Privacy & Cybersecurity Law Blog

On February 10, 2023, an Illinois federal district court ordered the dismissal of a putative class action lawsuit alleging that an online tool that allowed users to virtually try on sunglasses violated the Illinois Biometric Privacy Act (“BIPA”).

In Delma Warmack-Stillwell v. Christian Dior Inc., the plaintiff sued French luxury brand Dior, and alleged that it violated (1) Section 15(b) of BIPA by failing to provide notice and to obtain consent when collecting her biometric information; (2) Section 15(a) of BIPA by failing to institute, maintain and adhere to a publicly available biometric information retention and destruction policy; and (3) Section 15(d) of BIPA by disclosing or otherwise disseminating her biometric information to third parties without consent.

Dior moved to dismiss the case based on the “health care” exemption in the statute. BIPA excludes “information captured from a patient in a health care setting” from the statute’s definition of “biometric identifier.” 740 ILCS 14/10. Dior argued that, because sunglasses—including the non-prescription sunglasses at issue in the plaintiff’s complaint—are Class I medical devices under the Food & Drug Administration’s regulations, the facial geometry information collected from the patient was captured “in a health care setting” and thus was exempt from BIPA’s application.

U.S. District Judge Elaine E. Bucklo agreed, finding that Dior’s virtual try-on tool “facilitates the provision of a medical device that protects vision.” Judge Bucklo concluded that the health care exemption applied because the virtual tool “facilitates the purchase of sunglasses to wear on one’s face—which is exactly the use that fulfills that product’s medical purpose.”

Because BIPA does not define what constitutes a “health care setting,” this case provides significant guidance on the scope of the health care exemption.