Illinois State Flag

A federal judge in Illinois recently ruled that online shoppers cannot sustain claims that a virtual try-on (VTO) tool that allegedly scans facial geometry to preview the look of sunglasses on their face violates the Biometric Information Privacy Act (BIPA or Privacy Act) because it falls into an exemption for “information captured from a patient in a health care setting.”

On February 10, 2023, U.S. District Judge Elaine Bucklo ruled in Warmack-Stillwell v. Christian Dior, Inc. that whether or not a consumer is using VTO tools for styling purposes, the Privacy Act’s “healthcare exemption” applies to the use of such tools to shop for sunglasses because sunglasses are medical devices that protect eyes from the sun.

The decision is at least the third federal court decision in recent years to dismiss claims under the Privacy Act—which regulates a private entity’s collection, use, storage, transmission, and destruction of “biometric identifier” and “biometric information”—that concern virtual try-on technology commonly used by online eyewear sellers under the Privacy’s Act’s healthcare exemption.

Background

An online shopper filed a putative BIPA class action against fashion company Christian Dior over its alleged use of a VTO tool on its website that allowed online consumers to see how sunglasses would look on their faces. The VTO tool allegedly used a third-party application that scanned consumers’ facial geometry and purportedly sent that information to a server where it was stored some amount of time.

The consumer alleged violations of the Privacy Act’s provisions that require an entity that collects biometric information, including a “scan of … face geometry,” to make publicly available a written policy for the retention and destruction of such data, obtain informed consent before capturing such data, and not profit from that data.

Healthcare Exemption

Judge Bucklo rejected the argument that the claims lacked subject-matter jurisdiction, but agreed with Christian Dior that the claims fell within the Privacy Act’s healthcare exemption. The act excludes “information captured from a patient in a health care setting” from the definitions of “biometric identifier” and “biometric information.”

The judge stated that “sunglasses, even if non-prescription, protect one’s eyes from the sun and are Class I medical devices under the Food & Drug Administration’s regulations.” Further, the judge stated that even if users may be “surprised” to learn that shopping for sunglasses online is a healthcare setting, the “relevant test” is not whether they subjectively understand but whether the test is an “objective application of the text of the exemption.” This is true regardless of “whether a consumer uses the [virtual try-on tool] in search of sunglasses mainly for style” or if it is used “to purchase sunglasses as protection from the sun’s rays.”

The judge further held that the exemption applied even though she only sought to purchase nonprescription sunglasses, not prescription sunglasses or eyeglasses. The judge stated that prior cases looking at VTO tools to sell eyewear, which involved companies that sold prescription and nonprescription products, had “recognized that the virtual try-on tools were also used for non-prescription sunglasses.”

Bodily Fluids Donation Cases

Notably, Judge Bucklo further distinguished the virtual try-on eyewear cases from cases that have found that the healthcare exemption was inapplicable to other Privacy Act claims involving situations where individuals involved were donating bodily fluids for compensation. In those cases, courts have concluded that any biometric information allegedly collected was in relation to the sale of their fluids. Judge Bucklo stated that “the purpose—at least from the donors’ perspectives—was not” to seek healthcare but “to get paid,” whereas in eyewear cases consumers are seeking “to protect their physical health.”

While those distinguished cases may have applied the healthcare exemption too narrowly as a donor plainly undergoes a healthcare procedure which may benefit his or her “emotional well-being,” the distinction made by Judge Bucklo is significant. The distinction shows that claims over virtual try-on tools in the eyewear context are clearly covered by the healthcare exemption as such claims involve the collection of consumers’ facial geometry in order to fit medical devices in the form of eyewear to the consumers’ faces and the “patients” are not paid directly.

Key Takeaways

The Christian Dior case reinforces the applicability of the Privacy Act’s healthcare exemption to data collected from online tools that allow shoppers to virtually try on both prescription and nonprescription eye glasses and sunglasses. The ruling is further significant as it suggests that similar online tools that collect biometric information from shoppers for other health and wellness products might also fit into the exemption.

Ogletree Deakins will continue to monitor and report on developments with respect to the Privacy Act cases before the Supreme Court of Illinois and will post updates on the firm’s Class Action, Cybersecurity and Privacy, Illinois, Retail, and Technology blogs. Important information for employers is also available via the firm’s webinar and podcast programs.

Authors


Browse More Insights

Fingerprint Biometric Authentication Button. Digital Security Concept
Practice Group

Technology

Ogletree Deakins is uniquely situated to provide tech employers and users (the “TECHPLACE™”) with labor and employment advice, compliance counseling, and litigation services that embrace innovation and mitigate legal risk. Through our Technology Practice Group, we support clients in the exploration, invention, and/or implementation of new and evolving technologies to navigate the unique and emerging labor and employment issues present in the workplace.

Learn more
Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more
four businesspeople with suitcases walking across a concrete plaza
Practice Group

Class Action

Our class action lawyers are veterans. We have decades of experience handling numerous types of federal and state law class and collective actions, such as those arising under Title VII, the Age Discrimination in Employment Act, the Employee Retirement Income Security Act, and the Fair Labor Standards Act.

Learn more
Midsection of senior woman and female healthcare worker with hands stacked at retirement home
Industry Group

Healthcare

The attorneys in Ogletree Deakins’ Healthcare Industry Group understand the unique legal challenges facing healthcare industry clients that must balance vital and demanding work with numerous compliance regimes and heavy regulation.

Learn more
Inside a large shopping mall in Almaty
Industry Group

Retail

Ogletree Deakins is a retail industry leader with clients ranging from brick-and-mortar retailers to online merchants, and small businesses to Fortune 500 corporations. We represent companies in a range of retail sectors, including but not limited to: discount stores, department stores, luxury retailers, home goods and specialty stores, home improvement centers, grocers, pharmacies, online retailers…

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now