
By: Penny Pathanaporn
Introduction
Have you ever had a shade match done at Sephora by a sales associate or used a virtual try-on tool on a cosmetics website to visualize how a certain lipstick might look on your features? These tools are integral to the shopping experience; they help shoppers like you and me decide which products to add to our carts and which products to skip. But what if I told you that these tools could also raise important legal questions relating to biometric data collection?
Overview of U.S. Biometric Privacy Laws
In the United States, only state-level legislation that specifically addresses biometric privacy has been enacted; no federal law currently does so. Since 2023, at least eleven states have introduced legislation to regulate the collection of biometric data by private companies. However, only three states—Washington, Texas, and Illinois—have enacted legislation that regulates biometric privacy. Out of the four laws, Illinois’ Biometric Information Privacy Act (BIPA) is the most robust as it allows plaintiffs to bring private lawsuits for BIPA violations and claim statutory damages.
While Washington’s My Health My Data Act (MHMDA) also allows plaintiffs to bring private lawsuits, plaintiffs can only claim actual damages. Actual damages are calculated by the degree of loss or harm a plaintiff experiences. Unfortunately, in cases of non-consensual data collection, actual damages can be fairly difficult to prove. Texas’ biometric privacy law—namely, the Capture or Use of Biometric Identifier Act (CUBI)—is also fairly limited in scope. CUBI only covers the collection of biometric information for commercial use and does not provide a private right of action to individuals.
What is BIPA?
Private entities that conduct business in Illinois, whether or not they are incorporated or headquartered in the state, are subject to BIPA. While “person[s], partnership[s], corporation[s], limited liability compan[ies] . . . [and] other group[s]” constitute private entities under BIPA, state and local governments, governmental agents, and government contractors do not. Under BIPA, the following identifiers constitute biometric information: “fingerprints, voice prints, retina scans, hand scans, or face geometry.”
Generally, BIPA prohibits private entities from selling or deriving profits from individuals’ biometric data. Additionally, before collecting biometric information, BIPA requires private entities to (1) inform individuals of the type of data being obtained, (2) provide individuals with written information on why the data is being collected and the duration for which the data will be stored, and (3) acquire individuals’ consent in writing.
Charlotte Tilbury Beauty Class Action Lawsuit
Between 2019 and 2023, Charlotte Tilbury Beauty—a cosmetics company—offered virtual try-on tools such as “Foundation Shade Finder,” “Highlight Shade Finder,” and “Blush Finder” on its website. When using the virtual try-on tools, consumers were prompted to enable camera access and allow the website to scan their face in real time before digital makeup effects were rendered.
In 2022, consumers with ties to Illinois filed a class action lawsuit against Charlotte Tilbury Beauty, alleging that the company violated BIPA by collecting biometric information without prior consent. Plaintiffs claimed that when using the virtual try-on tools, the cosmetics company’s website failed to inform or disclose to them that their facial geometry scans were being captured, archived, and used.
In 2024, Charlotte Tilbury Beauty reached a $2.925 million settlement. As part of the settlement, individual plaintiffs may be entitled to compensation ranging from $700 to $1,100. Interestingly, settlement amounts for biometric data privacy cases can reach as high as $650 million, as seen in the class action lawsuit against Facebook.
E.L.F. Beauty Class Action Lawsuit
Like Charlotte Tilbury Beauty, another cosmetics company, E.L.F. Beauty, has also recently come under legal scrutiny for its virtual try-on tool. Consumers of E.L.F. Beauty filed a class action lawsuit against the company in 2024. Plaintiffs alleged that the beauty company collected, saved, and used their facial geometry through the virtual try-on tool without obtaining consumer consent. The District Court for the Northern District of Illinois, Eastern Division, allowed the lawsuit to proceed by denying E.L.F. Beauty’s request to compel arbitration.
Although the outcome of this case remains uncertain, the class action lawsuits filed against both Charlotte Tilbury Beauty and E.L.F. Beauty show that cosmetics companies must proceed with caution when conducting business in states with robust biometric privacy laws.
BIPA Amendment: A Silver Lining?
Class action lawsuits arising from BIPA violations can be quite costly for private companies, especially if statutory damages are calculated per violation. The Illinois legislature alleviated this concern by amending BIPA in August 2024. Under the amendment, BIPA violations are calculated per individual rather than per instance of data collection. This means that, in all circumstances, each plaintiff is only entitled to one award of statutory damages. Statutory damages amounts are set by statutes and are not determined by the degree of loss or harm a plaintiff experiences.
Although the amendment provides a silver lining for private entities such as Charlotte Tilbury Beauty and E.L.F. Beauty, significant uncertainties remain when it comes to BIPA-related litigation. Judges in the Northern District of Illinois have expressed contrasting views on whether the terms of the BIPA amendment should be applied retroactively.
For many private entities, BIPA-related litigation still poses many risks. Companies that violated BIPA before the amendment may be liable for each individual instance of biometric data collection. This uncertainty could perhaps be one of the key factors that pushed Charlotte Tilbury Beauty to enter into a hefty settlement agreement.
The Future of the Cosmetics Industry
Given how expensive litigation can be, private companies operating in states with robust biometric privacy laws should tread carefully before implementing tools that capture or archive consumers’ biometric information. Many websites already use scrollable Terms and Conditions that require consumers to check a box or provide an electronic signature to confirm that they consent to the terms. Because virtual try-on tools are integral to the beauty industry, cosmetics companies might consider implementing consent mechanisms to continue offering these services. Such mechanisms will not only protect companies from potential liability but will also enable consumers to make informed choices when shopping for beauty products.