JCPenney Sued Over Alleged Unlawful Facial Scans: Illinois Biometric Privacy Act Class Action Targets “Skincare Advisor” Tool

Key Highlights:

  • A new Illinois statewide class action alleges JCPenney captured, stored and used consumers’ facial scans through its “Skincare Advisor” tool without providing required notice, obtaining written consent, or publishing a biometric retention and destruction policy under the Illinois Biometric Information Privacy Act (BIPA).
  • Plaintiff Christine Borovoy seeks statutory damages, injunctive and declaratory relief on behalf of Illinois consumers who used the tool within the past five years; the complaint describes the alleged violations as knowing, willful or reckless.
  • The litigation underscores growing legal and regulatory scrutiny of retail uses of facial-recognition and facial-analysis technologies and highlights the compliance risks companies face when biometric data is collected without clear policies and consent.

Introduction

A class action filed in Cook County, Illinois, accuses JCPenney of capturing and retaining consumers’ facial biometric data through an online and mobile “Skincare Advisor” feature without meeting Illinois’ strict consent and transparency requirements. The complaint centers on the state’s Biometric Information Privacy Act, a statute that has become a focal point for privacy litigation where companies collect fingerprints, face scans, or other biometric identifiers. The plaintiff seeks to represent a statewide class and demands statutory damages and injunctive relief, arguing JCPenney denied users the information and control BIPA guarantees.

The suit adds JCPenney to a list of retailers and technology providers facing legal challenges tied to biometric tools. It also raises practical questions for consumers, regulators and businesses about how facial-analysis features should be deployed: what disclosures are required, how long data may be retained, and what constitutes valid consent when interactive tools prompt users to submit images of their faces.

The sections that follow explain the allegations in detail, outline the legal obligations under BIPA, examine the risks of collecting facial biometric data, describe how damages and injunctive remedies under the statute operate, and consider broader implications for retail technology deployments and consumer privacy.

What the complaint alleges about the “Skincare Advisor”

The lawsuit, filed by plaintiff Christine Borovoy, alleges JCPenney’s “Skincare Advisor” — an AI-powered product recommendation feature available on the company’s website and mobile application — captured facial scans of consumers who used the tool. According to the complaint, JCPenney not only captured biometric identifiers and biometric information but failed to satisfy the procedural protections that BIPA requires before collecting or storing such data.

Key allegations include:

  • Failure to provide the statutorily required written notice to consumers that biometric data would be collected.
  • Failure to obtain written informed consent from consumers prior to collecting biometric identifiers or biometric information.
  • Failure to make publicly available a written policy that explains JCPenney’s retention schedule and destruction procedures for biometric identifiers and biometric information.

The complaint frames these failures as depriving users of their statutory right to control biometric data and seeks classwide relief. Borovoy alleges the violations were “knowing and willful” or at least reckless, amplifying the potential statutory exposure under BIPA.

Jury trial and remedies sought: The plaintiff requests a jury trial, declaratory and injunctive relief to stop ongoing misuse of biometric data, and statutory damages on behalf of herself and all class members who scanned their faces while using the tool in Illinois during the relevant class period.

Understanding BIPA: the statute at the center of the case

The Illinois Biometric Information Privacy Act, enacted in 2008, regulates private entities that collect, use, store, or disclose biometric identifiers and biometric information. The law treats biometric data—unique personal identifiers derived from physiological or behavioral characteristics—differently from other personal data because biometric traits are immutable and uniquely tied to an individual.

Core BIPA requirements relevant to this case include:

  • Written Notice and Consent: A private entity must inform a person in writing that biometric identifiers or biometric information are being collected or stored, the specific purpose and length of term for which the data is being collected, used, or stored, and must obtain a written release executed by the person.
  • Public Retention/Destruction Policy: A private entity must have and make publicly available a written policy establishing a retention schedule and guidelines for permanent destruction of biometric identifiers and biometric information. The statute contemplates retention only as long as necessary to fulfill the reason for which the information was collected.
  • Prohibition on Profiting: The law prohibits the sale, lease, trade, or otherwise profiting from a person’s biometric identifiers or biometric information.

BIPA creates a private right of action. Remedies include:

  • Statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation (or actual damages, whichever is greater).
  • Reasonable attorney’s fees and costs.
  • Other relief, including injunctive or declaratory relief.

These provisions make BIPA a powerful tool for individuals challenging unauthorized or improperly handled biometric collection. The presence of per-violation statutory damages has made BIPA litigation particularly consequential because exposure can escalate quickly when many individuals are affected.

Why facial biometric data receives special legal attention

Biometric data differs from email addresses or phone numbers in two important ways that explain why laws like BIPA impose heightened protections.

  1. Permanence and uniqueness: Unlike a password or a payment card number, biometric identifiers such as face geometry or fingerprints cannot be changed if compromised. A breach of biometric data carries long-term identity-security risks because victims cannot simply "reset" their faces.
  2. Potential for surveillance and misuse: Biometric identifiers enable persistent linkage across systems and can facilitate mass surveillance, identity tracking, and profiling when combined with other data sources. This raises privacy and civil-liberties concerns beyond ordinary data-handling issues.

Given these characteristics, many jurisdictions treat biometric information as particularly sensitive and require affirmative consent and transparency before collection and use. BIPA embodies that approach by demanding notice, written consent, and clear retention and destruction policies.

The business use case: what are “Skincare Advisor” tools and why retailers use them?

Retailers increasingly deploy AI-driven features that analyze consumer-provided images to offer personalized product recommendations. A “Skincare Advisor” typically asks a user to submit a photograph or scan of their face and uses image analysis to assess skin tone, texture, acne, fine lines or other dermatological characteristics. The tool then recommends products — moisturizers, serums, sunscreens — tailored to the results.

Retailers adopt these tools for several reasons:

  • Personalization increases conversion rates: Consumers who receive tailored recommendations are more likely to make purchases that appear suitable for their specific needs.
  • Reduced friction in product discovery: Browsing for skincare products can be confusing; an advisor simulates in-store expertise online.
  • Data for product development and marketing: Aggregated insights about skin types and concerns can inform product assortments and targeted promotions.

These commercial benefits explain the broad adoption of image-based recommendation features. The legal risk arises when those features process or extract biometric identifiers from user images without complying with governing privacy laws.

How facial scans can trigger BIPA protections

Whether an image-based feature triggers BIPA depends on the nature of the data extracted and whether it constitutes a “biometric identifier” or “biometric information” as defined under Illinois law. BIPA’s statutory definitions include a list of biometric identifiers such as retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, and so forth. The statute broadly covers information generated from biometric identifiers, such as templates created through algorithms.

Facial-analysis tools often do one or more of the following, any of which may fall within BIPA’s scope:

  • Create a mathematical representation or “template” of a face that captures unique patterns.
  • Measure facial geometry or distances between facial landmarks to categorize or identify traits.
  • Store face-feature vectors for subsequent comparison or matching.

If the tool creates and stores such templates, or transmits them to third-party processors for storage or analysis, BIPA’s notice and consent provisions typically apply. The complaint against JCPenney alleges precisely this: that the “Skincare Advisor” captured and stored facial biometric data without providing mandated notices, obtaining written consent, or publishing a retention and destruction policy.

The alleged compliance failures and their legal significance

The JCPenney complaint identifies three discrete alleged failures that map directly onto BIPA obligations:

  1. No written notice to consumers: BIPA requires entities to tell consumers in writing that biometric data will be collected, explain the purpose, and indicate the retention period. Without such notice, consumers lack the information needed to make an informed decision about participating in biometric data collection.
  2. No written consent: BIPA demands a written release (consent) before collecting biometric identifiers. Consent requirements are stricter than mere clicking “accept”; the statute envisions express, written authorizations. Failure to obtain this consent means a company has no statutory permission to collect or retain biometric information.
  3. No public retention and destruction policy: A written policy detailing how long biometric data will be kept and when it will be destroyed is required to limit indefinite, potentially risky retention. The absence of such a policy suggests data could be retained indefinitely, increasing risk if systems are breached or repurposed.

Each of these alleged violations carries statutory remedies under BIPA. Plaintiffs frequently seek both monetary damages and injunctive relief to stop ongoing collection or force changes to corporate practices. The complaint’s allegation that JCPenney acted “knowingly and willfully” or with reckless disregard is designed to support the higher statutory damages tier ($5,000 per violation) rather than the lower negligent-violation level ($1,000 per violation).

Potential scale of damages under BIPA and litigation dynamics

BIPA’s statutory damages are calculated on a per-violation basis, and courts have sometimes interpreted a single collection or storage event as multiple violations. Two features of BIPA make it a potent source of exposure:

  • Per-Person, Per-Violation Damages: Statutory damages of $1,000 or $5,000 per claimant per violation can accumulate quickly when thousands or hundreds of thousands of consumers are affected.
  • Private Right of Action: Individuals can sue directly for statutory damages without proving actual harm beyond the statutory violation.

These attributes have resulted in sizable settlements and significant defense costs in prior BIPA litigation across sectors, from social-media platforms to employers and retailers. The financial risk incentivizes early settlements in some cases, but defendants also litigate aggressively to limit exposure, seek dismissal of claims, or narrow the class.

Class certification is a pivotal stage. Plaintiffs must show that common questions of law or fact predominate and that a class action is a superior litigation mechanism. Defendants often challenge certification by arguing individualized issues, consent defenses, or that the biometric processing does not fall within BIPA’s definitions.

Beyond monetary exposure, injunctions matter. Plaintiffs commonly seek injunctive relief requiring companies to implement compliant policies, provide notice, obtain written authorizations going forward, and purge improperly retained biometric data. Courts can fashion remedies that change corporate practices, reducing future legal risk but sometimes imposing operational burdens.

How courts evaluate “knowledge” or “recklessness” under BIPA

BIPA distinguishes negligent from intentional or reckless violations. Plaintiffs aiming for the higher statutory award must show the defendant acted intentionally or recklessly. Courts assess available evidence to determine whether a company knew or recklessly disregarded BIPA’s requirements. Indicative factors include:

  • Internal communications about biometric features that suggest knowledge of biometric collection and legal obligations.
  • Evidence that a company received prior warnings or legal counsel about BIPA compliance and nevertheless failed to act.
  • The presence or absence of implemented policies, notices, or consent mechanisms once biometric technologies were in use.
  • The degree to which biometric data was stored or shared with third-party processors without appropriate safeguards or disclosures.

A complaint alleging knowing or reckless conduct places early pressure on the defendant by increasing potential statutory exposure, but plaintiffs must ultimately marshal evidence during discovery to support that characterization. The JCPenney complaint asserts knowing and willful conduct; discovery will determine whether documentary or testimonial proof supports that allegation.

Broader implications for retailers and app developers

The suit against JCPenney signals a broader compliance challenge for companies introducing image-based, AI-driven personalization tools. Retailers must reconcile the commercial value of personalized features with privacy obligations and the legal realities of jurisdictions with biometric data laws.

Practical implications include:

  • Audit and Mapping: Companies should audit whether features collect face scans or generate biometric templates. Mapping data flows—where images and templates are stored, who has access, and whether third parties process or store the data—is essential.
  • Consent Mechanisms: Where biometric data is collected, implement clear, conspicuous written notices and obtain documented written consent consistent with applicable law. Relying on general terms of service or buried privacy-policy language is risky.
  • Retention and Destruction Policies: Draft and publish retention schedules and destruction procedures specific to biometric identifiers and biometric information. Retention should be limited to what is necessary for the disclosed purpose.
  • Vendor Management: Contracts with third-party AI providers and cloud services must address data protection, restrictions on sale or profiting from biometric data, and compliance with applicable biometric statutes.
  • Minimization and Technical Controls: Where possible, avoid storing biometric templates and instead use ephemeral processing or on-device analysis. When storage is necessary, apply encryption, access controls and data-segmentation to limit risk.
  • Cross-Jurisdictional Compliance: Different states and countries have varying approaches to biometric data. A privacy-by-design posture helps companies adapt to multiple legal regimes.

Retailers that fail to align product design and privacy controls with statutory obligations risk litigation, regulatory inquiry and reputational harm.

What consumers need to know and what actions they can take

If you used JCPenney’s “Skincare Advisor” tool and scanned your face on the website or mobile app while located in Illinois within the last five years, you may fall within the putative class described in the complaint. Individuals in that group will be notified of class developments if the case proceeds and a class is certified.

Practical steps consumers can take:

  • Monitor case developments: Class counsel typically files notices if certification is granted. Consumers can also follow public filings in Cook County Circuit Court for case updates.
  • Preserve evidence: If you retained screenshots, confirmation emails, or records that show you used the tool, preserve them. Documents can be relevant in proving class membership or claims.
  • Review privacy settings and app permissions: Check what images an app stores and whether you can delete account data or request deletion under applicable privacy policies.
  • Consider data-removal requests: If JCPenney or other companies offer mechanisms to request deletion of biometric data, consumers can submit those requests and document responses.
  • Be cautious about sharing biometric images: Until companies clearly disclose practices and provide consent mechanisms, consumers may choose to avoid uploading facial images to retail or social apps.

Consumers seeking to assert privacy rights can also consult counsel to understand options beyond class membership, though individual suits are less common because class actions often aggregate claims.

Legal process and likely defenses JCPenney may raise

Defendants in BIPA litigation typically advance several lines of defense or strategies to limit liability:

  • Deny the data qualifies as biometric identifiers or that the tool generated stored templates. If the feature performs ephemeral analysis without preserving biometric templates, defendants argue BIPA does not apply.
  • Argue consent: If the company can show users were presented with disclosures and consented, it may assert an affirmative defense. The nature and sufficiency of consent are often disputed.
  • Challenge class certification: Defendants often contest whether a class can be certified, arguing individualized issues like differing consent, differing usage contexts, or the need for individualized proof of damages.
  • Attack the allegations about policy absence: Defendants may assert they have publicly available policies or other mechanisms that satisfy BIPA’s retention-and-destruction requirement.
  • Seek dismissal on technical grounds: Sometimes defendants argue the complaint fails to state a claim or lacks particularity for certain allegations.

The outcome will hinge on discovery and the court’s interpretation of how the technology functions and whether statutory thresholds are met. Litigation timelines vary, but BIPA cases commonly involve protracted discovery about technological processes, internal communications and vendor relationships.

Comparisons to other biometric controversies and regulatory trends

Retail uses of facial-analysis tools are not unique to JCPenney. Across sectors, companies face legal and regulatory scrutiny when biometric technologies are deployed without transparent user consent and carefully crafted safeguards. Litigation under biometric statutes, privacy regulations and consumer-protection laws has prompted many organizations to reassess product designs.

Regulatory attention has also grown. Legislatures and privacy regulators in various jurisdictions are scrutinizing biometric technologies and considering frameworks that restrict or tightly regulate their use. For companies operating across multiple states or internationally, reconciling divergent rules increases compliance complexity.

The JCPenney complaint is part of a broader pattern where courts and regulators must weigh the social benefits of certain AI-driven tools against privacy risks. Cases that produce injunctive relief can set practical boundaries for future product design, causing industrywide adjustments.

Potential business and operational impacts if claims succeed

If plaintiffs obtain injunctive relief or a settlement, several operational consequences could follow for JCPenney and other retailers:

  • Removal or modification of features: Companies may need to disable biometric components, shift to on-device processing that does not store templates, or redesign user interfaces to secure explicit written consent.
  • Investment in compliance: Businesses might allocate budget to legal analysis, privacy-engineering, vendor audits, and policy creation to meet BIPA and similar legal requirements.
  • Contract renegotiations with vendors: Third-party AI and cloud vendors will face scrutiny and contract terms may change to address liability and compliance responsibilities.
  • Increased litigation exposure: A successful case can spark additional suits by other plaintiffs or prompt regulatory inquiries in other jurisdictions.
  • Reputation management: Negative publicity around biometric misuse can damage consumer trust, particularly in categories that require sensitive personal data like health and beauty.

Companies can limit these costs by proactively auditing biometric uses and adopting transparent, compliant practices.

What to watch next in the JCPenney litigation

Key milestones and documents that will shape the trajectory of this case include:

  • Defendant response: JCPenney’s initial answer or motion to dismiss will reveal its immediate legal strategy and defenses.
  • Discovery: Plaintiff access to internal communications, vendor contracts and technical documentation will determine whether allegations about knowledge and willfulness hold.
  • Class certification motion: Whether a court certifies an Illinois-wide class will be determinative for the scope of potential damages and pressure to settle.
  • Expert reports and demonstrations: Technical experts may be called upon to demonstrate whether facial templates were stored or how the Skincare Advisor processed images.
  • Settlement negotiations: Given the potential for statutory damages to multiply, both sides may evaluate settlement to limit uncertainty and cost.

Observers should track court filings in Cook County and statements from counsel for both parties. The complaint names plaintiff counsel: Kylie K. Franklin of Hinders, Updegraff & Franklin PLC; Grace E. Parasmo and Yitzchak H. Lieberman of Parasmo Lieberman Law; and Allen Schwartz of Schwartz Law PLLC. The case is Borovoy, et al. v. Penney OpCo LLC, Case No. 2026CH02396, in the Circuit Court of Cook County, Illinois, County Department, Chancery Division.

Practical lessons for organizations adopting biometric features

The JCPenney lawsuit underscores several best practices organizations should adopt before deploying facial-analysis or other biometric technologies:

  1. Conduct a legal and privacy impact assessment: Evaluate whether the technology collects biometric identifiers as defined by relevant laws and assess fit with legal obligations in every jurisdiction of operation.
  2. Build consent workflows: Ensure consent is documented, explicit, and separate from general terms of use. Written consent mechanisms should be user-friendly and verifiable.
  3. Limit storage: Design systems to avoid storing biometric templates when possible. If storage is necessary, minimize retention and apply robust technical protections like strong encryption and strict access controls.
  4. Publish retention and destruction policies: Make policies public and easily accessible, specifying the retention period and destruction protocol for biometric data.
  5. Vendor diligence: Require contractual commitments from vendors that they will not sell or misuse biometric data and will comply with applicable statutes.
  6. Employee training and governance: Train product and legal teams on biometric risks and create escalation paths for high-risk features.

Organizations that adhere to these practices reduce legal risk and preserve consumer trust.

FAQ

Q: Who filed the lawsuit and where was it filed?
A: The lawsuit was filed by plaintiff Christine Borovoy in the Circuit Court of Cook County, Illinois, County Department, Chancery Division. The case caption is Borovoy, et al. v. Penney OpCo LLC, Case No. 2026CH02396.

Q: What is the basis of the claim?
A: The complaint alleges violations of the Illinois Biometric Information Privacy Act (BIPA) arising from JCPenney’s alleged capture, collection and storage of facial biometric data through its “Skincare Advisor” tool without providing required written notice, obtaining written consent, or publishing a biometric data retention and destruction policy.

Q: Who does the proposed class include?
A: The complaint seeks to represent Illinois consumers who scanned their faces while using the Skincare Advisor on JCPenney’s website or mobile application at any time within the last five years prior to filing.

Q: What remedies does the plaintiff seek?
A: The plaintiff demands a jury trial and seeks declaratory and injunctive relief, statutory damages under BIPA for herself and all class members, and other relief permitted by the statute.

Q: What are the possible damages under BIPA?
A: BIPA provides statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, or actual damages, whichever is greater. Plaintiffs may also recover attorney’s fees and costs.

Q: Does the complaint mean JCPenney has already been found liable?
A: No. The complaint alleges violations; liability must be established through litigation, settlement, or judgment. JCPenney will have the opportunity to respond, defend, and present evidence.

Q: Can consumers outside Illinois bring similar claims?
A: BIPA is an Illinois statute that protects individuals whose biometric data is collected in Illinois. Consumers in other states may have different legal protections; some states have their own biometric or privacy rules, and federal or state consumer-protection laws may apply in different circumstances.

Q: What should consumers who used the Skincare Advisor do?
A: Consumers who used the tool and are located in Illinois should preserve any records showing use, monitor case developments, and consider asking the company to delete biometric data if deletion avenues exist. They may also consult counsel if they seek personalized legal advice.

Q: How might this case affect other retailers or app developers?
A: The case reinforces the need for legal and privacy compliance when deploying biometric features. Companies may redesign features to avoid storing biometric templates, implement clear consent processes, and publish retention policies to reduce litigation risk.

Q: Where can I follow the case?
A: Court filings will be available through Cook County court records and public docket resources. News outlets covering privacy litigation and class-action trackers will also report on major developments like motions, discovery disputes, settlements or class certification decisions.


The JCPenney class action joins a series of disputes testing how businesses can use facial-analysis tools while respecting statutory privacy protections. As technologies for personalized online experiences multiply, the decisions courts make about notice, consent and retention will determine how those technologies can be deployed lawfully and responsibly. Consumers and companies alike will watch whether the case produces injunctive changes, damages awards or clarifying legal precedent about biometric data in the retail context.