Not Enough in Estee Lauder BIPA Suit: Chicago Federal Judge Rules Make-Up "Try On” Technology Doesn't Meet Definition of Biometric Information

January 25, 2024

By Marisa Polowitz

A Chicago federal judge has provided further insight into how Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) claims will be reviewed. In a January 10th ruling, a U.S. District Court dismissed a proposed class action lawsuit against Estee Lauder which claimed the cosmetic company’s “virtual try-on” tool violated BIPA. The tool in question allows customers to “try on” products from the comfort of their own home. Similar technology has spawned a spate of BIPA cases in recent years.

In Castelaz v. Estee Lauder Companies, Inc., the Court held that a plaintiff must adequately connect the biometric information collected to the ability of defendants to use it alone, or in conjunction with other available methods or sources, to identify individuals.[1]

As BIPA continues to be one of the most highly litigated biometric privacy statute in the nation, recent rulings are rapidly establishing the statute’s requirements and applicability. This ruling continues that trend, providing further guidance on how courts are interpreting its requirements.

The Castelaz Dismissal

The Court in Castelaz signals another example of the newly establishing pleading standard for BIPA claims. Relying on a requirement outlined in two recent BIPA cases, that a plaintiff must plausibly allege that the collection of biometric data made the defendant capable of determining the individual’s identity,[2] the Court emphasized the importance of this requirement, calling it “the most foundational aspect of a BIPA claim.”[3]

In the referenced ruling, Daichendt v. CVS Pharmacy, Inc., the court forced the plaintiff to establish the “real-world” connection of the collected biometric information to other identifying information, such as names and e-mail address. In Daichendt II, the plaintiff returned with an amended complaint that linked the collected “real-world” information to an ability of the defendant to identify them with their biometric identifiers, and the judge denied the motion to dismiss.[4]

Combined, these cases lay out a clear framework for how courts will analyze BIPA claims moving forward, and shine a light on what elements are required to plausibly plead a claim under the statute.

Paul Hastings’ Data Privacy and Cybersecurity practice regularly advises on compliance with data privacy requirements at the federal, state, and international levels, including BIPA. If you have questions concerning BIPA compliance and emerging case law, please do not hesitate to contact a member of our team.

[1] Castelaz v. Estee Lauder Companies, Inc., No. 22 CV 5713, 2024 WL 136872 (N.D. Ill. Jan. 10, 2024) (“Plaintiffs fall short of providing any specific factual allegations that ELC is capable of determining Plaintiffs and members of the Illinois class members’ identities by using the collected facial scans, whether alone or in conjunction with other methods or sources of information available to ELC”)

[2] Clarke et al. v. Aveda Corp., No. 21-cv-4185 (N.D. Ill. Dec. 1, 2023) (dismissing the claim because plaintiff failed to allege that Aveda’s collection of biometric data made Aveda capable of determining their identities) relying on Daichendt v. CVS Pharmacy, Inc., 2022 WL 17404488, at *5 (N.D. Ill. Dec. 2, 2022).

[3] Celia Castelaz v. The Estee Lauder Companies., Inc., No. 22 CV 5713, 2024 WL 136872, at *7 (N.D. Ill. Jan. 10, 2024) quoting Daichendt v. CVS Pharmacy, Inc., 2023 WL 3559669, at *5 (N.D. Ill. May 4, 2023) (“Daichendt II”).

[4] Daichendt II, at *1.