Beauty & fashion tech tools: AI-driven hyper-personalization and rising data privacy litigation exposure
Advanced AI-driven technologies have become essential tools in the Beauty and Fashion industry. As e-commerce dominance grows, global brands are increasingly deploying individual size-fitting, virtual try-on tools for their products, and hyper-personalized recommendations for skincare, cosmetics, and fashion. While these digital solutions drive innovation and consumer engagement, they also introduce meaningful data privacy and litigation considerations warranting close attention for both established luxury brands and market entrants. In the U.S., data privacy litigation is already a high-stakes reality; in the EU, the transition toward collective redress has created comparable potential for large-scale consumer claims.
Introduction: From aesthetics to algorithms
The beauty and fashion industry has always been a driver for innovation. However, the latest transformation is not limited to aesthetics. Rather, it has turned the beauty and fashion industry into a data-driven ecosystem, powered by Artificial Intelligence (AI), Augmented Reality (AR) and Virtual Reality (VR), collectively referred to as "Beauty & Fashion Tech Tools". The impact of these Beauty & Fashion Tech Tools is most visible at the customer interface, where AI-powered shopping assistants, virtual try-on solutions, and hyper-personalized skincare diagnostics are becoming mainstream. Luxury brands once defined by exclusive physical boutiques are now seeking to replicate and complement that high-touch in-store experience through immersive, online-first consumer journeys powered by AI and AR/VR.
While these tools offer significant commercial potential, they often rely on sensitive data, including biometric data, health data and granular behavioral profiles, creating heightened exposure to data privacy litigation, especially within the increasingly divergent data protection landscapes in the EU and the U.S.
Beauty & fashion tech tools
Among the most widely adopted Beauty & Fashion Tech Tools in modern e-commerce are intelligent size fitting, virtual try-on, and hyper-personalization. These three applications have become the foundation of modern, data-centric retail. By integrating advanced AI and AR/VR capabilities, they enable brands to deliver unprecedented levels of personalization while simultaneously navigating complex data processing requirements.
Data-driven intelligent size fitting
- What it does: Getting the right size online has always been a gamble. Data-driven intelligent size fitting seeks to change that. By analyzing inputs such as photos, body scans, or simple manual measurements (height, weight, body dimensions), computer vision models detect body contours and key anatomical points to generate precise real-world measurements. This means these tools build a precise picture of a shopper's body and match it against brand-specific size charts. The result: a personalized size recommendation that takes the guesswork out of online shopping and significantly reduces the likelihood of returns. Machine learning makes the system smarter over time by refining recommendations based on past purchases and return patterns.
- Who is using it: This tech tool primarily transforms the fashion retail market, especially for sportswear and lingerie, where getting the right size is critical to reducing returns. While online resellers and major retailers leverage historical return data to generate size recommendations, some platforms take it a step further with a cross-brand network that recognizes returning shoppers and automatically suggests the ideal size. In more specialized categories, e.g., athletic footwear and apparel, businesses use smartphone-based scans to deliver anatomy-precise recommendations.
AR-based virtual try-on tool
- What it does: This AR-based virtual try-on tool makes it possible to try on a pair of sunglasses, a bold red lip, or a new outfit without leaving the couch. Using a device camera, a machine-learning model detects the face or relevant body parts (eye corners, nose bridge, lip contours, shoulders), and overlays digital products onto the live image, combining real-time facial/body tracking with AR. For beauty, graphical layers are mapped onto the skin while preserving natural texture. For fashion, it means seeing how a pair of sneakers or a designer coat looks on your body.
- Who is using it: Beauty was one of the first to embrace virtual try-on at scale. Several luxury fashion houses with beauty product lines are among the frontrunners, letting shoppers test lip colors, eye looks, and full-face looks directly through their digital platforms. In fashion, high-end luxury brands offer AR-based shoe try-on and allow users to virtually try on sunglasses through Smart AR Mirrors in selected locations, though most of these tools are still maturing. Building on this trend, Google AI launched a general clothing try-on tool in 2025 and partnered with the release of The Devil Wears Prada 2 in 2026 to let users virtually wear the film's iconic high-fashion looks on their own bodies, illustrating how such tools can extend well beyond retail.
AI-based hyper-personalization
- What it does: Finally, finding the perfect skincare routine or foundation shade has, until now, been a process of trial and error. AI-based hyper-personalization addresses this struggle through data analysis. Users typically start by submitting a selfie and answering a short questionnaire about their skin type, lifestyle, and environment. Computer vision models analyze the images for signs of redness, pigmentation, or dry patches, map the user's skin tone to the brand's shade range, and generate tailored product recommendations, covering texture, coverage, and finish. The recommendations also become more precise depending on user feedback.
- Who is using it: In the skincare and beauty industry, hyper-personalization has evolved from generic skin typing to clinical-grade AI and AR analysis. Some brands analyze selfies to deliver dermatologist-level skincare routines, while others employ handheld colorimeters or advanced smartphone cameras to detect skin undertones with high precision, matching users to exact shades from thousands of options.
Scope of processing of personal data
Yet these immersive Beauty & Fashion Tech Tools may process the most stringently protected categories of data under applicable law, exposing companies to material regulatory, financial, and reputational risk.
While deploying the applications described above, the following data categories may be processed:
- Biometric Data. Including facial scans, geometry, skin texture, skin color, and the mapping of wrinkles or pores for virtual overlays and identification.
- Health-Related Data. Covering skin conditions, allergies, dermatological signs of aging, or other physical attributes that allow for inferences about a user's health status.
- Personal and Physical Data. Detailed measurements such as height, weight, clothing and shoe sizes, as well as specific fit and style preferences.
- Multimedia and Metadata. High-resolution images and video recordings, supplemented by granular behavioral patterns, real-time location data, and technical device identifiers.
The legal protection afforded to these datasets differs between the U.S. and the EU. The U.S. landscape is shaped by a patchwork of consumer privacy law at state level and an active litigation environment in which data violations can trigger substantial class actions and settlements running into the millions. In the EU, the framework centers on the (cumulative) application of Art. 6 and Art. 9 GDPR, affording consumers a greater degree of control over how their data is collected, stored and used. The following sections provide an overview of applicable legal bases, statutory frameworks, and key litigation dynamics in both jurisdictions.
U.S.: Navigating the litigation landscape
By providing those Tech Tools to consumers, the Beauty & Fashion industry now increasingly faces the same challenges as other industries that process consumer data: class action lawsuits and regulatory scrutiny.
The U.S. lacks a comprehensive federal privacy law, leaving regulation at the state level. Many, but not all, U.S. states have enacted comprehensive data privacy laws. State comprehensive data privacy laws are typically enforced by regulators rather than private individuals, but individuals may still bring private claims for traditional torts such as invasion of privacy. Additionally, every U.S. state has enacted laws requiring citizens to be notified if their personal information is the subject of data breaches.
Class actions are authorized under both state and federal law (Federal Rule of Civil Procedure 23) and can be brought on behalf of any private individual; there is no requirement that the plaintiffs' lawyers must be a consumer representative organization or acting in the public interest. In the privacy space, some of the most common types of class actions are for data breaches, including unlawful data sharing, biometric violations, and common law privacy tort claims. The financial exposure can be substantial: in Lopez v. Apple (N.D. Cal. 2024), a class action settled for USD 95 million following allegations that Apple's virtual assistant Siri had recorded users without permission and shared data with third parties.
Hot spots for litigation and enforcement are Illinois and California, where state-level privacy statutes are particularly restrictive:
Illinois' Biometric Information Privacy Act (BIPA)
Of all U.S. state-level frameworks, BIPA (740 ILCS 14) is the most aggressive biometric law and the most difficult to comply with, and it is unusual in allowing a private right of action. BIPA requires written consent before collecting, storing, or otherwise obtaining biometric information from individuals. This requirement is directly relevant to any size-fitting tool, AR try-on or AI-based skin analysis. Indeed, multiple companies in the Beauty & Fashion space have been targets of BIPA litigation based on their use of the Tech Tools:
- Louis Vuitton North America: A BIPA class action was filed against Louis Vuitton North America, alleging that website visitors using Louis Vuitton's webcam-based virtual try-on tool had their facial geometry scanned and stored without their informed written consent, in direct violation of BIPA. Though voluntarily dismissed without prejudice, the claims could be refiled at any time.
- Neutrogena and Charlotte Tilbury: Neutrogena (Johnson & Johnson) settled a class action suit for USD 4.7 million in February 2026, and Charlotte Tilbury settled for over USD 2.9 million in October 2024, both actions arising from the companies' use of virtual try-on tools which allegedly processed user data that may include biometric data.
In 2024, Illinois amended BIPA to cap damages at USD 1,000 to USD 5,000 per consumer per violative practice, replacing the previous situation where a company could be fined for each specific scan, leading to excessively high damages. The cap provides meaningful relief for companies, but the risk of large-scale class actions remains significant for any company processing data from Illinois residents.
California's Consumer Privacy Act (CCPA)
The CCPA is more restrictive than many other comprehensive state privacy laws. In addition to standard obligations for companies, like safeguarding sensitive data and disclosing data use in privacy policies, the CCPA imposes additional obligations on selling or sharing of personal information, including opt-out rights for consumers.
Given California's market size, the CCPA often sets the standard for brands operating at scale in the U.S. The California Attorney General's Office has also ramped up enforcement in recent years, including against companies in the Beauty & Fashion industry:
- Sephora: In August 2022, Sephora settled with the State of California for USD 1.2 million under the CCPA, following allegations that it had allowed third parties to place tracking tools on its retail websites without disclosing this to consumers or providing an opt-out mechanism. Under the CCPA, permitting third parties to access consumer personal information through such tools constitutes a "sale" of that information, triggering disclosure and opt-out obligations. The Sephora case serves as a clear warning to beauty brands operating tracking or data-sharing arrangements with advertising or analytics partners.
Key takeaway
Taken together, these developments reflect an accelerating trend: virtual try-on, skin diagnostics, and data-sharing practices are attracting legal challenges. The highly active plaintiffs' bar and well-established class action mechanism make data privacy violations a frequent and costly litigation target. Thus, Beauty & Fashion brands must treat U.S. data privacy compliance as a front-line priority.
EU: Stringent privacy protections
While the EU has not yet seen the same volume of data-related mass claims as the U.S., the litigation environment has shifted considerably following the transition toward collective redress. The EU Representative Actions Directive (EU 2020/1828) empowers authorized associations to pursue damages on behalf of large groups of consumers, creating material litigation exposure for companies that process personal data and special categories of personal data through Beauty & Fashion Tech Tools. In addition, individual consumers across the EU retain the right to claim damages for data violations under Art. 82 GDPR.
Applying Art. 6 and Art. 9 GDPR to beauty & fashion tech tools
Data processing through Beauty & Fashion Tech Tools could engage two cumulative legal bases: the legal bases for processing personal data under Art. 6(1) GDPR and the special requirements for processing special categories of personal data under Art. 9(1) GDPR. If either legal basis applies, companies face litigation or regulatory scrutiny. The bar for processing sensitive data under Art. 9 GDPR is deliberately high.
- Scope of Art. 9 GDPR: Art. 9(1) GDPR establishes a prohibition subject to permission (processing is prohibited unless an exception applies) and covers the processing of special categories of data, including health data and biometric data. For example, the European Court of Justice applies a rather broad understanding of health data in Lindenapotheke (Case C-21/23). Biometric data, by contrast, only qualifies as a special category where it is processed through technical means specifically to identify a natural person; not every face scan or video recording automatically constitutes the processing of sensitive data within the meaning of Art. 9 GDPR, though it could still require a legal basis under Art. 6(1) GDPR. Whether Art. 9 GDPR or Art. 6 GDPR is engaged must be assessed on a case-by-case basis, having regard to the specific tool and purpose of processing at issue.
- Limited exceptions: The exceptions for lawful processing of sensitive data in Art. 9(2) GDPR are exhaustive. For special category data, processing may be lawful on grounds of explicit consent, necessity to protect vital interests or medical treatment in the health care system. Processing of personal data that does not qualify as sensitive data under Article 9 GDPR can be based on the grounds listed in Art. 6(1) GDPR, including consent, contractual necessity or legitimate interest (balancing test).
- (Explicit) Consent: Consent under Art. 9(2)(a) GDPR must be explicit, freely given, and informed. This is a higher standard than the consent required under Art. 6(1)(a) GDPR. In both cases, pre-ticked boxes, implied consent, or bundled consent clauses will not suffice. In any event, for consent under Art. 9(2)(a) and Art. 6(1)(a), specific consent is required, meaning that product hyper-personalization and AI training cannot be covered by a single consent.
- Narrow public interest grounds: For companies deploying Beauty & Fashion Tech Tools, legal bases such as substantial public interest or medical treatment in the health care system are unlikely to apply, leaving explicit consent or, in limited cases, the manifestly public data exception as the only realistic options.
- Regulatory scrutiny: Data protection authorities have consistently taken a strict approach with regard to the processing of sensitive data, and enforcement actions in this space have resulted in significant fines.
In practice, even where a specific tool does not engage the processing of sensitive data under Art. 9 GDPR, all processing of personal data requires a legal basis under Art. 6(1) GDPR. Companies must ensure that every data point – regardless of its sensitivity – is processed on a valid legal basis and in compliance with the general data processing principles, such as purpose limitation and data minimization.
Data-related class actions: liability and enforcement considerations
The use of biometric, health-related and personal data translates into significant litigation and enforcement risks for Beauty & Fashion companies. Under the GDPR, processing sensitive data requires both a valid legal basis under Art. 6(1) GDPR and an exemption under Art. 9(2) GDPR. A single flaw in the consent process renders the entire processing operation unlawful, and because personal data is collected from large consumer bases at scale, one compliance failure can instantly create the basis for mass civil litigation. With the EU Representative Actions Directive (EU 2020/1828) firmly in place, U.S.-style class action exposure is no longer a future prospect: it is a present reality.
The consequences are severe: substantial damages under Art. 82 GDPR; administrative fines up to EUR 20 million or 4 percent of global annual turnover; and regulatory sanctions including processing bans, criminal liability and reputational damage, including under Art. 84 GDPR in conjunction with § 42 BDSG (Germany), Art. 226-16 et seq. Code Pénal (France), and Art. 167 Codice della Privacy (Italy).
Key takeaway
Beauty & Fashion brands operating in the EU must recognize that data protection violations, particularly those involving biometric and health-related data, now carry very real litigation risks. The EU Representative Actions Directive (EU 2020/1828) has created structural conditions for U.S.-style class action exposure; a single consent failure can serve as the basis for claims spanning millions of consumers. Investing in robust privacy governance and legally sound notice and consent mechanisms is a strategic imperative for protecting against litigation and ensuring financial health, positive regulatory standing, consumer trust, and long-term brand reputation.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2026 White & Case LLP