The Future of Online Shopping: Reconciling Augmented Reality with Privacy Rights

Technology has infiltrated nearly every area of our daily lives, with the pandemic accelerating the rate of such innovation in unprecedented ways. One such result has been the acceleration of augmented reality technology (AR) in the retail fashion industry.

AR technology has been in the works for years, but as a result of recent (and ongoing) limitations on movement, has enjoyed more limelight and investment than usual. But as beguiling as it is to have a bejeweled reflection, are consumers placed at greater risk of privacy infringement because of it? Although consumers don’t necessarily need to sacrifice hard-earned cash to experience AR, are they unknowingly sacrificing precious privacy rights instead?

What is AR?

AR – augmented reality technology – allows users to experience “reality” in the digital realm. In terms of the fashion industry, this means that people can “try on” 3D digital clothing which appears on a person’s body in real time via a screen – for example, your phone or iPad. One of the most impressive elements of AR clothing try-ons is the “real-time” element, i.e., having the ability to move around and see how the digital clothing looks on in a non-static likeness. 

AR in the online fashion industry

AR has been used quite frequently in the beauty and accessories industry, as discussed in our previous article. For example, luxury powerhouses such as Dior and Chanel have been harnessing AR online to allow remote trialing of their lipsticks for years, but now, VOGUE Business reports that the fashion world may find itself right in the mix too, allowing consumers to try on items from jeans to jewels. 

Indeed, Dior is using AR via Snapchat to give followers a virtual run in their trendy new sneakers, designer Clara Daguin wore a digital version of her design at Paris Fashion Week in a collaboration with DressX, people all over the streets of Paris were spotted wearing an avant garde puffer coat from the digital sneaker company Rtfkt and Farfetch has created an AR trial through Snapchat with Off-White jackets. The advantage of using AR technology in this way is that fashion brands can tap into the digital experience market that has already been somewhat mastered by the beauty and gaming industry, allowing such brands to increase online sales and decrease e-commerce returns. 

This technology has caught the eye of investors too, with Snap Inc. acquiring Vertebrae which creates 3D digital versions of apparel for brands such as Fossil, and the digital fashion platform DressX receiving a seed round investment of $2 million from the Artemis Fund. 

The pandemic also accelerated the uptake of such technology in brick-and-mortar stores where changing rooms were out-of-action due to sanitary rules, as discussed in our article for TechGirl International, available here. 

Why are there privacy risks?

Users of AR in the cosmetic industry will already know that AR requires a picture or, better yet, a live reflection of the user for the technology to “paint” on the cosmetic and have the cosmetic move as the user moves; with such technology even being used on everyday apps such as Instagram and Snapchat. The same is true for fashion retail, which has seen a slower roll out due to the fact that such technology needs to function with your entire body, not just the face. However, in using such technology, biometric data is being processed – which means any processing must comply with the applicable data protection laws, such as the General Data Protection Regulation (EU) 2016/679 (the GDPR) in the European Economic Area and the Data Protection Act 2018 (the DPA) in the UK. 

Important questions on such processing by brands must be asked. For example, how is such biometric data stored? Who has access to it? Will brands offering virtual trials of their clothing retain the data such as our heights, weights, movements? Will the consumer become “recognisable” through his use of AR, and if yes, by whom? 

Processing biometric data under the GDPR and the DPA

Biometric data is considered special category sensitive data under both the GDPR and the DPA (which for the moment are identical pieces of legislation). This means that it is accorded extra protection, and processors and controllers of such biometric data must follow additional rules. 

Fashion brands that shall be using such AR to allow consumers to virtually try on their products will have to rely on a lawful basis under Article 6 of the GDPR (as is the case for all processing) and additionally will have to rely on a lawful basis under Article 9 of the GDPR– which related to special category data processing. 

Article 9(1) of the GDPR applies a general ban on the processing of biometric data for the purposes of identifying a natural person, alongside generally processing data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning health or data concerning a natural person’s sex life or sexual orientation. Thus, this provision prevents, for example, Dior from using the biometric data collected during the AR session to identify the user, thereby preserving the user’s anonymity. 

However, there are ten exceptions to Article 9(1)’s blanket prohibition, all enshrined in Article 9(2). Amongst them are the exceptions of when explicit consumer consent has been given, and when processing is necessary on the grounds of public interest in the area of public health, such as protecting against serious cross-border threats. 

Since such AR is being used for commercial gain, even when offered as a free trial, the most appropriate ground to rely on shall be consent. However, these exceptions do accord companies some wiggle room to derogate from the general prohibition on processing biometric data. Nonetheless, the GDPR’s hefty penalties for breaches (up to €20 million or up to 4% of their global annual turnover) is a strong enough incentive for fashion companies to ensure that privacy rights are always respected. 

Misuse of biometric data

Even if such companies do indeed rely on the lawful ground of consent as per the GDPR and the DPA, and attain that consent from you in line with the standard prescribed in the relevant legislation (i.e., consent is freely given, specific, informed and unambiguous), users of such AR technology should be aware of how such biometric data will be used and what exactly they are consenting to. 

For example, will your sensitive biometric data be sold to and used by AdTech companies? Will it be shared within group companies and affiliates (which in the case of companies such as LVMH, has a large scope)? Could such data be used for e-marketing or forecasting AI tools? These elements and uses of your biometric data should be covered in the controller’s privacy policy which should be made available to you before you provide your consent. 

Furthermore, biometric data which includes a scan of your face and/or body could reveal further sensitive information such as health data, sex and racial or ethnic origins. If any technology is run through AI and machine learning, this could pose issues with algorithmic bias, which has been a key issue in this industry and one that was not adequately addressed in the new AI Regulation proposal from the European Commission. 

Final Thoughts

AR technology will be an exciting new facet to online fashion retail shopping and one that has the potential to augment the brick-and-mortar store experience in a digital space. However, due to the nature of the personal data being processed, both companies and consumers must pay attention to the details and ensure privacy rights are at the forefront of all such technology.  

If you have any questions, please do not hesitate to contact us! 

Article by Komal Shemar and Alix Balsan