MAC Lawsuit Exposes Privacy Risks in AI Beauty Tools — What to Know

Virtual makeup try-ons and AI-powered beauty tools have become standard features on retailer websites and brand apps. They promise a convenient way to test lipstick shades or foundation colors without stepping into a store. But a recent lawsuit against MAC Cosmetics has raised questions about what happens to the data these tools collect — and whether users are giving informed consent.

If you have ever used a virtual try-on feature to see how a product looks on your face, your biometric data may have been captured, stored, or shared in ways you did not expect. Understanding what the MAC lawsuit alleges and how it applies to similar tools can help you make more informed choices about your privacy.

What happened

MAC Cosmetics, a brand owned by Estée Lauder, is facing a lawsuit over its virtual try‑on technology. The complaint, filed under Illinois’ Biometric Information Privacy Act (BIPA), alleges that MAC’s AI beauty tool collected facial scans and other biometric data without proper notice or consent, and that this data was shared with third parties for purposes beyond providing the try-on service.

BIPA is one of the strictest biometric privacy laws in the United States. It requires companies to inform users in writing about what biometric data is being collected, why it is being collected, and how long it will be stored. Companies must also obtain written consent before collecting such data. The MAC lawsuit claims the brand failed to meet these requirements.

Although the case is still in its early stages, it has drawn attention to a wider practice in the beauty industry. Many brands use similar AI-powered virtual try-on features, often provided by third-party vendors. The data collected can include measurements of facial features, skin tone analysis, and even estimates of age or skin type. The lawsuit suggests that this data may have been used for purposes like training AI models or improving product recommendations — without clearly informing users.

Why it matters for consumers

The privacy risks highlighted by the MAC lawsuit are not unique to one brand. AI beauty tools are widely deployed by retailers, cosmetics companies, and even social media platforms. When you use such a tool, you are typically giving the company access to a detailed map of your face. Biometric data is considered sensitive because it is uniquely tied to your identity, and unlike a password, you cannot change it.

Many users assume that the data is processed locally on their device or deleted immediately after the session. In practice, that is not always the case. Facial scans and skin tone readings may be uploaded to a company’s servers, stored for an indefinite period, and shared with analytics or advertising partners. The exact data practices depend on each app or website’s privacy policy, but consumer protection experts argue that these policies are often vague or hard to find.

Beyond individual risks, the lawsuit has broader implications for regulation of AI in retail. If the court finds that MAC’s practices violated BIPA, it could set a precedent affecting how other beauty brands handle biometric data. It could also lead to more scrutiny from regulators and pressure on companies to design these tools with privacy in mind from the start.

What you can do to protect your data

You do not have to stop using virtual try‑on tools entirely, but it helps to take a few precautions.

First, check whether the tool is offered directly on the brand’s website or as a separate app. Browser-based try‑ons may still collect data, but they often provide a setting to disable camera access after the session. In your browser’s permissions settings, you can revoke camera access for that site once you are done. For apps on your phone, review the permissions regularly: does the app need camera access at all times, or only when you use the try-on feature? Deny “always” permission if it is not necessary.

Second, avoid saving or uploading a photo of your face to a beauty tool unless you understand how that image will be used. If the tool asks you to take and upload a selfie for a personalized recommendation, find out whether the photo is stored on the company’s servers and for how long. Some tools process images on‑device and never upload them, but many do not. When in doubt, search the company’s privacy policy for phrases like “facial recognition,” “biometric data,” or “third‑party sharing.”

Third, look for a one-time try-on option. Many websites allow you to use the virtual mirror without creating an account or logging in. That reduces the amount of data tied to your identity. If the tool requires you to sign in, consider using a temporary email or a limited profile.

Finally, be cautious about granting consent in one click. Some try-on tools include a checkbox to agree to terms that may authorize data collection for research or marketing. Read the consent language, even if it takes a minute. If the brand is based in a state with a biometric privacy law (like Illinois, Texas, or Washington), you have additional legal protections, but you still need to know your rights.

The MAC lawsuit is a reminder that even routine interactions with AI beauty tools can have privacy implications you might not anticipate. Staying informed about what data is collected and who has access to it is one of the most effective steps you can take to protect your digital privacy.

Sources: Personal Care Insights (“MAC lawsuit highlights privacy risks in AI beauty tools, says expert,” June 23, 2026); Illinois Biometric Information Privacy Act (740 ILCS 14).