AI Beauty Tools Like MAC’s Could Be Spying on You: What the Lawsuit Reveals

Virtual try‑on tools and skin‑scanner apps have become a fixture in beauty shopping. You hold your phone to the camera, see how a lipstick shade looks on your face, or get a “skin age” analysis. What many users don’t realize is that these features often rely on facial recognition and biometric analysis, and the data they collect may be more sensitive—and less protected—than you expect.

A recent class‑action lawsuit against MAC Cosmetics has brought these privacy practices into the spotlight. While the case is still unfolding, it serves as a useful reminder to think twice before letting any app scan your face.

What happened

In June 2026, a class‑action complaint was filed against MAC, a well‑known cosmetics brand owned by Estée Lauder. The lawsuit, brought in Illinois, alleges that MAC’s virtual try‑on tools—both on its website and in its mobile app—collect, store, and share users’ biometric data without proper consent. Specifically, the suit claims that when a user uploads a selfie or uses the live camera to “try on” makeup, the software captures a detailed map of facial geometry, including measurements of the distance between eyes, nose shape, and jawline.

Illinois has one of the strictest biometric privacy laws in the United States, the Biometric Information Privacy Act (BIPA). It requires companies to get explicit, written consent before collecting biometric identifiers, and to publish clear data‑retention policies. The lawsuit argues that MAC did neither.

At this stage, the allegations are exactly that—allegations. MAC has not yet responded in court, and there is no ruling on whether the company broke the law. But the case has drawn attention because MAC is far from the only beauty brand using this technology. L’Oréal, Sephora, and many indie brands offer similar features.

Why it matters

Biometric data—your face, fingerprints, iris scans—is fundamentally different from other personal information. You can change a password or get a new credit card number. You cannot change your face. Once your facial geometry is stored by a third party, it can be used for identification, tracking, or even re‑sold to data brokers without your knowledge.

Here are the concrete risks:

  • Data breaches. Any company that stores a database of facial scans is a high‑value target. If the data leaks, your biometrics are permanently exposed.
  • Third‑party sharing. Many beauty AI tools are powered by outside vendors (e.g., ModiFace, YouCam, or Perfect Corp.). The app developer may share your scan with those partners, or with advertisers, under vague privacy policies.
  • Profiling and discrimination. Skin‑analysis tools often claim to detect “skin age,” pigmentation, or oiliness. That data could be used to build a profile about your health, income, or lifestyle, and could influence the prices you see for beauty products or insurance.
  • Lack of consent. Most users tap “Allow” on a camera permission without reading a full privacy notice. BIPA‑style laws are designed to force a pause, but in most states there is no such requirement.

The MAC lawsuit will test whether beauty brands can claim that virtual try‑ons are just “images” (not subject to biometric laws) or whether they count as biometric data collection. The outcome could affect every company that asks you to pose for a camera.

What readers can do

You don’t have to stop using virtual try‑ons entirely, but a few steps can reduce your exposure:

  1. Check app permissions. On your phone, go to Settings > Privacy > Camera (iOS) or App permissions > Camera (Android). Look at which apps have camera access. Disable it for any beauty app you do not absolutely trust. You can also revoke access after use.

  2. Use on‑device processing. Some newer beauty apps, especially those built with Apple’s ARKit or Google’s ML Kit, process facial data entirely on your phone and never upload it. Look for phrases like “on‑device” or “local processing” in the privacy policy. If the policy is vague, assume the data is sent to a server.

  3. Avoid uploading photos from your gallery. Many try‑on tools let you take a selfie live or pick one from your camera roll. Uploading a photo from your library sends a stored image (which may contain your face and metadata) to the company’s servers. Prefer the live camera if you must use the feature—and immediately delete any captured images if the app offers that option.

  4. Read the privacy policy—especially the “biometrics” section. Search the policy for words like “biometric,” “facial geometry,” “image analysis.” If the policy says data is shared with third parties for “analytics” or “improve our services,” treat that as a red flag.

  5. If you live in Illinois, Texas, or Washington, know your rights. These states have biometric privacy laws. If a company collects your face scan without clear consent, you may have a legal claim. In other states, no such law exists, so you are relying on the company’s own promises.

  6. Consider privacy‑focused alternatives. Some beauty brands offer try‑on tools that work without saving images. For example, Sephora’s Virtual Artist (at the time of writing) processes images in‑session and says it does not store them. Still, verify before trusting.

Sources

  • “MAC lawsuit highlights privacy risks in AI beauty tools, says expert,” Personal Care Insights, June 23, 2026.
  • Illinois Biometric Information Privacy Act (740 ILCS 14).
  • Consumer reports and privacy analyses of virtual try‑on apps by the Electronic Privacy Information Center (EPIC) and Mozilla’s Privacy Not Included guide.

The MAC case is a reminder that convenience and privacy do not have to be enemies, but they rarely align by default. Taking a few minutes to review how an app handles your face data is a small price for keeping your most personal identifier out of someone else’s database.