A federal judge has determined eyeglass sellers are exempt from Illinois’ biometric privacy law because their virtual try-on software qualifies as provision of health care, even if customers are only shopping for sunglasses.
Her ruling follows the path of other federal judges who determined the Illinois Biometric Information Privacy Act doesn’t apply to websites where a user uploads a photo of their face, then places images of eyeglasses on the face photo to determine how they might look wearing the products. Judge Charles Kocoras dismissed a similar complaint in Vo vs. VSP Retail Development Holding in March 2020, and U.S. District Judge Harry Leinenweber dismissed a class action against Frames for America in September 2022.
According to Warmack-Stillwell, Dior’s virtual try-on tool uses FittingBox software and a customer’s web camera to display real-time images of the shopper’s face. During that process, she alleged, the software scans the shopper’s facial geometry and transfers the data to a FittingBox server without Dior following BIPA’s mandates to collect written consent for the use of personal data and without providing written data use, retention and destruction policies. She also alleged the company is improperly profiting off biometric data.
In arguing for dismissal, Dior said Warmack-Stillwell failed to allege a legal injury. Bucklo rejected that argument, pointing to a 2020 U.S. Seventh Circuit Court of Appeals opinion, Bryant v. Compass Group USA. Although that opinion did say the allegation of failing to publicly disclose a data retention policy can’t sustain a BIPA claim, Bucklo noted the court later clarified claims can survive when they allege violations of “the full range” of the data policy guidelines.
According to Bucklo, Warmack-Stillwell alleged “violation of the full panoply” of policy requirements, including that Dior neither developed nor followed a data collection and retention plan. Bucklo also said the complaint adequately alleged Dior used biometric data to increase sales of its sunglasses.
However, Dior won dismissal by invoking one of BIPA’s statutory exemptions. The law prevents lawsuits when the data in question is “captured from a patient in a health care setting” and excludes from protection any “information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.”
Dior sought only the general health care exemption, Bucklo wrote, and she rejected Warmack-Stillwell’s contention that she is not a “patient” because she only shopped for non-prescription lenses.
“Sunglasses, even if non-prescription, protect one’s eyes from the sun and are Class I medical devices under the Food & Drug Administration’s regulations,” Bucklo wrote. “By using the (virtual try-on tool) to try on sunglasses, plaintiff was ‘an individual awaiting … medical care,’ and therefore a ‘patient,’ because the tool facilitates the provision of a medical device that protects vision. Indeed, according to the complaint, using the VTOT is the ‘online equivalent’ of going to a brick-and-mortar location to get sunglasses.”
Although Bucklo agreed website users like Warmack-Stillwell might “be surprised to learn” the technology established a patient/provider relationship, she said her objective application of BIPA’s exemption shouldn’t change just because some customers might only be shopping for the purpose of fashion. She also said the fact BIPA specifically mentions other medical settings, such as organ donation and X-rays, doesn’t make it “a stretch” to count trying on and selling sunglasses as health care.
“This conclusion comports with the one reached by the other courts that have considered whether BIPA’s general health care exemption applies in the context of virtual try-on tools for eyewear,” she wrote, adding that both Judges Kocoras and Leinenweber “recognized that the virtual try-on tools were also used for nonprescription sunglasses.”
Bucklo further acknowledged lawsuits in which plasma collectors have been unable to end BIPA lawsuits but noted judges in those cases observed the intent of users wasn’t health care, but to get paid for selling blood. She did not consider Dior’s other arguments for dismissal.
The ruling in favor of Dior came squarely between two significant Illinois Supreme Court rulings cementing the ability of plaintiffs to seek financial damages under BIPA.
The first, a Feb. 2 opinion, established BIPA should be governed by a five-year, rather than one-year, statute of limitations. The second, dated Feb. 17, held that each individual data collection event can constitute a separate actionable violation. That, for instance, could include customers like Warmack-Stillwell suing for each time they visited the Dior website, even if they used the technology the same way on each shopping trip. Such an interpretation could have exposed a retailer like Dior to massive potential liability, potentially running into the hundreds of millions or even billions of dollars.
Warmack-Stillwell has been represented by attorneys Adam J. Levitt, Amy E. Keller, Nada Djordjevic and James Ulwick, of the firm of DiCello Levitt, of Chicago.
Dior has been represented by attorneys Robert E. Shapiro, Maile H. Solís, Connor T. Gants and David B. Lurie, of the firm of Barack Ferrazzano Kirschbaum & Nagelberg, of Chicago.