
Virtual try-on: data protection compliance considerations

Posted on 13 March 2026

Reading time 6 minutes

In brief:

  • Virtual try-on features, i.e. augmented reality technology that allows consumers to see how products look on themselves, are an attractive offering to those consumers, but without proper data protection measures, they pose a compliance risk.
  • Companies deploying virtual try-on tools should review their consent and data protection practices to ensure compliance.
  • Improper processing poses substantial risks, particularly where it leads to secondary processing, processing without the correct legal basis, or customer profiling.

What are virtual try-on features?

Virtual try-on features (VTFs) (which we previously wrote about here) use technology like facial recognition and augmented reality to show customers how products may look on their face without physical application. VTFs are commonly deployed for makeup, hair colouring and accessories such as glasses.

VTFs enable consumers to experiment with products from any location. Retailers may benefit from increased sales, reduced returns and enhanced engagement, particularly from customers without access to a physical store.

How do VTFs work?

The technology behind VTFs detects facial features to create a digital mesh mapping facial geometry — a geometric copy, or faceprint, of the face. This faceprint is then used to overlay colours or product images, mimicking real-world application.

Some VTFs operate on static images, while others provide 'live' try-on via a continuous video feed. The underlying technology may also analyse the image or video of the customer to recommend products based on skin condition, tone of the skin, the faceprint itself or other features - for example, a closer-matched foundation shade, glasses that complement the face shape, or a skin treatment for fine lines.

While VTFs can deliver a hyper-personalised shopping experience at a distance, they present a number of data compliance concerns that may create potential liabilities for unprepared businesses.

Data compliance concerns

Where retailers offer VTF services, significant amounts of personal data about customers are collected and processed from photo and/or video content. Key data protection compliance concerns that arise from this include:

Consent requirements

Images and videos of an individual constitute personal data. The additional processing that VTFs rely on to enable items to be "tried on" means that biometric data may also be collected, which is special category data subject to enhanced protections under UK GDPR. Other special category data may be inferred, such as racial or ethnic origin from skin colour, or health status from visible physical features. Visible items may also reveal information about political opinions, religious beliefs or disability, which could also constitute further special category data. However, some deployers of VTFs may not be processing biometric data for the purposes of uniquely identifying a natural person; where that is the case, the enhanced protections may not apply.

Processing special category data has additional restrictions and conditions under the UK GDPR. Companies deploying VTFs usually rely on informed consent for compliance. Where consent is the chosen basis, 'explicit consent' must be obtained through a clear statement - not inferred from actions such as continued use of the service. Similarly, "accepting" or acknowledging terms of a privacy notice is not sufficient. Under UK law, consent must be freely given, specific, informed and unambiguous.

Businesses that fail to meet the UK's standard of consent, or that otherwise process personal data not in accordance with applicable law, are exposed to the risk of enforcement action by the ICO and/or private legal claims.

The risk of relying on an inappropriate legal basis for processing, or failing to obtain appropriate consent, is not limited to the UK. Similar provisions apply in the EU by virtue of the EU GDPR. In the USA, several class actions have been brought under Illinois' Biometric Information Privacy Act (BIPA), including one against Amazon's virtual try-on feature that obtained class certification (Svoboda, et al. v. Amazon.com Inc., No. 25-1361, 2025 WL 3654053 (7th Cir. Dec. 17, 2025)). While both BIPA and the UK/EU GDPR require informed consent for the processing of special category data, BIPA is more stringent, requiring written informed consent and publicly disclosed data retention and deletion policies.

Data used for profiling

If personal data collected via VTFs is to be used for other purposes, Article 13 of the UK and EU GDPR requires that customers be informed of what these purposes are. This includes use for targeted automated product recommendations or other profiling. For instance, if characteristics such as age, skin tone or hair type are being collected, categorised and stored for future recommendations, this must be disclosed at the point of collection.

Retailers should also be mindful of biases that might exist within automated tools that may be used in connection with VTFs and ensure that proper safeguards are in place to minimise any inappropriate or harmful recommendations. Recommendations by biased technology can have discriminatory effects which, even where they do not have a materially serious or legal effect, could cause reputational damage to those deploying them.

Recommendations may also be inappropriate for other reasons, including where the product is not relevant to the customer (causing annoyance) or overly relevant to the customer (perceived as invasive).

Secondary use of data

Consent must be specific to each use of personal data. If a customer consents to VTF use for testing a shade of lipstick, that consent cannot be relied on for a secondary purpose, such as improving the VTFs. Where special category data is used for a secondary purpose, explicit consent must be obtained for each specific use.

Children's data

While VTFs may not be explicitly targeted at children, many children are active customers of beauty brands and likely early adopters of such technology. Where children's personal data is processed, retailers must also have regard to the Information Commissioner's Office's guidance, and in particular the Children's Code. This may require measures such as child-friendly privacy notices and consent language.

If VTFs incorporate any sharing or customer-to-customer interaction, retailers should also consider whether the Online Safety Act applies (which we previously wrote about here). The Act imposes obligations to prevent the sharing of illegal content, and to protect children from harmful content.

How to remain compliant?

Where VTFs are deployed, businesses should review what personal data is collected, how it is used, and what is disclosed to consumers.

As facial recognition is likely central to VTFs in the beauty sector, businesses should consider conducting a data protection impact assessment, as this is likely to be a high-risk processing activity. Compliance with transparency requirements and consent standards is also essential, alongside appropriate internal compliance documentation and policies.

Businesses should also consider whether VTFs can be deployed without the need for facial recognition technology and/or biometric data processing, and whether more minimal data collection practices could reduce the invasiveness of processing. For instance, VTFs could be developed to collect fewer data points of facial geometry. If the data collected identifies facial features, but cannot identify a specific individual, it may not constitute biometric processing or even constitute personal data itself. Similarly, product recommendations could be based on survey responses or close-up images of the skin, rather than a full facial image.

How Mishcon de Reya can help

Our Data team advises businesses on a variety of data protection and regulatory compliance issues. The team works closely with clients to develop and implement data compliance, online safety and privacy strategies. If you have any questions in relation to the above, please get in touch.
