Applying BIPA’s Health Care Exemption to Virtual Try-On Technologies in Light of Dior Dismissal
A recent putative class action case against luxury brand Christian Dior sheds light on the health care exemption in the Illinois Biometric Privacy Act (BIPA). In Delma Warmack-Stillwell v. Christian Dior Inc., the plaintiff alleged Dior’s virtual try-on feature for sunglasses violated BIPA’s requirements to (1) provide notice and obtain informed consent before collecting an individual’s biometric data; (2) have a written retention and deletion policy for biometric data; and (3) not sell, lease, trade, or otherwise profit from an individual’s biometric data.[1] The Northern District of Illinois dismissed the case, finding that the feature fell within BIPA’s health care exemption.[2]
Retailers are increasingly offering the ability to virtually try on clothes, makeup, and accessories through their websites and apps. Often this is done through collection and storage of a consumer’s biometric information, which allows the software to overlay and visualize products on the consumer.
As a refresher, BIPA is the most comprehensive biometric data privacy law in the United States. BIPA applies to biometric information “based on an individual’s biometric identifier used to identify an individual,” and defines a “biometric identifier” as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”[3]
Under the statute, before collecting and/or possessing an individual’s biometric identifier or information, a company must (1) provide notice and obtain consent prior to collecting or otherwise obtaining biometric data; (2) not sell or lease the data for profit, or disclose it, except under limited circumstances; (3) maintain a written policy on the length and purpose of its retention of biometric data; and (4) protect such data as it would protect any other sensitive data. Because the law provides a private right of action for any “person aggrieved” by a violation, BIPA lawsuits have exploded in recent years. Within the fashion retail space, Estée Lauder and Louis Vuitton are defending their own virtual try-on features in BIPA litigation.[4]
BIPA’s health care exemption provides that “[b]iometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.”[5]
Dior offers a virtual try-on tool on its website that allows a consumer to visualize how a pair of sunglasses will look by accessing the consumer’s web camera and displaying a real-time image of the glasses on the user’s face.[6] To do this, Dior scans the user’s face, captures the user’s facial geometry, and then collects that data and transfers it to a third-party application, which stores the data.[7]
The plaintiff alleged that these activities violated BIPA because facial geometry is a biometric identifier protected by BIPA and Dior failed to (1) “inform its website users in writing” that their biometric data would be collected through Dior’s try-on tool; (2) secure express consent for the data’s use; and (3) “develop, possess, publish to its website users, or comply” with a written retention and destruction policy.[8] She also alleged the company was improperly profiting from biometric data by using the data to increase sales of its sunglasses.
Dior moved to dismiss the complaint, arguing in part that the try-on tool fell within BIPA’s health care exemption,[9] which covers “information captured from a patient in a health care setting.” Dior argued that because sunglasses are medical devices, its users were “patients” and therefore the biometric information collected in the try-on process was “captured from a patient in a health care setting.”[10]
The plaintiff argued that she could not be considered a “patient” within the meaning of the statute because she sought non-prescription sunglasses.[11] The Court disagreed, finding that because non-prescription sunglasses “protect one’s eyes from the sun and are Class I medical devices under the Food & Drug Administration’s regulations,”[12] by using Dior’s software, the plaintiff was an individual seeking medical care and qualified as a “patient.”[13] The Court concluded that Dior’s provision of a virtual try-on tool constituted “health care” under BIPA regardless of whether it was used for stylistic or protective reasons.[14] The Court consequently granted Dior’s motion to dismiss on 12(b)(6) grounds.[15]
The Warmack decision represents a significant win for retailers that may similarly be able to apply BIPA’s health care exemption. Companies that use try-on tools that leverage facial scans for dermatology and skincare needs, or full-body scans for clothing, might be better positioned to defend against BIPA class actions using this exemption.
Even if a company may have grounds to rely on the health care exemption, it is still important to carefully review virtual try-on technology for BIPA applicability and compliance. Companies should carefully consider their notice and consent processes and biometric storage approaches, notwithstanding the recent Dior decision.
[1] Warmack v. Christian Dior, Inc., No. 1:22-cv-04633, Dkt. No. 29 at 3 (Feb. 10, 2023).
[2] Id. at 12.
[3] See 740 ILCS 14/ Biometric Information Privacy Act. (ilga.gov).
[4] See Estée Lauder Must Face Bulk Of Makeup Try-On BIPA Suit - Law360; Louis Vuitton Must Face BIPA Suit Over Virtual Try-On Tool - Law360.
[5] See 740 ILCS 14/ Biometric Information Privacy Act. (ilga.gov).
[6] See Warmack v. Christian Dior, Inc., No. 1:22-cv-04633, Dkt. No. 29 at 1-2 (Feb. 10, 2023).
[7] Id. at 2.
[8] See Warmack v. Christian Dior, Inc., No. 1:22-cv-04633, Dkt. No. 1 at 25-30 (Feb. 10, 2023).
[9] See Warmack v. Christian Dior, Inc., No. 1:22-cv-04633, Dkt. No. 19 at 4-6 (Feb. 10, 2023).
[10] Id.
[11] See Warmack v. Christian Dior, Inc., No. 1:22-cv-04633, Dkt. No. 29 at 8 (Feb. 10, 2023).
[12] Id.
[13] Id.
[14] Id. at 8-9.
[15] Id. at 12.