A Class Action That Cleared a Critical Legal Hurdle
A US federal court has allowed a proposed class action lawsuit against MAC Cosmetics to proceed, with the retailer accused of collecting consumers' facial geometry data through its virtual makeup try-on technology without obtaining the consent required under Illinois biometric privacy law. The class action lawsuit was first filed in August last year by Illinois resident Fiza Javid, who claims she used MAC Cosmetics' in-store virtual try-on device, which used facial scanning technology, as well as a similar feature on MAC Cosmetics' website.
For Indian cosmetics brands, manufacturers, and importers deploying or considering AR-based virtual try-on, AI skin diagnostic scanning, or similar facial recognition technologies, this ruling matters well beyond US borders. Multiple international beauty brands now using virtual try-on technology — including those with Indian operations or sourcing relationships — face comparable legal exposure wherever similar biometric privacy frameworks exist or emerge.
What the Lawsuit Actually Alleges
According to court documents seen by Cosmetics Business, the lawsuit alleges that MAC Cosmetics did not tell Javid that it would "capture, collect, otherwise obtain, store and use her facial geometry through its virtual try-on mechanisms." The lawsuit alleges that MAC's in-store and online virtual try-on tools scan users' facial features to create digital makeup simulations. According to the complaint, the technology captures and uses facial geometry data without providing written disclosures, obtaining informed written consent, or publishing a biometric data retention and destruction policy as required under the Illinois Biometric Information Privacy Act (BIPA).
The lawsuit alleges that MAC was in violation of BIPA by capturing the plaintiff's biometric data without her prior written consent, and that MAC could use the collected biometric data to later identify her. By storing face templates, the company allegedly sought to boost sales and reduce product returns — a commercially sensible business rationale that nonetheless does not exempt the company from consent requirements under the relevant statute.
Why This Ruling Matters More Than a Typical Dismissal Denial
An Illinois federal judge ruled that the biometric privacy claims against MAC are plausible enough to proceed. Surviving a motion to dismiss is a procedural step, not a finding of liability: the court held only that the allegations, taken as true, state a claim worth litigating in full, rather than ending the case at the pleadings stage. That outcome distinguishes MAC from its parent company Estée Lauder, which won dismissal of a comparable case in 2024.
MAC has now been ordered to provide internal documentation regarding its data storage protocols by June 2026 — meaning the company must produce evidence of exactly how it collected, stored, and used the biometric data in question. This discovery obligation is itself a meaningful compliance lesson: companies deploying facial scanning technology should assume that, in the event of a legal challenge, they will need to produce complete documentation of their data handling practices, not merely assert good intent.
The Broader Legal Pattern Affecting Beauty Retail
MAC is not alone in this legal exposure. Throughout 2024 and 2025, several Estée Lauder-owned brands, including Bobbi Brown and Too Faced, have faced comparable biometric privacy claims. Beyond beauty specifically, haircare brand Living Proof is accused of secretly scanning users' faces through an online "Hair Quiz" — a direct parallel to the AI skin diagnostic and hair analysis tools increasingly deployed across the beauty industry, including tools comparable to L'Oréal's Noli and Haut.AI's various skin-scanning partnerships already covered in recent industry developments.
This pattern confirms that the legal risk extends to any facial or biometric scanning mechanism used for personalisation, recommendation, or virtual simulation, not only to features narrowly labelled "virtual try-on". Illinois, Texas, and Washington all have statutes prohibiting companies from capturing, collecting, storing, or using biometric identifiers without the individual's prior informed consent. BIPA is the one that drives class actions: it is the only one of the three with a private right of action, and it provides statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, with no requirement to prove actual harm, whereas Texas and Washington leave enforcement to the state attorney general. Companies operating across multiple US states therefore face a patchwork of requirements, and a website or app usable by Illinois residents is enough to put a brand within BIPA's reach.
The Direct Relevance for Indian Brands and Manufacturers
Indian beauty brands increasingly deploy AR-based virtual try-on technology, AI skin diagnostic tools, and facial scanning features — whether built in-house, licensed from third-party providers (Perfect Corp, ModiFace, and comparable platforms), or accessed through retail partner platforms like Nykaa and Tira's virtual consultation features. Several converging compliance considerations apply.
India's Digital Personal Data Protection (DPDP) Act, 2023 does not single out biometric data as a special category (the sensitive-data tier of the earlier 2019 bill was dropped from the enacted law), but its requirements apply to every processing of personal data, facial geometry included: consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and data may be processed only for the specified purpose. Those requirements parallel, though are not identical to, US state-level biometric privacy statutes like BIPA. Indian brands deploying facial scanning technology domestically should verify that their consent mechanisms meet DPDP Act requirements specifically, not merely assume that general privacy policy language is sufficient.
Indian brands exporting to or operating in the US market face direct BIPA-equivalent exposure. BIPA protects Illinois residents, so any Indian-origin brand whose website or app is usable by consumers in Illinois and offers virtual try-on or facial scanning faces the same legal exposure MAC currently faces, regardless of where the company is headquartered or where its servers are located.
Third-party technology licensing does not eliminate liability. Brands that license virtual try-on or facial scanning technology from external providers (rather than building it in-house) remain legally responsible for ensuring the deployed technology meets consent and disclosure requirements in the jurisdictions where it operates. Contractual indemnification from a technology vendor does not substitute for the brand's own compliance verification.
What Indian Brands and Manufacturers Should Do Now
Audit every facial scanning, AR try-on, or AI skin diagnostic feature currently deployed across your digital and in-store touchpoints. Confirm whether each instance collects biometric or facial geometry data, and verify that explicit, informed, written consent is obtained before any such collection occurs, not merely implied through continued use of the feature. Have engineering confirm, per feature, whether face processing happens on the device or on a server, whether any face template, landmark set, or captured frame is persisted beyond the session, and where it is stored; the answers determine both what the consent must cover and what a court could later order you to produce.
Publish a clear biometric data retention and destruction policy, and make it genuinely accessible to consumers. The MAC lawsuit specifically alleges the absence of a published retention and destruction policy as a compliance failure. BIPA sets a concrete benchmark: biometric data must be destroyed when the purpose for collecting it has been satisfied or within three years of the individual's last interaction with the company, whichever comes first. Indian brands should ensure such a policy exists, states the actual retention period and destruction method, and is presented to users before data collection, not buried in a lengthy general privacy policy.
Review third-party technology vendor contracts for compliance representations and indemnification scope. If your virtual try-on or AI diagnostic features are licensed rather than built in-house, request explicit documentation from your vendor confirming the technology's consent mechanisms meet the relevant jurisdictional requirements, and clarify indemnification terms in the event of a compliance challenge.
Treat DPDP Act compliance for biometric data as a near-term priority, not a future consideration. As India's data protection framework matures and enforcement infrastructure develops, brands deploying facial scanning and biometric technology domestically should not assume current data handling practices will remain unscrutinised indefinitely.
The MAC Cosmetics case demonstrates that biometric privacy litigation around beauty industry technology — AR try-on, AI skin scanning, facial diagnostic tools — is no longer a theoretical risk confined to a handful of jurisdictions. As Indian brands increasingly adopt these technologies domestically and pursue export markets where biometric privacy law is well-established, building genuine consent and disclosure infrastructure now is materially cheaper than retrofitting compliance after a legal challenge surfaces.