November 7, 2025
Cosmetics brands are increasingly turning to AI-driven facial skin analysis tools to deliver personalized skincare recommendations. These tools invite consumers to upload facial images or engage in real-time video capture, enabling algorithms to assess skin issues such as dryness, hyperpigmentation, and blemishes to recommend the best product to resolve users’ skin concerns or identify products in response to user preferences and profiles. While this technology promises tailored experiences and higher brand engagement, it also raises significant privacy concerns. When facial images are processed for identification or analysis in virtual try-on services, they may be treated as biometric data under UK, EU and U.S. privacy regimes, requiring more onerous legal obligations.
Biometric data is personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow the unique identification of that natural person, and this includes facial images. As biometric data can be used for the purpose of uniquely identifying an individual, it is treated as more sensitive data which requires extra protection.
In Europe and the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR classify biometric data used for unique identification as “special category data”. The regulations require that brands establish a lawful basis for processing, which in the consumer-facing context of cosmetics, means obtaining explicit consent. Such consent must be freely given, specific, informed, and unambiguous, and brands should avoid bundling it with other terms or making it a condition of service unless strictly necessary. Given that facial imaging is a high-risk activity, brands are also required to conduct Data Protection Impact Assessments (DPIAs) before implementing such tools, and to provide clear, accessible privacy notices explaining how data will be used, stored, and shared. Given the sensitive nature of facial images, brands must implement technical and organizational measures to protect the data, including encryption, strict access controls, and regular security audits. Regulatory authorities, such as the UK’s Information Commissioner’s Office, have repeatedly stressed that biometric technologies should only be deployed when they are necessary and proportionate to achieve a legitimate aim. Failure to meet these standards can result not only in financial penalties but also reputational damage, which is particularly acute in the luxury cosmetics sector where consumer trust is paramount.
Of further note is that the EU AI Act introduces a new layer of regulation targeting biometrics. This includes biometric categorization systems which assign individuals to specific categories based on their biometric data. However, the definition excludes biometric categorization purely ancillary to commercial services, such as virtual try-on features.
In the United States biometric data regulation is left to a patchwork of state-level statutes.
The most stringent privacy laws have been enacted by the Illinois Biometric Information Privacy Act, which requires organizations to obtain written informed consent before collecting or using biometric identifiers, such as scans of facial geometry. It also mandates clear retention schedules and prohibits the sale or profit from biometric data. The consequences of non-compliance can be severe as BIPA provides a private right of action, enabling individuals to sue for statutory damages.
A further example is the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), which takes a broader approach. While not exclusively focused on biometrics, it classifies biometric data as a category of personal information, and includes imagery of the face from which an identifier template like a faceprint can be extracted. Biometric information is considered sensitive personal information when processed for the purpose of uniquely identifying a consumer. CCPA, as amended, grants consumers rights to access, delete, and opt out of the sale or sharing of personal information as well as limit the use of sensitive personal information.
An increasing number of states are considering enactment of privacy laws, signaling a trend toward greater regulation. Brands should therefore stay up to date with their expanding obligations across emerging jurisdictions, as failure to comply can result in substantial financial liability. For luxury cosmetics brands, the current fragmented landscape poses significant challenges. A single online facial analysis tool may attract users from multiple jurisdictions, each with different consent standards, retention rules, and enforcement risks. Companies must therefore adopt a multi-layered compliance strategy, harmonizing practices across states while anticipating future legislative developments. This often means implementing the highest common denominator, such as explicit consent and robust deletion protocols, to minimize risk and maintain consumer trust.
Implementing facial skin analysis tools requires a strategic approach to privacy compliance. In-house counsel should ensure that privacy considerations are embedded from the outset, rather than treated as an afterthought. The following measures can help cosmetics brands balance such innovations with regulatory obligations and consumer trust:
Whilst this article has focused on the privacy risks and compliance obligations associated with biometric data, which are subject to the strictest regulatory requirements, cosmetics brands should be aware that facial analysis tools routinely collect a broader spectrum of personal data. This includes device and location data, user-provided details (such as email, age, and preferences), behavioral and interaction logs, and AI-inferred insights about individuals. Addressing privacy risks and compliance obligations for all these data categories is essential for maintaining consumer trust and meeting legal standards.
Biometric Privacy Information Act (BIPA), General Data Protection Regulation (GDPR), data assets, privacy policy, California Consumer Privacy Act (CCPA)
Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.
Federal Circuit IP Blog
July 8, 2026
Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.