A virtual “try-on” tool for sunglasses offered by Louis Vuitton collected customers’ facial scan data without their consent, violating the Illinois Biometric Privacy Protection Act, a new lawsuit against the luxury brand alleges. The proposed class-action suit, filed April 8, claims the LVMH corporation’s North America unit took biometric data from online shoppers when they used their webcams to try out eyewear products and then translated the data into computer code and sent it to an outside server, Bloomberg reported.
The lawsuit accuses Louis Vuitton of violating the privacy act “each and every time” a shopper in Illinois used the online try-on tool, according to reports. Violations of the Illinois Biometric Privacy Protection Act can carry fines of between $1,000 to $5,000 each.
“With a large, niche retailer that probably has plenty of traffic on their site, we could be talking about thousands of individuals affected,” said Ryan Ascenzo, Senior Broker, Professional Liability, Burns & Wilcox Brokerage, New York, New York. “The fines could be pretty substantial.”
These penalties are among the costs that can be covered by a retailer’s Cyber and Privacy Liability Insurance, which can respond to data breaches and cyberattacks and usually extends to violations of federal and state privacy laws.
Lawsuits over biometric data collection on the rise
From face and retina scans to fingerprints and voiceprints, biometric data is used in a variety of applications and industries and is growing at a rapid pace, with the global biometrics market expected to reach $44.1 billion by 2026, according to a study on the global biometrics industry released in February. A privacy study released in April by consumer website Comparitech noted increasing biometric use in many countries and ranked the U.S. among the worst-scoring countries for biometrics collection.
The U.S. Department of Homeland Security reports using biometrics to prevent illegal entry and enforce federal laws, among other uses, and the Canadian Broadcasting Corporation reported in January that Canadian officials were planning to use more facial recognition cameras to help speed up border crossings.
In the U.S., lawsuits that allege violations of the Illinois Biometric Privacy Protection Act are becoming more common, Bloomberg reported earlier this year. In February, McDonald’s agreed to pay up to $50 million to settle a lawsuit brought by employees in Illinois who claimed the company required them to submit biometric information without obtaining their consent. In June of 2021, Topgolf agreed to pay $2.6 million to workers who claimed the company collected their fingerprint data without their permission, Law360 reported. In February of 2020, Facebook was ordered to pay $650 million to settle a class-action suit over its use of facial recognition to tag users in photos without their consent, TechCrunch reported.
[The virtual sunglasses try-on tool] could seem like a really innovative service to offer customers, especially in a low-touch environment during a pandemic, but someone should have realized this is information that is being stored and they could be liable for it.
“In this day and age, companies and websites are looking to become more secure and they are turning to more advanced methods of identification,” Ascenzo said.
The use of biometrics is an “ever-evolving situation,” Rangel said, and informing customers of any change in data collection is a crucial step. “If they are not asking for consent when they are doing this, that is part of the problem,” she said.
Situations like the recent Louis Vuitton lawsuit over its virtual sunglasses try-on tool underscore the importance of notifying customers about data collection and managing the risks that come with it. “That could seem like a really innovative service to offer customers, especially in a low-touch environment during a pandemic, but someone should have realized this is information that is being stored and they could be liable for it,” Ascenzo said. “The internal risk management may not have been as cutting-edge as it should have been when they rolled out this offering.”
[Biometrics] could be the next wave of what cyber breaches are going to come to. The more data that we are providing, the more it can be manipulated and used against us.
Beyond privacy concerns over a lack of consent for data collection, the greater risk is that the more personal data a company stores, the more damaging a potential cyberattack could be. “Hackers may want to get that biometric information because they could possibly use it to access a more secure, lucrative site,” he explained. “If Louis Vuitton was hacked and those face capture data files were stolen, hackers could then go through those images and try to find a match to a website they are trying to break into. The bottom line is, there is definitely value to that information.”
With facial scans and fingerprints giving many individuals access to their phones, bank accounts and even the buildings where they work, biometrics “could be the next wave of what cyber breaches are going to come to,” Rangel said. “The more data we are providing, the more it can be manipulated and used against us,” she said.
Insurance can cover notifying customers, hiring specialized attorneys
The potential liability companies face when collecting biometric data makes Cyber and Privacy Liability Insurance indispensable. This type of insurance can provide cybersecurity resources to companies rolling out new technologies and help pay for expenses in the event of a lawsuit, such as legal defense, regulatory penalties, and settlements. Any company collecting the personal information of consumers, vendors or employees should carry it, Ascenzo said.
Depending on the circumstances, a company’s Directors & Officers (D&O) Insurance or Employment Practices Liability (EPL) Insurance could also be triggered by a biometrics-related lawsuit. For example, D&O Insurance can respond to allegations against a company’s board of directors over the decision to move into biometric applications, while EPL Insurance could respond to discrimination claims from employees or, in some cases, third parties.
“Companies should check their D&O Insurance and EPL Insurance because it might be outright excluded on those policies,” Ascenzo said. “There could be elements of an allegation that have components of Cyber and Privacy Liability Insurance, D&O Insurance and EPL Insurance.”
Biometric exclusions may become increasingly common as more lawsuits are filed over this type of data collection, Rangel added. “Insurance carriers are now seeing that it can affect a lot of different policies,” she said. “Make sure your broker is looking at the exclusions.”
While Cyber and Privacy Liability Insurance can cover regulatory fines, there may be specific limits for these penalties. “Most policies have a regulatory limit available, and then you have to work with your broker to figure out whether it is a separate limit or a combined limit,” Ascenzo said. “Working with an experienced broker to determine what you have available to comply with regulatory issues is important.”
Caution needed when starting, expanding data collection
As debate continues over the use and regulation of biometric data in both the U.S. and Canada, companies using any biometric tools need to ensure they stay up to date with the latest local and national regulations on it, Rangel pointed out. “They should know what the possible consequences are and what they need to have in place to gather that information legally,” she said. “They should also be aware of the penalties. These can get into the millions of dollars if it becomes a class-action lawsuit.”
They should know what the possible consequences are and what they need to have in place to gather that information legally. They should also be aware of the penalties. These can get into the millions of dollars if it becomes a class-action lawsuit.
They can also utilize the resources included in their Cyber and Privacy Liability Insurance, including access to breach response coaches and experts who can help advise them on regulatory developments. “These resources can help keep them in the know so they can better protect themselves,” Rangel said.
Ascenzo agreed, encouraging business owners to work with an experienced insurance broker who understands the risks involved with biometrics and to take risk management steps like updating their privacy statements.
Anytime a company is going to be launching a new product, feature, application or platform and there is the possibility of capturing any sort of data, they should talk it over with their internal risk management team, their external attorney, and ask if they need to be putting in any additional safeguards.
“Anytime a company is going to be launching a new product, feature, application or platform and there is the possibility of capturing any sort of data, they should talk it over with their internal risk management team, their external attorney, and ask if they need to be putting in any additional safeguards. I think sometimes that gets overlooked,” he said. “It could be something as easy as adding language to their disclaimers that they might also be collecting biometric data, and I think it would be wise for companies to start doing that.”
The liability associated with biometric data collection is an evolving area of risk for companies and these issues often present a “slippery slope,” Ascenzo said. “It is definitely a newer exposure,” he said. “I do not think this will be the last we hear of it.”