The Cosmetic Industry and Augmented Reality: Biometric Data Collection and the Privacy Paradox

Amalia Kurniaputri, Secretary General of ELSA Tilburg

When it comes to cosmetics, buyers must see and test the product to decide whether it matches their skin tone or is eye-catching to wear; they are unlikely to buy cosmetics blindly and impulsively. As a result of the COVID-19 predicament, the cosmetic industry has been driven to be technologically innovative to provide such experiences with consumer-facing technology.1 This technology has now acquired a critical role in customer and shopping experiences, allowing customers to feel as if they are at a physical store while staying at home.2 Ulta Beauty's GlamLab virtual try-on tool, for instance, has increased consumer engagement fivefold, with over 19 million shade try-ons.3 Ulta Beauty also recently unveiled Skin Analysis,4 which uses biometric collection to analyse skin and provide recommendations and product recommendations for concerns such as hyperpigmentation and fine wrinkles. The feature of choosing and testing cosmetic products online has expanded to other brands: Maybelline New York with ‘Maybelline Virtual Try-On Makeup Tool’ and Chanel with ‘Chanel Lipscanner.’ On the other hand, as these technologies were designed to meet the needs and interests of specific customers, they may also expose individuals to identity-based attacks. This essay looks at how a cosmetic company, in this example Ulta Beauty, uses biometric data collection and processing through consumer-facing technologies while elegantly wrapping it in self-fulfilment activities. The privacy paradox in personalised shopping will also be addressed. Although Ulta Beauty is a US-based corporation that adheres to the California Consumer Privacy Act and the Schrems II ruling, the case may underline the need for privacy awareness in the shopping experience.

1 Martha Anne Coussement and Thomas J. Teague, 'The New Customer-Facing Technology: Mobile And The Constantly-Connected Consumer' (2013) 4 Journal of Hospitality and Tourism Technology.

2 Rosy Boardman, Claudia E. Henninger, Ailing Zhu, ‘Augmented Reality and Virtual Reality – New Drivers for Fashion Retail?’ in Gianpaolo Vignali, Louise F. Reid, Daniella Ryding, and Claudia E. Henninger (eds), Technology-Driven Sustainability Innovation in the Fashion Supply Chain (Palgrave Macmillan, 2019).

3 Kristin Larson, ‘Beauty’s New Frontier: How Technology Is Transforming The Industry, From Virtual Reality To Livestreaming’ (Forbes, 9 January 2021) <https://www.forbes.com/sites/kristinlarson/2021/01/09/the-new-beauty-frontier-where-digital-amplifiesbeauty/?sh=4c22100124f3> accessed 16 September 2021.

4 Ibid.

Biometric Data Collection in Virtual Try-On Makeup

Biometric data is personal information derived through technological processing of a natural person's physical, physiological, or behavioural traits that allows or confirms that natural person's unique identity, such as a face image or dactyloscopy data.5 In the present case, data for the personalisation facilities of the try-on make-up feature is gathered when customers provide their biometric data or interact with the technology.6 The data was collected and processed for marketing and sales strategies and for other reasons disclosed to the customer at the time of collection. The fact that this data may be shared with third parties, which reveals the extent to which the data is handed over, poses an identity-based vulnerability considering the sensitive nature of the information. To put it another way, if an unauthorised user has access to certain facial data, they may use that information to identify that individual and take whatever action they wish, whether lawful or unlawful. Since the GDPR has no precise rules for processing biometric data, the rights to privacy and data protection could be violated. According to Kindt,7 using facial images and biometric features for identification purposes, in general, may violate other fundamental rights such as freedom of expression and the right to assemble and associate. The biometric data gathered is also seen as an aspect of “private life.” In S. and Marper v. the United Kingdom,8 the Court expanded "private life" protection to include not just a person's name but also their physical and psychological integrity, as well as numerous aspects of their physical, social, and ethnic identities. On that account, appropriate and comprehensive protection is necessary as a preventative measure against the emergence of the greatest risks, such as covert identification and function creep. Recognising the risks associated with biometric technologies should become a primary focus for every country.

5 Article 4(14) GDPR.

6 Para. 9, ULTA.com Privacy Policy <https://www.ulta.com/company/privacy/> accessed 16 September 2021.

7 E. Kindt, ‘Privacy and Data Protection Issues of Biometric Applications. A Comparative Legal Analysis.’ (1st edn, Dordrecht, 2013) Para. 35, Chapter 4.1.1.3.1.

8 Para. 66, S. and Marper v the United Kingdom, European Court of Human Rights, Applications nos. 30562/04 and 30566/04.

The Privacy Paradox relating to Cosmetic Customer Experiences with Virtual Try-On Makeup

The primary purpose of adopting virtual try-on features for customer experiences was to deliver a personalised experience. For that reason, many customers unknowingly prioritise the benefits to themselves and overlook the risks, a phenomenon known as the privacy paradox.9 As per the Privacy Calculus Theory, since the apparent benefits outweigh the perceived risks, privacy issues are frequently neglected, resulting in information exposure in exchange for economic benefits, personalisation, convenience, and social benefit.10 Additionally, previous research has indicated that, despite online customers' worries about privacy, they occasionally willingly divulge personal information and accept being tracked and profiled in exchange for retail value and personalised services.11 Therefore, the privacy paradox poses the question of whether customers, and society in general, are fully ready for the digital era and conscious enough to set aside their biases in order to preserve their personal information. Conversely, the privacy paradox is important for a business like Ulta Beauty. This is because the privacy paradox narrative defines the scope of corporate responsibility as relatively narrow: if customers are presented as relinquishing privacy when online, businesses have little to no responsibility to acknowledge or satisfy privacy protection.12 Such practices may be viewed as creating inadequate privacy safeguards, which may contribute to biometric data-related risks. Accordingly, Stefanie Pötzsch13 noted that in order to prepare societies for the digital era and tackle the privacy paradox, businesses should develop tools and features that are designed to influence people’s behaviour and increase privacy awareness. Lastly, Article 12(1) GDPR mandates taking the appropriate steps to distribute information in a comprehensible and easily accessible way. While Ulta Beauty's privacy policy is comprehensive regarding what data was gathered and processed and for what purpose, it may be impractical for certain people to read and analyse the policy. Customers using virtual try-on make-up should be informed through specific application tools (for instance, a pop-up informed consent prompt) about what data is gathered apart from cookies, because the two are not the same, rather than relying on automated individual decision making.

9 Susanne Barth and Menno D. T. de Jong, ‘The privacy paradox – Investigating discrepancies between expressed privacy concerns and actual online behavior – A systematic literature review’ (2017) 34(7) Telematics and Informatics <https://www.sciencedirect.com/science/article/pii/S0736585317302022#bb0420> accessed 16 September 2021.

10 Dave Wilson and Joseph S. Valacich, ‘Unpacking the privacy paradox: Irrational decision-making within the privacy calculus’ in Thirty Third International Conference on Information Systems, ICIS 2012 (2012) <https://aisel.aisnet.org/icis2012/proceedings/ResearchInProgress/101/> accessed 16 September 2021.

11 Lemi Baruh, Ekin Secinti, Zeynep Cemalcilar, ‘Online Privacy Concerns and Privacy Management: A Meta-Analytical Review’ (2017) 67(1) Journal of Communication <https://doi.org/10.1111/jcom.12276> accessed 17 September 2021; S. Shyam Sundar, Hyunjin Kang, Mu Wu, Eun Go, Bo Zhang, ‘Unlocking the Privacy Paradox: Do Cognitive Heuristics Hold the Key?’ in M. Beaudouin-Lafon, P. Baudisch, & W. E. Mackay (eds), CHI EA 2013 – Extended Abstracts on Human Factors in Computing Systems: Changing Perspectives (Association for Computing Machinery, 2013).

Conclusion

In closing, the make-up try-on technology uses biometric collection to analyse and identify individual personalisation for the cosmetics we have picked. Customers must carefully balance their desires and needs when utilising technological features that take advantage of personalisation in order to preserve privacy. When a person is digitally ready, they can leverage the technologies they are using and are aware of them, including their consequences. The act of choosing to be unaware, ipso facto, has a long-term influence on the privacy data issue for both customers and businesses. The price of privacy does not outweigh the benefits. Consequently, both customers and businesses must share the burden of privacy awareness; businesses must provide tools to enhance privacy awareness, whereas customers must strengthen their sense of protecting their privacy.

12 Kirsten Martin, ‘Breaking the Privacy Paradox: The Value of Privacy and Associated Duty of Firms’ (2019) 30(1) Business Ethics Quarterly <https://www.cambridge.org/core/journals/business-ethics-quarterly/article/breakingthe-privacy-paradox-the-value-of-privacy-and-associated-duty-of-firms/F7A893CB4C537B0DB4CC3914DF9B9DFA> accessed 16 September 2021.

13 Stefanie Pötzsch, ‘Privacy Awareness: A Means to Solve the Privacy Paradox?’ in V. Matyáš et al (eds), The Future of Identity (IFIP International Federation for Information Processing, 2009).