A federal judge in Illinois recently ruled that online shoppers cannot sustain claims that a virtual try-on (VTO) tool that allegedly scans facial geometry to preview the look of sunglasses on their face violates the Biometric Information Privacy Act (BIPA or Privacy Act) because it falls into an exemption for “information captured from a patient in a health care setting.”

On February 10, 2023, U.S. District Judge Elaine Bucklo ruled in Warmack-Stillwell v. Christian Dior, Inc. that whether or not a consumer is using VTO tools for styling purposes, the Privacy Act’s “healthcare exemption” applies to the use of such tools to shop for sunglasses because sunglasses are medical devices that protect eyes from the sun.

The decision is at least the third federal court decision in recent years to dismiss, under the Privacy Act’s healthcare exemption, claims that concern virtual try-on technology commonly used by online eyewear sellers. The Privacy Act regulates a private entity’s collection, use, storage, transmission, and destruction of “biometric identifier” and “biometric information.”

Background

An online shopper filed a putative BIPA class action against fashion company Christian Dior over its alleged use of a VTO tool on its website that allowed online consumers to see how sunglasses would look on their faces. The VTO tool allegedly used a third-party application that scanned consumers’ facial geometry and purportedly sent that information to a server where it was stored for some amount of time.

The consumer alleged violations of the Privacy Act’s provisions that require an entity that collects biometric information, including a “scan of … face geometry,” to make publicly available a written policy for the retention and destruction of such data, obtain informed consent before capturing such data, and not profit from that data.

Healthcare Exemption

Judge Bucklo rejected the argument that the claims lacked subject-matter jurisdiction, but agreed with Christian Dior that the claims fell within the Privacy Act’s healthcare exemption. The act excludes “information captured from a patient in a health care setting” from the definitions of “biometric identifier” and “biometric information.”

The judge stated that “sunglasses, even if non-prescription, protect one’s eyes from the sun and are Class I medical devices under the Food & Drug Administration’s regulations.” Further, the judge stated that even if users may be “surprised” to learn that shopping for sunglasses online is a healthcare setting, the “relevant test” is not whether they subjectively understand but whether the test is an “objective application of the text of the exemption.” This is true regardless of “whether a consumer uses the [virtual try-on tool] in search of sunglasses mainly for style” or if it is used “to purchase sunglasses as protection from the sun’s rays.”

The judge further held that the exemption applied even though the shopper sought to purchase only nonprescription sunglasses, not prescription sunglasses or eyeglasses. The judge stated that prior cases looking at VTO tools to sell eyewear, which involved companies that sold prescription and nonprescription products, had “recognized that the virtual try-on tools were also used for non-prescription sunglasses.”

Bodily Fluids Donation Cases

Notably, Judge Bucklo further distinguished the virtual try-on eyewear cases from cases that have found that the healthcare exemption was inapplicable to other Privacy Act claims involving situations where individuals involved were donating bodily fluids for compensation. In those cases, courts have concluded that any biometric information allegedly collected was in relation to the sale of their fluids. Judge Bucklo stated that “the purpose—at least from the donors’ perspectives—was not” to seek healthcare but “to get paid,” whereas in eyewear cases consumers are seeking “to protect their physical health.”

While those distinguished cases may have applied the healthcare exemption too narrowly as a donor plainly undergoes a healthcare procedure which may benefit his or her “emotional well-being,” the distinction made by Judge Bucklo is significant. The distinction shows that claims over virtual try-on tools in the eyewear context are clearly covered by the healthcare exemption as such claims involve the collection of consumers’ facial geometry in order to fit medical devices in the form of eyewear to the consumers’ faces and the “patients” are not paid directly.

Key Takeaways

The Christian Dior case reinforces the applicability of the Privacy Act’s healthcare exemption to data collected from online tools that allow shoppers to virtually try on both prescription and nonprescription eyeglasses and sunglasses. The ruling is further significant as it suggests that similar online tools that collect biometric information from shoppers for other health and wellness products might also fit into the exemption.

Ogletree Deakins will continue to monitor and report on developments with respect to the Privacy Act cases before the Supreme Court of Illinois and will post updates on the firm’s Class Action, Cybersecurity and Privacy, Illinois, Retail, and Technology blogs. Important information for employers is also available via the firm’s webinar and podcast programs.