Why the MAC lawsuit should make you rethink AI beauty apps

Why the MAC lawsuit should make you rethink AI beauty apps

If you have ever used a virtual try-on tool to see how a shade of lipstick or foundation looks on your face, you are not alone. These AI-powered features are now common on beauty brand websites and apps. But a recent lawsuit against MAC Cosmetics raises serious questions about what happens to the facial data you hand over in exchange for a digital preview.

The lawsuit, filed in Illinois, alleges that MAC’s virtual try-on tool collected biometric data (a detailed map of users’ faces) without obtaining proper informed consent. The case draws on the state’s Biometric Information Privacy Act (BIPA), one of the strongest such laws in the United States. BIPA requires companies to inform people in writing that their biometric data is being collected, explain the purpose and how long it will be stored, and get a signed release. The MAC suit claims none of that happened.

What really happens when you try on makeup virtually?

When you use an AI beauty tool, the camera captures your facial image. Behind the scenes, software analyzes dozens of reference points—the shape of your eyes, the curve of your jaw, the texture of your skin. This information is turned into a mathematical representation of your face: a biometric template.

This template can be stored on the company’s servers, shared with third-party analytics firms, or used to train other AI models. Unlike a password, you cannot change your face if it is leaked. That is why BIPA and similar regulations treat facial geometry with extra caution.

The MAC lawsuit is not an isolated incident. Other beauty apps and augmented reality filters have faced scrutiny over their data practices. A 2023 investigation by the Norwegian Consumer Council found that several popular beauty apps collected and shared facial data with third parties in ways that were not clearly explained to users.

Why this matters for everyday consumers

Most people do not read privacy policies before tapping “Allow” on a camera permission request. But AI beauty tools are not just taking a photo. They are extracting sensitive biometric data that can be used to identify you, profile you, or even target you with advertising in ways you did not expect.

Even if a company promises not to sell your data, it may still share it with service providers, cloud storage platforms, or marketing partners. If those partners suffer a data breach, your facial template could be exposed. Once biometric data is compromised, it is compromised for life.

The MAC case also highlights a broader pattern: companies often design consent flows that are confusing or buried in legalese. Users frequently assume that a virtual try-on is just a camera filter with no lasting footprint. The reality can be quite different.

Steps you can take to protect your privacy

You do not have to give up AI beauty tools entirely, but there are ways to reduce your exposure.

• Check the app’s permissions. On iOS and Android, you can see which apps have access to your camera. Revoke access for any beauty tool you no longer use.
• Read the privacy policy (or at least skim it). Look for phrases like “biometric data,” “facial recognition,” or “third-party sharing.” If the policy is vague or says data may be used for training AI models, think twice.
• Prefer on-device processing. Some beauty apps now offer a mode that keeps your facial data on your phone and never sends it to a server. This is a much safer option. Look for settings labeled “local processing” or “on-device.”
• Use a dummy photo. If you want to test a product without exposing your own face, some tools allow you to upload a photo of a model or a generic face. That way, your biometric data is not involved.
• Consider which brands you trust. A company with a history of privacy complaints or a weak track record on data security may not deserve the benefit of the doubt.

What the industry can learn from this

Regulation like BIPA is gradually forcing companies to be more transparent, but the law is not uniform across states or countries. In the European Union, the GDPR imposes similar requirements, but enforcement varies. Until stronger federal rules exist in the United States, consumers need to stay alert.

The MAC lawsuit is a reminder that convenience and novelty often come with hidden costs. Virtual try-on tools are fun and helpful, but they are also data collection devices disguised as mirrors. Treat them that way.

Sources:

• Lawsuit filing against MAC Cosmetics under Illinois BIPA as reported in news outlets including Personal Care Insights.
• Norwegian Consumer Council investigation into beauty app data practices, 2023.
• Illinois Biometric Information Privacy Act (740 ILCS 14) text and legal summaries.