the shopper selects the “Live Camera” option, the user’s computer camera is activated and the product is overlaid on part or all of the user’s face.  Id.

Plaintiff, an Illinois resident, alleged that Defendant’s try-on tool violated Section 15(b) of the BIPA by capturing users’ facial geometry without informing them how that data is collected, used, or retained.  Id. at 6.  Plaintiff also alleged that Defendant lacked a publicly-available written policy establishing how long such data is retained and when it is destroyed, in violation of Section 15(a) of the BIPA.  Id.  Plaintiff filed a putative class action lawsuit against Defendant, seeking to represent a class of individuals that used the virtual try-on tool not just on the Too Faced website, but also four other websites for Defendant’s other brands.  Id.  Defendant removed the case to federal court based on diversity jurisdiction and the Class Action Fairness Act, then moved to dismiss the complaint.

The Court’s Ruling On Defendant’s Motion To Dismiss

Defendant sought to dismiss Plaintiff’s claims on four grounds, three of which the Court fully rejected.

First, Defendant argued that the Court lacked personal jurisdiction over it since its “Try On” tool was “geography neutral,” did not target Illinois consumers, and the mere accessibility of the tool to Illinois consumers lacked the substantial connection to Defendant’s sale of cosmetics and employees in Illinois.  Id. at 8.   The Court rejected this “overly narrow” interpretation of personal jurisdiction. It held that “[t]he try-on tool is part of [Defendant’s] cosmetics marketing and sales strategy,” since those that use the tool are also presented with buttons to add the products to their cart or send as a gift.  Id. at 9.

Second, Defendant argued that venue was improper because Plaintiff’s claims were subject to arbitration pursuant to a provision in its website’s terms and conditions.  Id. at 11.  Central to the issue of whether Plaintiff had constructive knowledge of the arbitration agreement was whether the terms and conditions were presented in “clickwrap” form, where a customer has to affirmatively check a box to assent (as courts generally uphold such assent), or “browsewrap” form, where a customer’s continued use of a website is taken as passive assent (and which require more detailed analysis).  Defendant’s website contained both clickwrap and browsewrap forms, but the Plaintiff only visited pages with browsewrap forms.  Id. at 12.  Users of the virtual try-on tool received a pop-up notification that had Too Faced’s privacy policy, not its terms and conditions, though the privacy policy contained a link to the terms and conditions.  Id.  On other pages, the terms and conditions were presented at the bottom of webpages “in the middle of fifteen links to other pages on the site and six links to social media platforms. . .”  Id.  The Court held such a website design insufficient to provide constructive notice, since a customer “could easily try the tool without once confronting the terms-and-conditions link.”  Id. at 14.  Further, the Court rejected Defendant’s argument that the Plaintiff had constructive notice because she recently filed two other BIPA-related lawsuits against TikTok and L’Oréal, noting that a website user “is not automatically on notice that any website she visits likely has terms and conditions just because she’s visited other websites that have them.”  Id. at 15.  Accordingly, the Court held that Plaintiff lacked constructive knowledge and that the arbitration clause could not be enforced against her.

Third, Defendant also sought to dismiss the complaint on the basis that it provided only “conclusory legal statements” and lacked sufficient facts establishing that Defendant captured users’ facial geometry, collected biometric data, or acted negligently, recklessly, or intentionally under the BIPA.  Id. at 16.  The Court disagreed. It found that the complaint “alleged enough to infer” that Defendant captured Plaintiff’s biometric information and “no intermediary separated the defendant from the collection of plaintiff’s facial geometry.”  Id. at 17.  However, since recklessness and intentionality require a specific state of mind that Plaintiff did not allege, the Court dismissed Plaintiff’s claims for reckless or intentional conduct, but allowed Plaintiff an opportunity to amend her complaint.  Id. at 18.

Finally, Defendant contended that since Plaintiff did not use the websites of its four other brands that utilize the virtual try-on tool, she lacked standing to sue on their behalf.  The Court noted that because no class had yet been certified, Defendant’s argument was premature. The Court reasoned that plaintiff “alleges an injury from a technology deployed across multiple websites” and that standing exists because Plaintiff’s injury “can be redressed by a decision in her favor.”  Id. at 20.

Implications For Companies Using Biometric Equipment

By allowing consumers to “try-on” products in a virtual environment, retailers increasingly rely on biometric data to provide hyper-personalized services and recreate the real-world shopping experience for the virtual world.  But as the popularity of try-on technology grows, so too does the legal risk from biometric data privacy lawsuits.  Since 2019, numerous retailers have been sued for violating the BIPA and other state biometric privacy laws for their use of try-on tech and other digital tools to personalize consumer recommendations.  The Kukovec decision highlights how new technologies expose companies to costly litigation, even when they take steps to notify consumers or mandate arbitration.  Companies should consider how they notify customers regarding try-on technology, ensure that their privacy policies stay current with evolving legislation and competing definitions of “biometric data,” and implement proper safeguards and consent processes.
