Online shopping has come a long way in providing consumers with a vision of how products might look on them. Product pages show the clothing on models of different sizes and cosmetics on models in a variety of skin tones. The trend toward using AR to offer virtual try-on features suggests that people still want to see how a product looks on them.
In a 2019 (read, pre-pandemic) NielsenIQ global survey, 51% of consumers expressed willingness to use AR/VR to assess products. In 2020, a Shopify report found that enabling consumers to interact with products virtually led to a 94% higher conversion rate.
How Can Businesses Bring Virtual Try-Ons to Their Customers?
Retailers can offer virtual try-ons within their own ecommerce channels or partner with an ecommerce platform that offers virtual try-on as a feature.
Retailers can license AR software to build their own virtual try-on features. For example, Warby Parker’s eyewear try-on feature is built on Apple’s AR Kit. Other technology providers offer solutions that design some or all of a virtual try‑on experience. Beauty-focused AR tech provider Modiface designed virtual try-ons for Sephora and Essie. Hapticmedia generates 3D configurations of products and is used by Baume & Mercier and Van Cleef & Arpels to power their virtual try-on features.
Increasingly, brands can work with online shopping platforms to add virtual try-on as a feature. For example, Instagram Shops has partnered with a few brands to offer virtual try‑ons to consumers already sharing, discovering and shopping for products on their platforms.
What to Look Out For
Virtual try-on technology introduces important privacy obligations. In particular, where virtual try-ons collect data about consumers’ hands or faces, state biometric laws may come into play.
A growing number of states regulate the use of biometric data, with Illinois and Texas having two of the most notable biometric laws. While restrictions and requirements vary somewhat between the two states, both require providing notice and obtaining consent before any collection of biometric identifiers and impose restrictions on retention and sharing. “Biometric identifiers” are defined slightly differently under each law but generally include retina or iris scans, fingerprints, voiceprints and scans (in Illinois), or records (in Texas) of hand or face geometry.
Virtual try-ons are likely to collect some information about a consumer’s hands or face, but exactly what constitutes a scan or record of hand or face geometry is far from a settled question. “Geometry” isn’t defined under either of the laws. Broad dictionary definitions and limited case law mean that it’s not always straightforward to assess when the collection of a face or hand, or parts of a face or hand, might amount to a biometric identifier.
What is clear is that the Illinois Biometric Information Privacy Act, or “BIPA,” introduces real risks of litigation. The law allows private parties to sue for violations, and over 1,500 class actions have been filed in the last six years. In the previous year, a number of retailers offering virtual cosmetics and eyewear try-ons, including Giorgio Armani, Estée Lauder, 1-800 Contacts and GlassesUSA.com have been on the receiving end of BIPA lawsuits alleging, in part, that data collected by the virtual try-ons include biometric identifiers and that the retailers failed to comply with BIPA. Texas’s Capture or Use of Biometric Identifier, or “CUBI,” can only be enforced by the Texas attorney general, who only recently brought its first action under the law.
Washington State also has a biometric law, though it only applies when enrolling a biometric identifier in a database for commercial purposes. Certain state consumer privacy laws call out biometric data as sensitive information requiring additional protections, such as opt-in consent and the opportunity to opt out of further collections. These laws include the California Consumer Privacy Rights Act, which goes into effect on January 1, 2023, and will amend the state’s California Consumer Privacy Act.
Given the ambiguity around biometric identifiers and the potential for litigation or regulatory enforcement, it’s worth consulting with a biometric law attorney to assess legal risk before rolling out any virtual try-on feature. Regardless of the likelihood that a virtual try-on feature will trigger BIPA or CUBI, the following are best practices to consider:
1. Be transparent about your data practices.
Businesses that collect personal data or on whose behalf personal data is collected have an obligation to provide consumers with notice of how their personal data is collected, used, stored and shared. BIPA also requires privacy notices to include (1) collection of a biometric identifier; (2) the purpose of the collection; (3) the period retained (no more than the sooner of when the initial purpose for collection has been satisfied or three years); and (4) third parties with whom the information will be shared. BIPA also requires the publication of retention schedule and deletion guidelines.
2. Carefully review data sharing.
BIPA prohibits sharing biometric identifiers without consent except in limited circumstances, such as if sharing completes a financial transaction requested or authorized by the consumer. CUBI is more restrictive and prohibits sharing even with consent, including to service providers. State consumer privacy laws impose obligations on sharing personal data without imposing use restrictions. So it’s important to closely review contracts obtaining or providing virtual try-on solutions to understand exactly how data will flow between parties and how each is permitted to use and keep data.
3. Keep customer data safe.
Biometric laws, if they apply, require physical and digital security measures to safeguard biometric data. And any sensitive information, regardless of whether it triggers a biometric law, should be protected by security measures that are reasonably high and consider relevant industry standards and practices. Businesses that share their customer data should flow down security standards contractually and closely evaluate third-party security practices, paying attention to the operational and contractual measures that apply in the event of a security breach to protect the business and its consumers, such as uptime and support commitments, limitations of liability and indemnity obligations.
4. Establish good data hygiene practices.
It’s important for businesses to maintain strong data policies and processes, particularly when it comes to more sensitive information such as biometric data. Poor data hygiene can erode customer trust, and increasingly, data minimization, purpose limitation and data retention are becoming legal requirements. Businesses should have checkpoints in place throughout their product launch and new initiative processes to consider whether the collection of customer data is reasonably needed for the purpose of collection or whether a new use is compatible with the original purpose of collection, and to establish when data is no longer needed for the purpose it was collected and should be deleted.
As retailers look for more ways to engage with consumers where they are, offer more interactive online shopping, and reduce ecommerce returns, adoption of virtual try-ons is sure to grow. If the risks are appropriately managed, virtual try-ons are poised to revolutionize ecommerce for businesses and the online shopping experience for consumers.
Perkins Coie Associate Bipasana Joshee counsels clients on a wide range of issues related to privacy and product counseling. Her experience includes matters relating to biometric information, use of data for machine learning and artificial intelligence development, and global product launches. Partner Miriam Farhi is firmwide Co-Chair, Privacy and Security Practice, and firmwide Vice Chair, Technology Transactions & Privacy Practice. Partner Andrew Grant focuses on developing innovative and cost-effective legal solutions to business challenges for the Artificial Intelligence and Machine Learning, interactive entertainment, software-as-a-service (SaaS), software, platform-as-a-service (PaaS), Internet of Things (IoT), outdoor and retail industries.