On September 8, 2022, an Illinois federal judge dismissed with prejudice a Biometric Information Privacy Act (Privacy Act or BIPA) class action against an online eyewear retailer over its virtual try-on (VTO) tool, which consumers used to try-on eyewear. It held that the Privacy Act did not regulate the virtual try-on tool because it falls under the Privacy Act’s “health care exemption.”
Frames for America, Inc. sells both prescription and non-prescription eyewear and sunglasses through its website FramesDirect.com. The website offered consumers a feature that allowed them to virtually try on glasses or sunglasses. According to the complaint, the VTO tool used software to scan a consumer’s facial geometry from a photograph uploaded by the consumer and then to digitally place the eyewear over the consumer’s face.
Tanya Svoboda, who used the VTO in January 2018, filed a class action in September 2021, which alleged that Frames for America collected and used scans of her facial geometry without first complying with the Privacy Act’s policy and informed consent requirements. The Privacy Act regulates a private entity’s collection, use, storage, transmission, and destruction of “biometric identifiers” and “biometric information.” Biometric identifiers include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” while biometric information is “information … based on an individual’s biometric identifier used to identify an individual.” The Privacy Act contains an exemption for “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.”
U.S. District Judge Harry Leinenweber granted Frames for America’s motion to dismiss, finding that Svoboda “was a patient receiving a health care service in a health care setting” when she used the VTO tool even though she alleged that she did not request any medical treatment, consult an eye doctor, or ultimately purchase any eyewear. The judge emphasized that “prescription lenses, non-prescription sunglasses, and frames meant to hold prescription lenses are all Class I medical devices. 21 C.F.R. §§ 886.5842-50.” He explained that seeking prescription or non-prescription eyewear is a form of health care because it maintains or restores physical well-being by correcting or protecting vision. The judge added that the virtual try-on tool provided fit and evaluation services similar to that offered in optometrists’ offices.
The case is only the second time a Privacy Act claim has been dismissed under the health care exemption in a suit involving virtual try-on technology. The ruling suggests that the health care exemption could be applicable in other Privacy Act lawsuits involving VTO or similar technology, particularly those against retailers that sell health or well-being products.
Ogletree Deakins represented the defendant Frames for America in the case and will continue to monitor this wave of biometric privacy class action litigation. Look for posts or updates to our Retail, Technology, and Cybersecurity and Privacy blogs. Important information for employers is also available via the firm’s webinar and podcast programs.