The MAC Lawsuit Reveals Privacy Risks in AI Beauty Tools — Here’s What to Know

If you’ve ever used a virtual try-on to see how a lipstick shade looks on your skin, you’ve handed over a detailed scan of your face. A recent lawsuit against MAC Cosmetics—owned by Estée Lauder—alleges that the company collected and shared users’ facial data without proper consent. While many beauty brands offer these AI-powered tools as a fun and convenient feature, the legal case raises real questions about what happens to your biometric information once you point your camera at the screen.

What the MAC Lawsuit Is About

The lawsuit, filed in Illinois, claims that MAC’s virtual try-on technology captured “face geometry” and other biometric data from users without providing clear notice or obtaining the informed consent required under the Illinois Biometric Information Privacy Act (BIPA). According to the complaint, this data was used not only to render makeup on a user’s photo but also for analytics and may have been shared with third parties. Similar legal actions have been brought against other beauty retailers and tech companies in recent years, suggesting the practice is more common than many consumers realize.

MAC has not yet responded publicly to the specific allegations, and the case is in its early stages. But the core issue—collection of highly sensitive biometric data without explicit permission—is well established in privacy law and bears watching for anyone who uses these tools.

Why This Matters for Anyone Using Virtual Try-Ons

AI beauty tools typically scan your face to detect features like eye shape, nose position, lip outline, and skin tone. This isn’t just a picture; it’s a biometric map that can, in theory, be used to identify you uniquely. Laws like BIPA and Europe’s GDPR treat such data as especially sensitive because, unlike a password or email address, you can’t change your face if it gets leaked.

The risks are twofold. First, your facial data could be stored indefinitely and later exposed in a breach, sold to advertisers, or used for surveillance-style applications you never agreed to. Second, even if a company promises not to misuse the data, you have little control once it leaves your phone. The MAC lawsuit highlights that even respected brands may not be following best practices when it comes to transparency.

Steps You Can Take to Protect Your Privacy

You don’t have to stop using virtual try-ons altogether, but taking a few precautions can reduce your exposure.

  • Check the privacy policy before you grant camera access. Look for clear language about what data is collected, how long it’s stored, and whether it’s shared with third parties. If the policy is vague or says “we may share with affiliates,” assume your face scan could be passed around.

  • Use temporary sessions when possible. Some apps let you try on makeup without creating an account or saving your photo. If that option is available, choose it. The less data stored, the less that can be misused.

  • Avoid uploading a clear, full-face photo from your gallery. Many tools allow you to snap a live selfie instead. A live image is still collected, but you can at least refuse to let the app access your stored photos.

  • Know your state’s rights. If you live in Illinois, Texas, Washington, or New York, you may have additional protections under state biometric privacy laws. In those states, companies are generally required to inform you and get your explicit opt-in before collecting facial data.

  • Revoke camera permissions after you’re done. On both iOS and Android, you can go into settings and turn off camera access for that app. This doesn’t delete data already collected, but it prevents future scanning.

  • Consider using a browser-based version instead of a dedicated app. Browser tools often have limited ability to store or transmit data compared to full mobile apps, though this varies.

What Comes Next

The MAC lawsuit is a reminder that the convenience of AI beauty tools comes with trade-offs that aren’t always visible. While regulation in the U.S. remains patchy—BIPA is one of the strongest laws, but most states lack similar protections—legal pressure is beginning to push brands toward more transparent practices. For now, the best defense is to treat any virtual try-on as a data collection event and act accordingly.

Sources:

  • Personal Care Insights, “MAC lawsuit highlights privacy risks in AI beauty tools, says expert,” June 2026.
  • Illinois Biometric Information Privacy Act (740 ILCS 14).