Federal Court In New York Rejects Louis Vuitton’s Motion To Dismiss BIPA Suit Over Virtual Try-On Tool

By Kelly Bonner, Gerald L. Maatman, Jr., and Gregory Tsonis

Duane Morris Takeaway – In another blow to retailers utilizing virtual try-on technology to enhance shopping experiences this holiday season, Judge Denise Cote for the U.S. District Court for the Southern District of New York recently denied in part Defendant Louis Vuitton North America, Inc.’s motion to dismiss proposed class action claims that its “Virtual Try-On” tool violated the Illinois Biometric Information Privacy Act (“BIPA”).  In Theriot v. Louis Vuitton North America, Inc., Case No. 1:22 Civ. 02944, the Court rejected Defendant’s extraterritoriality argument, as well as claims that a third party not named in the lawsuit operated the “Virtual Try-On” tool and collected users’ biometric data.  However, the Court dismissed Plaintiffs’ Section 15(a) claim that Defendant failed to develop and make publicly available a written policy for retaining and destroying biometric data on the grounds that Plaintiffs lacked Article III standing.  The Court’s ruling in Theriot illustrates the continued risk for retailers from biometric data privacy lawsuits invoking the BIPA.

Case Background

Louis Vuitton North America (“Defendant”), a subsidiary of French luxury conglomerate LVMH, operates a website that features a “Virtual Try-On” tool, which allows users to visualize themselves in a particular pair of eyeglasses.  Id. at 2.  When a user clicks on the words, “Try On”, the tool automatically activates the user’s computer or phone camera to depict a live image of that user “wearing” the selected glasses in real-time, or allows the user to upload a photograph of his or her face.  Id. at 2-3.  While the tool is featured on Defendant’s website, it is operated by an application created by a third-party company, which was not named in this case, and incorporates that company’s proprietary technology to collect and process a user’s facial geometry.  Id. at 3.

Plaintiffs, residents of Illinois, alleged that Defendant violated Section 15(b) of the BIPA by capturing users’ facial geometry without informing them how that data is collected, used, or retained.  Plaintiffs also alleged that Defendant lacked a publicly-available written policy establishing how long such data is retained and when it is destroyed, in alleged violation of Section 15(a) of the BIPA.  Plaintiffs filed a putative class action lawsuit against Defendant, alleging jurisdiction based on diversity and the Class Action Fairness Act, and seeking to represent a class of individuals that used the “Virtual Try-On” tool.  Defendant moved to dismiss Plaintiffs’ amended complaint.

The Court’s Ruling On Defendant’s Motion To Dismiss

Defendant sought to dismiss Plaintiffs’ BIPA claims on three grounds, two of which the Court rejected.

The Court dismissed Plaintiffs’ Section 15(a) claim on the grounds that Plaintiffs lacked Article III standing.  Id. at 8.  Relying on the Seventh Circuit’s decision in Bryant v. Compass Group, which remanded Section 15(a) claims to state court because the company’s statutory duty was to the public generally, the Court concluded that because the company’s duty was not to the specific individuals whose biometric information is collected, but to the public generally, Plaintiffs failed to allege any particularized, individual harm.  Id.  The Court reasoned that “Plaintiffs’ § 15(a) claim is expressly based on the ‘failure to develop and make publicly available a written policy for retention and destruction of biometric identifiers,’ rather than on the unlawful retention of data after the initial purpose for collecting the data had been satisfied …. As the court held in Bryant, because the duty to develop and disclose a retention policy is owed to the public generally, plaintiffs have failed to allege a particularized harm sufficient for Article III standing.”  Id.

Plaintiffs sought to analogize their case to another decision by the Seventh Circuit — Fox v. Dakkota Integrated Systems, LLC, in which the Seventh Circuit found that the plaintiff had standing to pursue her Section 15(a) claims where she alleged that the defendant not only failed to publish a retention policy, but unlawfully retained her biometric data, and such allegations were sufficient to allege an injury in fact for Article III standing.  Id. at 9.  But the Court rejected this comparison, noting that Plaintiffs’ amended complaint centered on Defendant’s alleged failure to develop and publish policies governing data collection and retention — not Defendant’s retention of the data.  Id.  The Court also rejected Plaintiffs’ alleged injury due to “the unknowing loss of control of …of biometric identifiers” and “violations of their privacy” as relevant to Plaintiffs’ Section 15(b) claim — not a Section 15(a) claim.  Id. at 9-10.

However, the Court rejected both of Defendant’s arguments to dismiss Plaintiffs’ Section 15(b) claims.

First, the Court rejected Defendant’s argument that Plaintiffs “pleaded themselves out of court” by alleging that Defendant’s “Virtual Try On” tool was powered by a third party not party to the litigation, and that that third party is the entity that collects users’ biometric identifiers.  Id.  at 12.  Instead, the Court concluded that Plaintiffs’ complaint sufficiently alleged that Defendant “collects detailed and sensitive biometric identifiers and information, including complete facial scans, of its users” and “takes active steps to collect users’ facial scans …. such as inviting users to take advantage of the Virtual Try-On tool.”  Id. at 12-13.

Second, the Court found no basis to dismiss Plaintiffs’ Section 15(b) claim on extraterritoriality grounds even though, as Defendant argued, the events giving rise to Plaintiffs’ claims did not occur “primarily and substantially” in Illinois.  Id. at 14.  Instead, the Court concluded that Plaintiffs were “Illinois residents who used the Virtual Try-On Tool while in Illinois, and that there was no indication from Plaintiffs’ complaint that any other events relevant to their claims occurred elsewhere.  Id.

Implications for Companies Using Biometric Equipment

The Court’s ruling in Theriot illustrates the continued risk for retailers from biometric data privacy lawsuits invoking the BIPA, and the resiliency of Section 15(b) claims despite efforts to dismiss at the pleading stage.

Notably, earlier lawsuits involving BIPA claims and eyewear have been dismissed under BIPA’s health care exemption, which exempts “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996,” including “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses.”  See Opinion and Order at 7, Svobova v. Frames for America, Inc., No. 21-CV-5509 (N.D. Ill. Sept. 8, 2022) (concluding that plaintiff was a “patient receiving a health care service in a health care setting). But the issue of whether courts will apply BIPA’s health care exemption to luxury sunglasses is currently pending in the U.S. District Court for the Northern District of Illinois in Warmack v. Christian Dior, Inc., Case No. 1:22-CV-04633, while its application with respect to so-called “cosmeceuticals” and other luxury skincare products raises significant FDA regulatory concerns.

In the meantime, companies should implement proper safeguards and consent processes for the collection and retention of biometric data — particularly with respect to Illinois consumers or states considering similar legislation — and consider how they notify users and obtain consent regarding biometric data.

Illinois Federal Court Rejects Efforts To Dismiss BIPA Claims Involving Virtual Try-On Technology

By Gerald L. Maatman, Jr., Gregory Tsonis, and Kelly Bonner

Duane Morris Takeaways – In a significant decision for retailers, Judge Manish Shah of the U.S. District Court for the Northern District of Illinois recently denied in part Defendant Estée Lauder’s motion to dismiss proposed class action claims that its consumer “try-on” technology violated the Illinois Biometric Information Privacy Act (“BIPA”).  The Court rejected Defendant’s personal jurisdiction argument, as well as claims that its website terms and conditions required Plaintiff to arbitrate her dispute, and that Plaintiff lacked standing to sue on behalf individuals that used websites Plaintiff herself did not visit. In a decision entitled Kukovec v. The Estée Lauder Companies, Inc., Case No. 22-CV-1988 (N.D. Ill.), the Court determined, however, that Plaintiff did not sufficiently plead that the cosmetics giant intentionally or recklessly violated consumers’ biometric privacy rights, and thereby dismissed those claims.  The ruling in Kukovec illustrates the ongoing legal risks for retailers in using “try-on” tech to enhance customer service.

Case Background

Too Faced Cosmetics, a cosmetics brand owned by Defendant Estée Lauder, operates a website featuring a try-on function to allows shoppers to virtually test its products.  When a shopper clicks a “Try It On” button, a pop-up box appears containing a disclaimer informing the shopper that their “image will be used to provide you with the virtual try-on experience” and a link to a privacy policy.  Id. at 4.  If the shopper selects the “Live Camera” option, the user’s computer camera is activated and the product is overlaid on part or all of the user’s face.  Id.

Plaintiff, an Illinois resident, alleged that Defendant’s try-on tool violated Section 15(b) of the BIPA by capturing users’ facial geometry without informing them how that data is collected, used, or retained.  Id. at 6.  Plaintiff also alleged that Defendant lacked a publicly-available written policy establishing how long such data is retained and when it is destroyed, in violation of Section 15(a) of the BIPA.  Id.  Plaintiff filed a putative class action lawsuit against Defendant, seeking to represent a class of individuals that used the virtual try-on tool not just on the Too Faced website, but also four other websites for Defendant’s other brands.  Id.  Defendant removed the case to federal court based on diversity jurisdiction and the Class Action Fairness Act, then moved to dismiss the complaint.

The Court’s Ruling On Defendant’s Motion To Dismiss

Defendant sought to dismiss Plaintiffs’ claims on four grounds, three of which the Court fully rejected.

First, Defendant argued that the Court lacked personal jurisdiction over it since its “Try On” tool was “geography neutral,” did not target Illinois consumers, and the mere accessibility of the tool to Illinois consumers lacked the substantial connection to Defendant’s sale of cosmetics and employees in Illinois.  Id. at 8.   The Court rejected this “overly narrow” interpretation of personal jurisdiction. It held that “[t]he try-on tool is part of [Defendant’s] cosmetics marketing and sales strategy,” since those that use the tool are also presented with buttons to add the products to their cart or send as a gift.  Id. at 9.

Second, Defendant argued that venue was improper because Plaintiff’s claims were subject to arbitration pursuant to a provision in its website’s terms and conditions.  Id. at 11.  Central to the issue of whether Plaintiff had constructive knowledge of the arbitration agreement was whether the terms and conditions were presented in “clickwrap” form, where a customer has to affirmatively check a box to assent (as courts generally uphold such assent), or “browsewrap” form, where a customer’s continued use of a website is taken as passive assent (and which require more detailed analysis).  Defendant’s website contained both clickwrap and browsewrap forms, but the Plaintiff only visited pages with browsewrap forms.  Id. at 12.  Users of the virtual try-on tool received a pop-up notification that had Too Faced’s privacy policy, not its terms and conditions, though the privacy policy contained a link to the terms and conditions.  Id.  On other pages, the terms and conditions were presented at the bottom of webpages “in the middle of fifteen links to other pages on the site and six links to social media platforms. . .”  Id.  The Court held such a website design insufficient to provide constructive notice, since a customer “could easily try the tool without once confronting the terms-and-conditions link.”  Id. at 14.  Further, the Court rejected Defendant’s argument that the Plaintiff had constructive notice because she recently filed two other BIPA-related lawsuits against TikTok and L’Oréal, noting that a website user “is not automatically on notice that any website she visits likely has terms and conditions just because she’s visited other websites that have them.”  Id. at 15.  Accordingly, the Court held that Plaintiff lacked constructive knowledge and that the arbitration clause could not be enforced against her.

Third, Defendant also sought to dismiss the complaint on the basis that it provided only “conclusory legal statements” and lacked sufficient facts establishing that Defendant captured users’ facial geometry, collected biometric data, or acted negligently, recklessly, or intentionally under the BIPA.  Id. at 16.  The Court disagreed. It found that the complaint “alleged enough to infer” that Defendant captured Plaintiff’s biometric information and “no intermediary separated the defendant from the collection of plaintiff’s facial geometry.”  Id. at 17.  However, since recklessness and intentionality require a specific state of mind that Plaintiff did not allege, the Court dismissed Plaintiff’s claims for reckless or intentional conduct, but allowed Plaintiff an opportunity to amend her complaint.  Id. at 18.

Finally, Defendant contended that since Plaintiff did not use the websites of its four other brands that utilize the virtual try-on tool, she lacked standing to sue on their behalf.  The Court noted that because no class had been certified, yet Defendant’s argument was premature. The Court reasoned that plaintiff “alleges an injury from a technology deployed across multiple websites” and that standing exists because Plaintiff’s injury “can be redressed by a decision in her favor.”  Id. at 20.

Implications For Companies Using Biometric Equipment

By allowing consumers to “try-on” products in a virtual environment, retailers increasingly rely on biometric data to provide hyper-personalized services and recreate the real-world shopping experience for the virtual world.  But as the popularity of try-on technology grows, so too does the legal risk from biometric data privacy lawsuits.  Since 2019, numerous retailers have been sued for violating the BIPA and other state biometric privacy laws for their use of try-on tech and other digital tools to personalize consumer recommendations.  The Kukovec decision highlights how new technologies expose companies to costly litigation, even when they take steps to notify consumers or mandate arbitration.  Companies should consider how they notify customers regarding try-on technology, ensure that their privacy policies stay current with evolving legislation and competing definitions of “biometric data,” and implement proper safeguards and consent processes.

Illinois Federal Court Holds Private University Is Exempt From BIPA Regulations

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

 Duane Morris Takeaway:  In an important ruling for higher education entities, Judge Robert Gettleman of the U.S. District Court for the Northern District of Illinois recently dismissed a student’s proposed class action alleging that Defendant’s remote test-proctoring software violated the Illinois Biometric Information Privacy Act (“BIPA”). The Court determined that Defendant DePaul University qualified as a financial institution exempt from the statute. Powell v. DePaul University, No. 21-C-3001, 2022 U.S. Dist. LEXIS 201296 (N.D. Ill. Nov. 4, 2022). Employers in the higher education space who are confronted with biometric privacy class actions can tuck this ruling away for potential use at the pleading stage.

Case Background

Plaintiff alleged that Defendant’s use of the Respondus Monitor, an online remote proctoring tool, violated the BIPA by capturing, using, and storing students’ facial recognition and other biometric identifiers and biometric information. Plaintiff specifically asserted that Defendant did not “disclose or obtain written consent before collecting, capturing, storing, or disseminating user’s biometric data, and failed to disclose what it does with that biometric data after collection, in violation of BIPA’s retention and destruction requirements. Id. at *2.

Defendant moved to dismiss the action pursuant to Rule 12(b)(6) for failure to state a claim. It argued that the BIPA’s express terms specify that it does not apply to financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”). Id. Defendant contended that since it was a participant in the U.S. Department of Education’s Federal Student Aid Program, it is considered a financial institution subject to Title V of the GLBA.  Defendant contended that both the Federal Trade Commission (“FTC”) and the Department of Education (“DOE”) have recognized that universities are considered financial institutions under the GLBA. Defendant also asserted that Title V rulemaking authority lies with the Consumer Financial Protection Bureau (“CFPB”), which adopted and republished the privacy rules originally promulgated by the FTC.  The FTC rules state that any institution “significantly engaged in financial activities” is a financial institution. Id. at *5.

Plaintiff argued that Defendant was not a financial institution, but rather was in the business of higher education. Thus, Plaintiff contended that Defendant was not subject to Title V, and therefore subject to the BIPA.

The Court’s Decision

The Court granted Defendant’s motion to dismiss.  First, the Court noted that at least five other district courts have ruled on the same issue and rejected Plaintiff’s argument, and have determined that the BIPA’s section 25(c) exemption for financial institutions applies to institutions of higher education. Id.

In support of its conclusion, the Court found that the guidance provided by the CFPB included examples demonstrating the word “significantly” means something less than “primary.” Id. at *8. Accordingly, the Court rejected Plaintiff’s argument that the exemption should not apply was because Defendant was not primarily in the financial business. Id.

The Court further explained that the DOE provided issued public guidance in 2020 reiterating that the GLBA required financial institutions to have information privacy protections, and that the FTC “has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA.” Id. at *4-5.

Additionally, the Court opined that the FTC’s rule, made in 2000 when it had enforcement and rulemaking authority under the GLBA, also considered universities to be financial institutions if they “appear to be significantly engaged in lending funds to consumers.” Id. at *6. The Court reasoned that the consistent interpretation of the statute by multiple entities was particularly persuasive in finding that the claims should be dismissed. For these reasons, the Court granted Defendant’s motion to dismiss Plaintiff’s claims with prejudice.

Implications For Employers

In the BIPA class action landscape, federal and state courts in Illinois have rejected many potential affirmative defenses that employers have used to try and stave off these massive cases. However, even though the exemption is somewhat narrow, higher education institutions now have a blueprint to attack BIPA class actions at the pleading stage.  Finally, to the extent states beyond Illinois enact similar privacy statutes, this ruling may be of use to higher education institutions in those states that are confronted with class actions.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress