Virtual Beauty Makeovers and Privacy Investigation


Have you used the virtual online beauty makeover apps in beauty-product stores or makeup-testing programs on cosmetic websites? Do you live in Illinois?

When these sites obtain an image of you that allows you to try on different cosmetics, they may be taking scans of your features and face. 

Illinois has a Biometric Information Privacy Act (BIPA) that regulates what private businesses must do before they collect your biometrics and how they must handle or use them once they have them, and that requires them to eventually destroy them. But it appears that many of these sites don’t come anywhere near meeting the legal requirements.

Do You Qualify?

Here are some companies whose store apps or websites may not meet the legal requirements:

  • Estee Lauder
  • Nars
  • Laura Mercier
  • Maybelline
  • L’Oreal 
  • MAC
  • Nyx
  • Schwarzkopf
  • Mary Kay
  • DailyMakeover.com
  • Sephora
  • GlamST (from Ulta Beauty)
  • LiftMagic.com (for plastic surgery)

If you live in Illinois and you used one of these virtual makeover or makeup testing features, and a scan was made of your face, live or from a photo, you may qualify to start a class action under BIPA.

The Problem with Biometrics

Biometrics are often used as identifiers for individuals. For example, some employees are required to clock in or out at work through a palm scan or fingerprint.

But the storage and use of biometrics present problems that other identifiers and personal information don’t. For example, if your driver’s license or credit card number is stolen, you can get a new driver’s license or credit card with a different number. But you cannot get a new set of fingers with a different set of prints.

Also, what happens if the company storing your biometrics is threatened with going out of business? Can it sell its databases, including those with your information, to another party?

What BIPA Does

BIPA is a first attempt at regulating private businesses’ use of biometrics. It requires a number of things of them, including that they inform people of the specific purpose for which their biometrics are being collected and that they get a written release from those people to collect their biometrics. 

BIPA requires that private businesses apply at least the same level of security to the biometrics they store as they do to other important personal information. 

Private businesses must also publish a written policy, made available to the public, that specifies how long the biometrics will be kept on file and a plan for destroying them eventually. At most, businesses can only retain biometrics for three years after their last use for the original purpose.

Importantly, it also forbids private businesses from selling biometric information.

BIPA applies to things like retinal scans and facial recognition information as well as to fingerprints and hand scans.

However, because BIPA is an Illinois law, it only applies to people who live in Illinois.

Class Actions Have Already Been Filed

A number of class actions have already been filed against companies that are believed to have violated BIPA. Some bring suit against employers who do not follow the law for employees in Illinois. Others have been brought against major companies like Apple, Facebook, and Instagram who may have scanned the faces in photos posted, either for facial recognition or to build databases that will help them develop or improve facial recognition programs.

We’re all aware of the unacceptably high number of data breaches occurring in recent years. Our individual biometrics should not be put at more risk than necessary.

What We’re Investigating 

It may be that the only way these programs can accurately position blush, eye makeup, or lipstick on an image of a face is to scan and analyze that face.

One company that supplies such software claims that it analyzes 99 different points on a face; another claims to cite 200 “facial landmarks.” Can they do this on a live image, where you are sitting in front of your computer camera, moving around? Or must they take and have a still image to analyze?

And what happens to this image and the facial analysis when you leave the website? 

If you’ve used one or more of these makeover or makeup programs, fill out the form on this page and let us know what your experience was. If you qualify, an attorney will call you to ask for more information. This consultation is free. Note, however, that only persons who used these programs while living in Illinois are eligible.

Article Type: Investigation
Topic: Consumer
Tags: BIPA, Taking/Storing/Using Biometric Data, Your Privacy