Illinois Federal Court Rejects Efforts To Dismiss BIPA Claims Involving Virtual Try-On Technology

By Gerald L. Maatman, Jr., Gregory Tsonis, and Kelly Bonner

Duane Morris Takeaways – In a significant decision for retailers, Judge Manish Shah of the U.S. District Court for the Northern District of Illinois recently denied in part Defendant Estée Lauder’s motion to dismiss proposed class action claims that its consumer “try-on” technology violated the Illinois Biometric Information Privacy Act (“BIPA”).  The Court rejected Defendant’s personal jurisdiction argument, as well as claims that its website terms and conditions required Plaintiff to arbitrate her dispute, and that Plaintiff lacked standing to sue on behalf individuals that used websites Plaintiff herself did not visit. In a decision entitled Kukovec v. The Estée Lauder Companies, Inc., Case No. 22-CV-1988 (N.D. Ill.), the Court determined, however, that Plaintiff did not sufficiently plead that the cosmetics giant intentionally or recklessly violated consumers’ biometric privacy rights, and thereby dismissed those claims.  The ruling in Kukovec illustrates the ongoing legal risks for retailers in using “try-on” tech to enhance customer service.

Case Background

Too Faced Cosmetics, a cosmetics brand owned by Defendant Estée Lauder, operates a website featuring a try-on function to allows shoppers to virtually test its products.  When a shopper clicks a “Try It On” button, a pop-up box appears containing a disclaimer informing the shopper that their “image will be used to provide you with the virtual try-on experience” and a link to a privacy policy.  Id. at 4.  If the shopper selects the “Live Camera” option, the user’s computer camera is activated and the product is overlaid on part or all of the user’s face.  Id.

Plaintiff, an Illinois resident, alleged that Defendant’s try-on tool violated Section 15(b) of the BIPA by capturing users’ facial geometry without informing them how that data is collected, used, or retained.  Id. at 6.  Plaintiff also alleged that Defendant lacked a publicly-available written policy establishing how long such data is retained and when it is destroyed, in violation of Section 15(a) of the BIPA.  Id.  Plaintiff filed a putative class action lawsuit against Defendant, seeking to represent a class of individuals that used the virtual try-on tool not just on the Too Faced website, but also four other websites for Defendant’s other brands.  Id.  Defendant removed the case to federal court based on diversity jurisdiction and the Class Action Fairness Act, then moved to dismiss the complaint.

The Court’s Ruling On Defendant’s Motion To Dismiss

Defendant sought to dismiss Plaintiffs’ claims on four grounds, three of which the Court fully rejected.

First, Defendant argued that the Court lacked personal jurisdiction over it since its “Try On” tool was “geography neutral,” did not target Illinois consumers, and the mere accessibility of the tool to Illinois consumers lacked the substantial connection to Defendant’s sale of cosmetics and employees in Illinois.  Id. at 8.   The Court rejected this “overly narrow” interpretation of personal jurisdiction. It held that “[t]he try-on tool is part of [Defendant’s] cosmetics marketing and sales strategy,” since those that use the tool are also presented with buttons to add the products to their cart or send as a gift.  Id. at 9.

Second, Defendant argued that venue was improper because Plaintiff’s claims were subject to arbitration pursuant to a provision in its website’s terms and conditions.  Id. at 11.  Central to the issue of whether Plaintiff had constructive knowledge of the arbitration agreement was whether the terms and conditions were presented in “clickwrap” form, where a customer has to affirmatively check a box to assent (as courts generally uphold such assent), or “browsewrap” form, where a customer’s continued use of a website is taken as passive assent (and which require more detailed analysis).  Defendant’s website contained both clickwrap and browsewrap forms, but the Plaintiff only visited pages with browsewrap forms.  Id. at 12.  Users of the virtual try-on tool received a pop-up notification that had Too Faced’s privacy policy, not its terms and conditions, though the privacy policy contained a link to the terms and conditions.  Id.  On other pages, the terms and conditions were presented at the bottom of webpages “in the middle of fifteen links to other pages on the site and six links to social media platforms. . .”  Id.  The Court held such a website design insufficient to provide constructive notice, since a customer “could easily try the tool without once confronting the terms-and-conditions link.”  Id. at 14.  Further, the Court rejected Defendant’s argument that the Plaintiff had constructive notice because she recently filed two other BIPA-related lawsuits against TikTok and L’Oréal, noting that a website user “is not automatically on notice that any website she visits likely has terms and conditions just because she’s visited other websites that have them.”  Id. at 15.  Accordingly, the Court held that Plaintiff lacked constructive knowledge and that the arbitration clause could not be enforced against her.

Third, Defendant also sought to dismiss the complaint on the basis that it provided only “conclusory legal statements” and lacked sufficient facts establishing that Defendant captured users’ facial geometry, collected biometric data, or acted negligently, recklessly, or intentionally under the BIPA.  Id. at 16.  The Court disagreed. It found that the complaint “alleged enough to infer” that Defendant captured Plaintiff’s biometric information and “no intermediary separated the defendant from the collection of plaintiff’s facial geometry.”  Id. at 17.  However, since recklessness and intentionality require a specific state of mind that Plaintiff did not allege, the Court dismissed Plaintiff’s claims for reckless or intentional conduct, but allowed Plaintiff an opportunity to amend her complaint.  Id. at 18.

Finally, Defendant contended that since Plaintiff did not use the websites of its four other brands that utilize the virtual try-on tool, she lacked standing to sue on their behalf.  The Court noted that because no class had been certified, yet Defendant’s argument was premature. The Court reasoned that plaintiff “alleges an injury from a technology deployed across multiple websites” and that standing exists because Plaintiff’s injury “can be redressed by a decision in her favor.”  Id. at 20.

Implications For Companies Using Biometric Equipment

By allowing consumers to “try-on” products in a virtual environment, retailers increasingly rely on biometric data to provide hyper-personalized services and recreate the real-world shopping experience for the virtual world.  But as the popularity of try-on technology grows, so too does the legal risk from biometric data privacy lawsuits.  Since 2019, numerous retailers have been sued for violating the BIPA and other state biometric privacy laws for their use of try-on tech and other digital tools to personalize consumer recommendations.  The Kukovec decision highlights how new technologies expose companies to costly litigation, even when they take steps to notify consumers or mandate arbitration.  Companies should consider how they notify customers regarding try-on technology, ensure that their privacy policies stay current with evolving legislation and competing definitions of “biometric data,” and implement proper safeguards and consent processes.

Illinois Federal Court Holds Private University Is Exempt From BIPA Regulations

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Alex W. Karasik

 Duane Morris Takeaway:  In an important ruling for higher education entities, Judge Robert Gettleman of the U.S. District Court for the Northern District of Illinois recently dismissed a student’s proposed class action alleging that Defendant’s remote test-proctoring software violated the Illinois Biometric Information Privacy Act (“BIPA”). The Court determined that Defendant DePaul University qualified as a financial institution exempt from the statute. Powell v. DePaul University, No. 21-C-3001, 2022 U.S. Dist. LEXIS 201296 (N.D. Ill. Nov. 4, 2022). Employers in the higher education space who are confronted with biometric privacy class actions can tuck this ruling away for potential use at the pleading stage.

Case Background

Plaintiff alleged that Defendant’s use of the Respondus Monitor, an online remote proctoring tool, violated the BIPA by capturing, using, and storing students’ facial recognition and other biometric identifiers and biometric information. Plaintiff specifically asserted that Defendant did not “disclose or obtain written consent before collecting, capturing, storing, or disseminating user’s biometric data, and failed to disclose what it does with that biometric data after collection, in violation of BIPA’s retention and destruction requirements. Id. at *2.

Defendant moved to dismiss the action pursuant to Rule 12(b)(6) for failure to state a claim. It argued that the BIPA’s express terms specify that it does not apply to financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (“GLBA”). Id. Defendant contended that since it was a participant in the U.S. Department of Education’s Federal Student Aid Program, it is considered a financial institution subject to Title V of the GLBA.  Defendant contended that both the Federal Trade Commission (“FTC”) and the Department of Education (“DOE”) have recognized that universities are considered financial institutions under the GLBA. Defendant also asserted that Title V rulemaking authority lies with the Consumer Financial Protection Bureau (“CFPB”), which adopted and republished the privacy rules originally promulgated by the FTC.  The FTC rules state that any institution “significantly engaged in financial activities” is a financial institution. Id. at *5.

Plaintiff argued that Defendant was not a financial institution, but rather was in the business of higher education. Thus, Plaintiff contended that Defendant was not subject to Title V, and therefore subject to the BIPA.

The Court’s Decision

The Court granted Defendant’s motion to dismiss.  First, the Court noted that at least five other district courts have ruled on the same issue and rejected Plaintiff’s argument, and have determined that the BIPA’s section 25(c) exemption for financial institutions applies to institutions of higher education. Id.

In support of its conclusion, the Court found that the guidance provided by the CFPB included examples demonstrating the word “significantly” means something less than “primary.” Id. at *8. Accordingly, the Court rejected Plaintiff’s argument that the exemption should not apply was because Defendant was not primarily in the financial business. Id.

The Court further explained that the DOE provided issued public guidance in 2020 reiterating that the GLBA required financial institutions to have information privacy protections, and that the FTC “has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA.” Id. at *4-5.

Additionally, the Court opined that the FTC’s rule, made in 2000 when it had enforcement and rulemaking authority under the GLBA, also considered universities to be financial institutions if they “appear to be significantly engaged in lending funds to consumers.” Id. at *6. The Court reasoned that the consistent interpretation of the statute by multiple entities was particularly persuasive in finding that the claims should be dismissed. For these reasons, the Court granted Defendant’s motion to dismiss Plaintiff’s claims with prejudice.

Implications For Employers

In the BIPA class action landscape, federal and state courts in Illinois have rejected many potential affirmative defenses that employers have used to try and stave off these massive cases. However, even though the exemption is somewhat narrow, higher education institutions now have a blueprint to attack BIPA class actions at the pleading stage.  Finally, to the extent states beyond Illinois enact similar privacy statutes, this ruling may be of use to higher education institutions in those states that are confronted with class actions.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress