MAC lawsuit highlights privacy risks in AI beauty tools, says expert

The personal care industry’s deployment of AI tools is exposing legal vulnerabilities around consumer consent and data privacy. Beauty brand’s AI-powered tools are drawing questions on biometric privacy, and MAC Cosmetics is the latest to face potential consequences.

On June 4, a US federal judge in Illinois denied MAC Cosmetics’ motion to dismiss a consumer’s data privacy suit. The class action, which will now proceed, was filed by an Illinois resident who is accusing the beauty retailer of collecting imagery of her facial geometry and biometric data via its in-store and online virtual try-on services without adequate disclosures or written consent.

In its motion to dismiss the suit, MAC argued that the Biometric Information Privacy Act (BIPA) applies to biometric data capable of identifying a person and that the plaintiff had not plausibly alleged MAC could identify her from the virtual try-on data.

According to Ceren Canal Aruoba, managing director of consulting firm Berkeley Research Group, the lawsuit may be indicative of brewing tension between the cosmetic industry’s rise of AI-powered imagery, data privacy, and informed consent.

Personal Care Insights sits down with Aruoba to discuss the potential legal risks of AI-driven personalization tools, where vulnerabilities arise, and other such cases in the beauty industry. She predicts that AI-related litigation may extend beyond biometrics and into the technology’s influence on consumer beliefs, perceptions, and decision-making.

“As AI becomes more embedded in routine consumer interactions, these potential expectation gaps may become increasingly salient, and could, in some circumstances, serve as a focal point in future disputes,” says Aruoba.

Personal Care Insights has reached out to MAC Cosmetics’ parent company, The Estée Lauder Companies, for comment, but received none by the time of publication.

Data privacy in AI beauty tech

The MAC lawsuit centers on AI-powered virtual try-on technology and biometric data collection. According to court documents, the plaintiff, Fiza Javid, “plausibly” alleged that MAC collected her biometric information capable of identifying her when paired with her customer account data, enough so that the case could proceed.

AI beauty tools are facing greater legal scrutiny.

“Statutory frameworks such as BIPA, which permit claims without proof of actual harm and provide for statutory damages, can create incentives for class-wide litigation, especially when applied to scalable technologies where multiple interactions could be alleged to constitute violations,” says Aruoba.

In court filings, MAC argued that under BIPA, the terms “biometric information” and “biometric identifier” only cover data that can be used to identify someone. The company maintained that the case failed to state a claim because Javid had not plausibly alleged that the company could identify her through data captured by its virtual try-on tool.

The court agreed with MAC on the need to allege identifiability, but found Javid’s allegations sufficient at this stage when considered alongside Javid’s customer account and information available to MAC. According to the court, MAC’s customer relationship and commercial incentives supported the inference that collected data could potentially be linked to Javid’s identity.

The court document stated that the company possessing the ability to identify customers through biometric data “would permit the retailer to amass a host of valuable information — e.g., who used its virtual try-on mechanism, what products this customer virtually tried on, and whether the virtual try-on converted into actual sales.”

Consumer consent intricacies

According to Aruoba, the MAC data privacy lawsuit hinges on the intricacies of consumer consent. She underlines that situations where data collection is dependent on the company’s disclosures are seeing a particular rise in legal attention.

“This broader trend has been shaped in part by evolving privacy regimes and increased scrutiny of how firms operationalize notice and consent, and the incorporation of AI-driven

Virtual try-on services may raise biometric privacy concerns.

tools may further add to that complexity in ways that could increase legal activity over time,” says Aruoba.

From a consumer behavior perspective, Aruoba explains that the rise in these legal cases can be attributed to potential tension in the discrepancy between the data required to effectively execute AI-powered personalization and the “well-documented limits in consumer attention, comprehension, and decision-making.”

AI-powered personalization technologies, such as the virtual try-on tool in the MAC case, may offer advantages like reducing uncertainty and enhancing product evaluation. However, Aruoba states that how the technology is achieved, such as the capture of facial geometry, may not be apparent to the consumer at the point of interaction.

“In such circumstances, consumers may place greater weight on the immediate utility of the experience and comparatively less on underlying data practices, consistent with established findings on salience and bounded rationality,” she says.

“As a result, even where disclosures are provided, there is a possibility that they are not fully processed in the moment, particularly when consumer attention is directed toward product selection.”

According to Aruoba, this discrepancy between consumer comprehension and the technical operation of the tool may lead to a designation of lacking informed consent.

With the growing prevalence of AI-enabled personalization tools, Aruoba says that potential litigation exposure may increase in parallel.

Piling precedents

Aruoba tells us that cases of lawsuits on the grounds of mishandled consumer consent with AI-enabled tools are likely already on the radar of personal care companies.

She points to the example of Kenvue subsidiary Neutrogena, which agreed to a proposed US$4.7 million settlement over similar allegations in February 2026. The suit, put forward by plaintiffs from Illinois, alleged that Neutrogena’s Skin360 scanning technology collected and stored biometric data without informed consent.

As a result, she says that the MAC case is more likely to be reinforcing an emerging pattern rather than exposing something new in this arena of privacy law.

“What these cases may signal, however, is a potential shift in emphasis from a primary focus on what firms formally disclose, to a closer examination of what consumers reasonably understand from those disclosures in practice,” she says.

AI-powered personalization is reshaping beauty retail risks.

“From a consumer behavior perspective, this distinction can be meaningful, as research has shown that consumer comprehension does not always track the presence or completeness of disclosures.”

According to Aruoba, the extent to which courts and regulatory bodies place emphasis on the distinction between corporate disclosure and consumer comprehension may “raise the bar” on how companies design and implement AI-enabled consumer experiences.

“In turn, this may place greater importance on cross-functional coordination among legal, regulatory, marketing, and product teams as part of broader AI governance efforts aimed at maintaining consumer trust.”

She highlights that this field of law and its considerations are continuously evolving. Thus, she says it is pertinent to evaluate their facts on a case-by-case basis.

Where AI-related litigation is headed

Aruoba suggests that the next wave of AI-related litigation may move beyond biometric privacy to focus more directly on how AI systems influence consumer behavior.

“In particular, issues such as algorithmic bias, transparency, and potential consumer deception could give rise to risks that, in some contexts, may be comparable to current privacy-related claims,” she says.

She offers a hypothetical in which an AI system may produce outcomes that differ across consumer groups, leading to potential discrimination claims.

“Similarly, the opacity of certain AI systems may contribute to situations in which consumers do not fully understand how recommendations or outputs are generated, which in turn could create disputes over whether adequate disclosures or warnings were provided,” she illustrates.

She also tells us that these dynamics may lead to increased scrutiny of marketing claims surrounding AI-enabled products or services, “particularly where consumers might reasonably rely on those claims in forming expectations about performance or accuracy.”