January 28, 2023

Volume XIII, Number 28



Mirror, Mirror on the Wall, Who’s the Fairest of Them All? AR Retailing in the 21st Century

In our last two editions, we discussed how brands can leverage augmented reality (AR) to reach their customers in new ways, the legal issues that may arise with the use of AR and the compliance considerations for businesses subject to the California Consumer Privacy Act (CCPA).1 In this edition, we take a deeper look at AR’s potential privacy risks.

The Shift to AR During COVID-19

For all of those who drooled over Cher’s Mis-Match program that put outfits together with ease in Clueless, now is the time to be alive: her closet has become a virtual reality. Since the start of the coronavirus pandemic, retailers have been increasingly shifting their attention to AR in an attempt to offset losses due to forced store closures. However, it also appears that AR (through virtual try-ons) has helped to improve return rates for online purchases. One virtual fitting room app has indicated that return rates for partnered retailers dropped from 38 percent to about two percent (whereas overall return rates for clothing and shoes bought online are at about 40 percent).2 At the same time, businesses implementing COVID-19 safety precautions in reopening stores may find that AR can increase customer safety while maintaining some elements of the experience customers expect. As closed-off fitting rooms and restricted use of test products become the new norm, in-store AR mirrors allow customers to try on products virtually without physically trying anything on.3 For customers hesitant to shop in physical stores (or wait in lines that wrap around the block), AR can help reduce in-person interactions and time spent in stores by simplifying in-store navigation through a customer’s device.4 In addition to customer safety applications, AR has the potential to increase customer engagement — for example, by connecting the mirrors to social media and providing a more interactive personalized experience. Certain AR mirrors already have the capability of recognizing items brought into fitting rooms and displaying suggested items on the mirror’s screen that may be of interest to the customer.5 Those mirrors can also enable customer requests, lighting changes and even checkout.6

Making Use of Data

While retailers have long been collecting information about their customers, AR has the potential to collect vast amounts of additional and often very detailed personal data from users. For instance, retailers can get a better understanding of their customer base through “facial analysis” — i.e., the process of classifying users’ faces according to personal characteristics, such as age, race or gender.7

For example, men in their twenties typically gravitate toward shampoo or body wash that has a minty or woodsy scent, whereas men in their forties prefer unscented products. (Not captured in the statistics: men who borrow their partner’s body wash and smell like mango and bergamot all day.) Computer vision algorithms can also analyze facial expressions and identify changes in facial muscles that indicate an individual’s emotions.8 This would be particularly useful, for example, for businesses that sell perfumes or scented body products. (A scrunched nose means get it off the shelf!) Additionally, research has shown that pupil-dilation (which can be measured through eye-tracking technology) can reveal an individual’s level of interest in whatever product that person is viewing.9 In fact, eye-tracking has been hailed as “advertising’s holy grail” and seems to be the next best metric for understanding how users interact and engage with certain content.10 The combination of this data with existing customer data (e.g., purchase history, interests, preferences, etc.) could be used for many different purposes, including creating comprehensive customer profiles and targeted advertising and marketing. Retailers can also leverage AR to improve overall customer service and satisfaction by understanding how customers generally feel about certain products, as well as how interested a specific customer is in the product they are trying.

Understanding the Regulatory Landscape

While businesses using AR will likely have to comply with applicable comprehensive privacy laws — such as the CCPA and General Data Protection Regulation (GDPR) — businesses should also investigate whether any other regulations apply.

Biometric Privacy Laws

AR apps and devices that use facial recognition or eye-tracking technology may collect certain data that would be considered biometric information under biometric privacy or data breach laws. Currently, three US states — Illinois,11 Texas12 and Washington13 — regulate how companies collect, disclose and retain biometric information and impose certain notice and consent requirements for the collection and use of such information. While there is no universal definition of biometric information, the term is typically defined as information based on or derived from an individual’s unique biological characteristics that is used for identification or authentication purposes. There is also one law specifically regulating the use of facial recognition (outside the scope of general biometric laws). The city of Portland, Oregon, in September, passed a local ordinance prohibiting private entities from using facial recognition technologies in public places within Portland (though the ordinance makes an exception for face detection services in social media apps).14 The ordinance will take effect on January 1, 2021. While there is no federal law regulating biometric information, this has certainly been on Congress’ agenda. In August, Senators Jeff Merkley and Bernie Sanders introduced the National Biometric Information Privacy Act of 2020 (S. 4400).15 Although politicians on both sides of the aisle agree that a comprehensive federal privacy scheme is needed — and that it must address biometric information — partisan politics and the urgency of the COVID-19 pandemic have caused such bills to stall. In the meantime, without a federal law regulating biometric information, businesses using AR are left with a patchwork of overlapping and inconsistent obligations.

What Brands Can Do Now

Retailers considering launching AR projects should do their due diligence to ensure that they are implementing AR responsibly. Importantly, retailers should ensure that they understand (1) how the specific AR technology will function, (2) what type of data will be collected or generated, and (3) how the business will use such data. Retailers should carefully review agreements with vendors (including developers and device manufacturers) to understand how vendors will use any data and to restrict vendors from further using any data for unlawful purposes.

(1) See Katherine Motsinger, I Want You to Want Me: Augmented Reality Edition, Kattison Ave. (Spring 2020); Katherine Motsinger, Augmented Reality Marketing Campaigns and the California Consumer Privacy Act, Kattison Ave. (Summer 2020).

(2) Abha Bhattarai, Virtual Try-Ons Are Replacing Fitting Rooms during the Pandemic, The Washington Post (July 9, 2020).

(3) See id.

(4) 10 Applications of AR/VR that can Transform Your Retail Sales Completely. Find out How!, [x]cube LABS (May 22, 2020).

(5) Hilary Milnes, ‘VR Isn’t Scalable’: Bursting the In-Store Digital Tech Bubble, DIGIDAY (Apr. 19, 2016).

(6) R/GA Ventures and Westfield Labs Announce the 10 Companies in the Connected Commerce Accelerator, R/GA Ventures.

(7) See U.S. Gov’t Accountability Off., GAO-20-522, Facial Recognition Technology: Privacy and Accuracy Issues Related to Commercial Uses 13 (2020).

(8) See 10 Emerging Applications of AR Face Recognition, Banuba (April 29, 2020); see, e.g., Augmented Reality and Virtual Reality Technology: Facial Recognition.

(9) See Avi Bar-Zeev, The Eyes Are the Prize: Eye-Tracking Technology Is Advertising's Holy Grail, VICE (May 28, 2019).

(10) See id.; see also, Ben Dickson, Unlocking the Potential of Eye Tracking Technology, TechCrunch (Feb. 19, 2017).

(11) 740 Ill. Comp. Stat. 14 (2008).

(12) Tex. Bus. & Com. Code § 503.001 (2009).

(13) Wash. Rev. Code § 19.375.010 (2017).

(14) Portland, Oregon, City Code § 34.10.030. “Facial Recognition Technologies” is defined as “automated or semi-automated processes using Face Recognition that assist in identifying, verifying, detecting, or characterizing facial features of an individual or capturing information about an individual based on an individual’s face”; “Face recognition” is defined as “the automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository (one-to-many search). A Face Recognition search will typically result in one or more most likely candidates—or candidate images—ranked by computer-evaluated similarity or will return a negative result.” Portland, Oregon, City Code § 34.10.020(A), (B).

(15) National Biometric Information Privacy Act of 2020, S. 4400, 116th Congress (2020). “The term “biometric identifier” (A) includes (i) a retina or iris scan; (ii) a voiceprint; (iii) a faceprint (including any faceprint derived from a photograph); (iv) fingerprints or palm prints; and (v) any other uniquely identifying information based on the characteristics of an individual’s gait or other immutable characteristic of an individual”.

©2023 Katten Muchin Rosenman LLP

National Law Review, Volume X, Number 315

About this Author

Dagatha L. Delgado Intellectual Property Attorney Katten Muchin Rosenman New York, NY
Staff Attorney

Dagatha Delgado helps clients get the most out of cutting-edge innovations and address the privacy, data protection and cybersecurity challenges that arise from an ever-changing digital world.

Dagatha helps provide advice on privacy and technology matters, including compliance with rapidly evolving privacy and cybersecurity laws, and engaging and managing IT and cloud service providers. As a member of Katten’s data breach response team, Dagatha also steps in to help clients respond to and recover from data breaches and security incidents.

Guidance on privacy compliance and...

Katherine Motsinger Litigation Lawyer Katten Law Firm

Katherine Motsinger is an associate in Katten's Litigation practice. While attending law school, Katherine was the executive comments editor for the San Diego Law Review as well as a teaching assistant for Legal Writing & Research. She served as a judicial extern for the Honorable Margaret M. McKeown of the US Court of Appeals for the Ninth Circuit, the Honorable Michael M. Anello, US District Judge, at the US District Court for the Southern District of California, and the Honorable William V. Gallo, US Magistrate Judge, at the US District Court for the Southern...