SEPHORA’S BIOMETRIC SCANDAL: AN ANALYSIS OF DATA PRIVACY CRISIS MANAGEMENT IN THE BEAUTY INDUSTRY
Background: Sephora and ModiFace
In a market filled with a mixture of new direct-to-consumer influencer brands gaining traction, brick and mortar drug stores providing cheaper options known as “dupes”, and high-end retailers investing in both their online and in stores, one major player dominates: Sephora. Founded in 1970, Sephora is a French multinational retailer of beauty and personal care products. Today, Sephora is owned by LVMH Moët Hennessy Louis Vuitton (“LVMH”) and operates 2,300 stores in 33 countries worldwide, with over 430 stores in America alone.
LVMH attributes much of Sephora’s success to its “self-service” concept. Unlike its department store competitors who stock beauty products behind a counter, Sephora allows consumers to touch and test is product with the mediation of a salesperson. This transformation of a store to an interactive experience underscores Sephora’s main value proposition: providing customers with a unique, interactive, and personalized shopping experience.1 Keeping with its customer experience-centric business model, Sephora has utilized technology to continue providing its customers with a personalized beauty experience.
The tension created by two separate growing marketplaces puts significant pressure on Sephora to replicate the online shopping experience in-store and vice versa. For make-up, having a perfect complexion match for face products and flattering color of lipstick and blush requires an understanding of the undertones and overtones of the make-up shades. Typically, this color match inquiry is what makes or breaks the sale—if a shopper is not confident the make-up is a match, they are less likely to purchase. To address this friction in the customer purchase journey, Sephora rolled out “Find My Shade,” an online tool designed to help shoppers find a foundation product after inputting their preferences and prior product use. This tool provides the in-store feel of viewing multiple products at once, while providing some assurance on a color match. For Sephora, the online sale provides ample customer data: which products were searched, considered, and ultimately purchased all against a backdrop of a user’s name, geography, preferences, and purchase history. The resulting customer data is the backbone of Sephora’s digital strategy: facilitating customer purchases online by reducing friction, while mining data to inform predictions on customer preferences.
In line with its innovative in-store strategy, in 2014 Sephora announced a partnership with Modiface to launch a Visual Artist Kiosk to provide augmented reality mirrors in its brick-and-mortar stores. First introduced in Milan, Sephora sought to make testing make-up easier for customers by simulating makeup products on a user’s face in real time without requiring a photo upload.2 To begin their session at the kiosk, users provide their e-mail address and contact information either tied to their pre-existing customer account with Sephora or to provide Sephora with new customer information. Using facial recognition technology, the ModiFace 3-D augmented reality mirror uses a live capture of a user’s face and then shows the user how to apply make-up products overlaid onto the live capture user’s face. This allows users to test thousands of products tailored to the user’s unique features. Without opening a real product, users are able to see whether the product is suitable to their skin tone, thus bringing personalization and tailored options typically available only online to the store while providing Sephora with valuable consumer data. At the end of their use of the ModiFace mirror, the user receives follow-up information about the products tested via the e-mail address provided or via their Sephora account.
At the time of Visual Artist Kiosk’s introduction to stores in the United States in 2014, Sephora did not need to consider federal privacy laws—there were none to consider. Consumer data privacy laws were in their infancy, with the Federal Trade Commission (FTC) at the helm of most cases aimed to provide consumers protection from data breach and identity theft and to hold corporations accountable to their respective privacy policies.3 Significantly, however, Sephora did not consider the state-specific laws at play. Specifically, Sephora did not consider the Illinois Biometric Information Privacy Act (BIPA) which applied to all Sephora locations in the state of Illinois (IL).
In December 2018, Auste Salkauskaite (Plaintiff) brought a class action suit against Sephora and ModiFace Inc. (Modiface) claiming that both violated the Illinois Biometric Information Privacy Act (BIPA) by using ModiFace’s technology to collect biometric information about customer facial geometry at a Virtual Artist Kiosk in a Sephora store in Illinois. Plaintiff further alleged that her biometric information, cell phone number, and other personal information were collected and disseminated by both Sephora and ModiFace in an attempt for Sephora to sell products to the plaintiff.4 Plaintiff further alleged that Sephora did not inform her in writing that her biometrics were being collected, stored, used, or disseminated. Sephora allegedly did not get Plaintiff’s written or verbal consent, provide any notice that Plaintiff’s biometric information was being collected, or if it would be retained and/or sold. In pursuing a class action lawsuit, Plaintiff sought to include individuals who had their biometrics “captured, collected, stored, used, transmitted or disseminated by ModiFace’s technology in Illinois”, with an additional subclass of those who experienced the same treatment from Sephora in Illinois.”5
BIPA “governs how private entities handle biometric identifiers and biometric information (“biometrics”) in the state of IL.”6 By including a private right of action, residents of the state of IL are able to file suit against private entities who allegedly violate the law. In this case, Plaintiff claimed that Sephora and ModiFace violated three provisions of BIPA: 1) requiring a private entity in possession of biometrics to release a publicly accessibly written policy describing its use of the collected biometrics, 2) forbidding a private entity from “collecting, capturing, purchasing, receiving, or otherwise obtaining biometrics without informing the subject that biometrics are being collected and stored,” and 3) “disclosing or disseminating biometrics of a subject without consent.”7
In the immediate aftermath of the suit, Sephora did not release any statements on the pending litigation. In Sephora’s answers to the Plaintiff’s complaints filed in January 2019, Sephora denied all claims by 1) pointing to its publicly available privacy statement, and 2) denying taking, collecting, using, storing or disseminating Plaintiff’s biometrics. Specifically, Sephora claimed that by using its mobile application and/or website, users agree to accept Sephora’s terms of service which releases Sephora from liability. This included the Virtual Artist Kiosk, which required users to sign and accept Sephora’s terms of service before prompting users to provide any contact information.
Sephora and the Plaintiffs (once class action status was granted) reached a settlement agreement in December 2020, which allowed for anyone who interacted with the Virtual Artist Kiosk in a Sephora store in IL since July 2018 to file a claim for a share of the settlement—which allows for claimants to get up to $500 each. As of April 2020, 10,500 notices were sent to potential claimants. Hundreds of claims were filed by potential class members, which could result in just under $500,000 in total claims. Sephora has never officially commented on the suit, despite some media coverage in IL.8
ModiFace, on the other hand, successfully moved to dismiss the claim for lack of personal jurisdiction in June 2020. The Court reasoned that ModiFace did not purposefully avail itself of the privilege of conducting business in IL. The Court cited a declaration of ModiFace’s CEO which stated that ModiFace never had property, employees, or operations in Illinois and is not registered to do business there. He further stated that ModiFace’s businesses is focused on selling augmented-reality products to beauty brand companies and does not participate in marketing, sales, or commercial activity in Illinois. ModiFace claimed that its business relationship with Sephora did not occur in Illinois, and that Sephora never discussed the use of ModiFace technology in Illinois: there was no agreement in place regarding Illinois and no transmission of biometric information between the companies. Overall, the Court found that Sephora’s use of ModiFace technology in Illinois did not establish minimum contacts.
Despite the lawsuit, ModiFace was acquired by L’Oreal in March 2018. L’Oreal is the world’s biggest cosmetics company, and, unlike Sephora, designs, manufactures, and sells its own products. L’Oreal and ModiFace worked together for about seven years before the acquisition. Like Sephora, L’Oreal ramped up investment in virtual try-on technology in an effort to decrease customer barriers to purchase. Since the acquisition, L’Oreal’s Global Chief Digital Officer has said that conversion rates from search to purchase has tripled.(citation)? At the time of the ModiFace acquisition, L’Oreal spent about 38% of its media budget on digital campaigns like virtual try-one. It’s estimated that this investment has grown significantly as L’Oreal strategizes around minimizing friction in the customer experience. More recently, Estee Lauder was also sued for alleged violation of BIPA for collecting biometric data via virtual “try-on” of make-up through a similar technology as ModiFace.9
Lessons Learned for Future: CCPA and Beyond
Sephora’s settlement is the first official non-breach related settlement under the CCPA. Many legal analysts argue that the California Office of the Attorney General (OAG) intends to be more aggressive in enforcing CCPA, which they are signaling in a significant manner via their settlement with Sephora. Specifically, the OAG is expected to focus on businesses that engage in sharing or selling of information to third parties for the purpose of targeting advertising.10 Importantly, under the California Privacy Rights Act (CPRA) which goes into effect on January 1, 2023, companies will no longer benefit from the 30-day notice to remedy their alleged violations.