Sephora store. Sephora store.

The Illinois Biometric Privacy Act is the gift that keeps on giving—to litigators, that is. 

The 2008 state law—uniquely expansive—allows individuals to sue companies for failing to follow rules on collecting and retaining biometric data such as fingerprints, retina scans and facial geometry. 

The latest in a long line of recent putative class actions invoking the law involves makeup retailer Sephora—and it illustrates why the complaints can be…how shall I put this… less than compelling. Because rather than protecting privacy, the suits often feel more like attempts at "gotcha."

Here, a woman named Auste Salkauskaite went to a Sephora store in Chicago which featured a "Visual Artist Kiosk." It scans your face and lets you digitally superimpose Sephora cosmetics to see how they look. Or as Sephora puts it, customers can "try thousands of lipstick shades, eyeshadows and false lashes…Try, shop and share unique looks created by Sephora."

Jenna GreenePersonally, I think that sounds like fun, and a lot more effective than dabbing a lipstick on the back of your hand to test the color. (Also, I'm quite sure that if I ever got a turn in one of those kiosks, I wouldn't stop until I achieved full-on Tammy Faye Bakker.)

The kiosks use biometric technology by Ontario, Canada-based ModiFace's. According to the complaint, which was filed by lawyers from Chicago's McGuire Law in Illinois state court and then removed U.S. District Court for the Northern District of Illinois in late 2018, Sephora and ModiFace violated the biometric act. 

The plaintiffs' lawyers point to their "invasive biometric face scanning program that relied on the illegal collection of consumers' biometrics, thereby invading their substantive privacy rights."

I certainly understand how some people might not want their faces scanned, but here, Salkauskaite chose to have it done. And then she voluntarily provided her cellphone number and other personal information so that she could get a text with a scan of her face, all digitally made-up with Sephora's beauty products. 

If she was so worried about her privacy, she could have, I dunno, not done that.

In her complaint, Salkauskaite alleged that the defendants violated several specific provisions of the Illinois biometric law. First, she said, they didn't inform her in writing that her biometrics "were being collected, stored, used, or disseminated, or publish any policy specifically about the collection, retention, use, deletion, or dissemination of her biometrics."

Nor, she said, did they seek her written consent for the scan or for "any dissemination and disclosure of her biometrics to third parties." 

ModiFace, represented by Mark Pollack and Adam Michael Reich of Paul Hastings, dodged liability when U.S. District Judge Andrea Wood last week dismissed the claims against it with prejudice, ruling that the court lacked jurisdiction over the Canadian company.

"That the technology was used in Illinois does not establish minimum contacts," Wood wrote. "Without evidence that ModiFace intended to avail itself of the right to do business in Illinois or purposefully aimed its conduct at Illinois, the use of ModiFace's technology in the forum is at most a random, fortuitous, or attenuated contact."

Sephora, however, is still on the hook, at least for now.  The company is represented by lawyers from Barack Ferrazzano Kirschbaum & Nagelberg, who did not immediately respond to a request for comment.

In court papers, they argued that the plaintiff and members of the putative class "were aware of and consented to Sephora Virtual Artist." 

They did so "by specifically requesting that or permitting the Virtual Artist Kiosk to take their photograph or record their image, by posing in front of the Virtual Artist Kiosk's camera while the screen counted down before the photograph or gif was taken, and by then selecting an option for the photograph or gif to be sent to a phone number of their choice."

The defense lawyers also said that Sephora makes its privacy policy publicly available to all customers, and that by using the Sephora app, the plaintiffs consented to Sephora's terms of service.

Pollack, who chairs the litigation practice in Paul Hastings' Chicago office, said that firm lawyers have been seeing "more and more" biometric privacy cases. "It's become a favored statute for plaintiffs' lawyers," he said.

Last month, Paul Hastings nabbed litigation partner Aaron Charfoos from Jones Day in Chicago to deepen its privacy and cybersecurity bench.

"We've been aggressively expanding the practice," Pollack said.