UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
FIZA JAVID,
Plaintiff, No. 25 CV 11693 v. Judge Georgia N. Alexakis M.A.C. COSMETICS, INC.,
Defendant.
MEMORANDUM OPINION AND ORDER
The Court denies the motion to dismiss brought by defendant M.A.C. Cosmetics, Inc. (“MAC”) under Federal Rule of Civil Procedure 12(b)(6). [11]. To state a claim under Section 15(b) of the Illinois Biometric Information Privacy Act (“BIPA”), plaintiff Fiza Javid must plausibly allege that MAC was capable of identifying her using collected biometric data. Javid has met this burden, so the matter may proceed. A. Legal Standards A complaint must contain “a short and plain statement” showing that the plaintiff is entitled to relief. Fed. R. Civ. P. 8(a)(2). A motion to dismiss under Rule 12(b)(6) challenges the sufficiency of the complaint, not its merits. See Fed. R. Civ. P. 12(b)(6); Gibson v. City of Chicago, 910 F.2d 1510, 1520 (7th Cir. 1990). To survive a Rule 12(b)(6) motion, the complaint must allege facts sufficient to state a facially plausible claim. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible if the complaint’s “factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). At this stage, the Court assumes the facts alleged in the complaint are true and draws all reasonable inferences from those facts in the plaintiff’s favor. See Tobey
v. Chibucos, 890 F.3d 634, 645 (7th Cir. 2018). But “[a] pleading that offers ‘labels and conclusions’ or ‘a formulaic recitation of the elements of a cause of action will not do.’” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 555). The Court applies this approach in the discussion that follows. B. Factual Background On several occasions in the last five years, Javid has shopped at a MAC cosmetics store. [1] ¶ 21.1 On at least one such occasion, a MAC sales associate
suggested that Javid use an in-store device to “virtually ‘try on’” the makeup items that Javid was considering purchasing. Id. ¶¶ 22, 25–26. The device operated by detecting and identifying Javid’s face in videos and then capturing “a scan of her unique facial geometry, including the length, width, depth, and location of, as well as the distance and spacing between, various of her facial features and landmarks.” Id. ¶ 26; see also id. ¶ 29.
MAC’s website has a similar “virtual try-on” feature, which Javid also has used. Id. ¶¶ 27–28. That feature requires her to “upload a preexisting photo of her face, turn on and use her device’s camera via an interface on MAC’s website to take a new photo of her face, or allow MAC’s website to access her device’s camera to begin
1 The complaint begins on page 13 of the document at [1], using the pagination that appears in the blue CM/ECF header. a live video stream of her face.” Id. ¶ 27. Like the in-store device, the website’s virtual try-on mechanism captured Javid’s unique facial geometry. Id. ¶ 28. Whether it obtained them through the in-store device or the website feature,
MAC stored the scans of Javid’s facial geometry, accessed them to detect and identify Javid’s key facial features, and used this data to calculate and create a “unique digital map” of Javid’s face, otherwise known as “a face template.” Id. ¶ 30. MAC also stored the face templates. Id. MAC then used the stored scans and face templates to apply makeup virtually to Javid’s face. Id. ¶¶ 31–32. MAC did not tell Javid that it would capture, collect, otherwise obtain, store, and use her facial geometry through its virtual try-on mechanisms. Id. ¶¶ 36–37. And
it did not obtain her written consent or secure a release before doing so. Id. ¶¶ 38–39. Through these actions, Javid alleges that MAC violated the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq. She filed a complaint on behalf of herself and a putative class in state court, which MAC removed to federal court. MAC then moved to dismiss the complaint under Rule 12(b)(6). C. Analysis
1. Meaning of “Biometric Identifier”
To state a claim under BIPA’s Section 15(b), a plaintiff must allege that a private entity “collects,” “captures,” or “otherwise obtains” a person’s “biometric identifier or biometric information” without first satisfying several conditions. 740 ILCS 14/15(b). BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” See 740 ILCS 14/10. It excludes from that definition a number of items, including “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as
height, weight, hair color, or eye color.” Id. BIPA defines “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” Id. According to MAC, as a matter of statutory interpretation, “biometric information” and “biometric identifier” are “categories that only include data that can be used to identify a person.” [13] at 4. Therefore, MAC argues, because Javid has not alleged that MAC was capable of identifying her using the data it captured through
its virtual try-on devices, Javid has failed to state a claim under BIPA. MAC’s argument has merit with respect to “biometric information.” After all, BIPA plainly defines this term as “any information … based on an individual’s biometric identifier” that is “used to identify an individual.” 740 ILCS 14/10 (emphasis added). The more difficult question is whether “biometric identifier” encompasses the same limitation, as the statutory definition for that term does not
include the same “used to identify an individual” proviso. No court with binding authority on this one has resolved this question. But the Ninth Circuit has concluded that, under BIPA, “biometric identifiers” must be capable of identifying a person. See Zellmer v. Meta Platforms, Inc., 104 F.4th 1117, 1123 (9th Cir. 2024) (“[S]cans of face geometry ... are not covered by BIPA if they cannot identify a person.”). Numerous courts in this District have held the same. See, e.g., G.T. v. Samsung Elecs. Am. Inc., 742 F. Supp. 3d 788, 799–800 (N.D. Ill. 2024);2 Martell v. X Corp., No. 23 C 5449, 2024 WL 3011353, at *3 (N.D. Ill. June 13, 2024) (“[U]nder a plain reading of BIPA, Plaintiff must allege that the biometric identifier
can be used to identify an individual.”); Castelaz v. Estée Lauder Cos., Inc., No. 22 CV 5713, 2024 WL 136872, at *6 (N.D. Ill. Jan. 10, 2024) (same); Clarke v. Aveda Corp., 704 F. Supp. 3d 863, 865 (N.D. Ill. 2023) (same); Daichendt v. CVS Pharmacy, Inc., 22 CV 3318, 2022 WL 17404488, at *5 (N.D. Ill. Dec. 2, 2022); see also Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1094 (N.D. Ill. 2017) (holding that “biometric identifier” means “a biology-based set of measurements (‘biometric’) that can be used to identify a person (‘identifier’)”).3
The Court finds the reasoning in these cases persuasive. It will not recap each decision. But it will call particular attention to Zellmer’s rejection of the argument that because BIPA’s definition of “biometric identifier” does not reflect an “explicit requirement” that a biometric identifier be able to identify an individual, a plaintiff
2 The Court recognizes that an appeal is pending in G.T. See G. T. v. Samsung Elecs. Am. Inc., Appeal No. 25-1120 (7th Cir.). 3 At least one court within this District has concluded otherwise. See Brown v. AS Beauty Grp. LLC, 22 C 7288, 2024 WL 2319715, at *5 (N.D. Ill. May 22, 2024). Other decisions have acknowledged the question but not resolved it. See, e.g., Konow v. Brink’s, Inc., 721 F. Supp. 3d 752, 757 (N.D. Ill. 2024) (“This court is not certain that the ‘uniquely identifying’ test is supported by BIPA’s plain language. But assuming that it is, Plaintiff’s Complaint plausibly states a claim even under this narrower approach.”). Javid cites this Court’s decision in Rodriguez v. ByteDance, Inc., No. 23 CV 4953, 2025 WL 672951 (N.D. Ill. Mar. 3, 2025), to support its opposition to MAC’s motion to dismiss. [19] at 5. But in Rodriguez, “it [was] clear from the face of plaintiffs’ complaint that defendants were capable of using the data to identify them.” 2025 WL 672951, at *17. The question was similarly out-of-bounds in another recent decision from this Court related to BIPA. See Hooks v. CloudSpotter Techs. Inc., No. 25 CV 9754, 2026 WL 1045734, at *2 (N.D. Ill. Apr. 17, 2026). does not need to allege that capability in order to state a claim under Section 15(b). 104 F.4th at 1123. Javid advances the same argument. [19] at 6–8. Zellmer considered the “ordinary meaning” of “identifier”—“one that
identifies”—when interpreting the statutory term “biometric identifier.” 104 F.4th at 1123–24. Zellmer explained that this approach to statutory interpretation has been endorsed by the Supreme Court, “particularly when there is dissonance between that ordinary meaning and the reach of the [statutory] definition.” Id. at 1123–24 (citing Bond v. United States, 572 U.S. 844, 861 (2014)). In Bond, the Supreme Court explained that a “fair reading” of the pertinent law needed to account for the “natural meaning” of a defined term and thus permitted the conclusion that the law “does not
have as expansive a scope as might at first appear.” 572 U.S. at 861; see also id. at 862 (“We are reluctant to ignore the ordinary meaning of ‘chemical weapon’ when doing so would transform a statute passed to implement the international Convention on Chemical Weapons into one that also makes it a federal offense to poison goldfish.”). Applying that approach to BIPA’s definition of “biometric identifier,” Zellmer
concluded that the plaintiff’s proposed reading of the statutory term “would write the term ‘identifier’ out of BIPA” and put “every ‘retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry’ … within BIPA’s reach.” 104 F.4th at 1123 (quoting 740 ILCS 14/10). Zellmer continued: [T]his reading conflates necessary and sufficient conditions. The defined term imposes on the ordinary meaning of “biometric identifiers” a set of necessary conditions. Something that falls outside the defined statutory definition (such as a photograph) can be a biometric identifier under the term’s plain meaning, but not be covered by BIPA’s statutory definition. On the other hand, something can otherwise fall within BIPA’s specific list of potential “biometric identifiers,” but still not be covered if it cannot identify.
Id. at 1123. Zellmer thus concluded that although “scans of face geometry fall within BIPA’s list,” they “are not covered by BIPA if they cannot identify a person.” Id. Zellmer’s approach to statutory interpretation is consistent with Illinois’ rules of statutory construction. Illinois’ “primary rule of statutory construction is to ascertain and give effect to the intent of the legislature,” and the best indicator of that intent is the “clear language of the statute.” See Zahn v. N. Am. Power & Gas, LLC, 815 F.3d 1082, 1089 (7th Cir. 2016) (citing People v. Donoho, 788 N.E.2d 707 (Ill. 2003), and People v. NL Indus., 604 N.E.2d 349 (Ill. 1992)). Critically, the statute’s language must be given its “plain and ordinary meaning.” Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, ¶ 24, 129 N.E.3d 1197, 1204; see also Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 20, 216 N.E.3d 918, 923–24, as modified on denial of reh’g (July 18, 2023) (“The best indicator of legislative intent is the statutory language itself, given its plain and ordinary meaning.”). And each word must be given effect. See Mosby v. Ingalls Mem’l Hosp., w, ¶ 36, 234 N.E.3d 110, 119 (“Each word in a statute is to be given a reasonable meaning and not rendered superfluous.”) (cleaned up). “When the statutory language is plain and unambiguous,” courts cannot “depart from the law’s terms by reading into it exceptions, limitations, or conditions
the legislature did not express,” nor can courts “add provisions not found in the law.” Rosenbach, 2019 IL 123186, ¶ 24, 129 N.E.3d at 1204. Yet, at the same time, “[s]tatutes must not be read in isolation but as a whole; all relevant parts of the statute must be considered when courts attempt to divine the legislative intent underlying the statute.” Zahn, 815 F.3d at 1089.4 As Zellmer explained, the plain and ordinary meaning of “identifier” is “one
that identifies,” 104 F.4th at 1124, and under Illinois’ rules for statutory construction, this plain and ordinary meaning cannot be ignored. To do so would write “identifier” out of BIPA and compromise the Court’s ability to ascertain legislative intent based on the statute’s “clear language.” See Zahn, 815 F.3d at 1089. It also does not run afoul of the principle, much emphasized by Javid, that courts only consult “dictionary definitions” when a term is not defined by a statute. [19] at 5 (citing Rosenbach, 2019 IL 123186, ¶ 29). The defined term is “biometric identifier”; but where BIPA does not
separately define “identifier,” “we assume the legislature intended for it to have its popularly understood meaning.” Rosenbach, 2019 IL 123186, ¶ 29, 129 N.E.3d at 1205. See also Martell, 2024 WL 3011353, at *3 (explaining that the term “biometric identifier” includes the word identifier, that the dictionary definition of “identifier” is “one that identifies,” and the dictionary definition of “identify” is “to prove the identity of (a person or thing)”); G.T., 742 F. Supp. 3d at 800 (rejecting a position “grounded
in a comparison of statutory definitions” of “biometric information” and “biometric identifier” because this distinction, although accurate, “does not mean the word ‘identifier’ should be ignored”). The ordinary meaning of “identifier” is especially relevant where the state legislature used this word elsewhere in the statute, de-
4 Javid emphasizes People v. Fiveash, 2015 IL 117669, 39 N.E.3d 924, and People v. Chapman, 2012 IL 111896, 965 N.E.2d 1119, when discussing Illinois’ rules of statutory construction. E.g., [19] at 8. The Court has reviewed these decisions and finds their discussion of Illinois’ rules of statutory construction to be consistent with the above-cited opinions. coupled from the word “biometric.” See 740 ILCS 14/5(c) (referring to “other unique identifiers that are used to access finances or other sensitive information”); 740 ILCS 14/10 (providing as an example of “confidential and sensitive information,” “a unique
identifier number to locate an account or property”). A narrower construction of “biometric identifier” than what Javid proposes is consistent with other relevant parts of BIPA. For example, the state legislature memorialized the intent behind BIPA in the statute itself. See 740 ILCS 14/5. The legislature recognized that the use of biometrics was growing, id. at 14/5(a) and (b), and that, “unlike other unique identifiers that are used to access finances or other sensitive information” such as social security numbers, “biometrics … are biologically
unique to the individual,” so, “once compromised, the individual has no recourse, is at heightened risk of identity theft, and is likely to withdraw from biometric- facilitated transactions,” id. at 14/5(c). “For biometrics to be compromised, however, there must be some ability to connect the biometrics to an individual; a facial scan is meaningless if there is no way to determine who it belongs to.” See G.T., 742 F. Supp. 3d at 800; see also Daichendt, 2022 WL 17404488, at *5 (where plaintiffs had not
alleged that the defendant “could connect the voluntary scans of face geometry with their identities,” they “failed to plead the most foundational aspect of a BIPA claim”). Thus, construing the term “biometric identifier” as requiring the ability to identify a person is not only consistent with the clear language of the statute and, hence, reflective of legislative intent; it is also consistent with 740 ILCS 14/5, the section of BIPA where the Illinois General Assembly memorialized the findings and purpose that motivated the law. A narrower construction of “biometric identifier” is also consistent with other
provisions of BIPA, which require, first, that a “biometric identifier” and “biometric information” be stored “in a manner that is the same as or more protective than the manner in which the private entity stores … other confidential and sensitive information” and, second, define the term “confidential and sensitive information” as “personal information that can be used to uniquely identify an individual or an individual’s account or property.” 740 ILCS 14/10, 14/15(e)(2). It would not make sense to require private entities to treat “biometric identifiers” in a manner at least
as protective as that of “biometric information” and “other confidential and sensitive information” if the first category of data, unlike the second and third, could not be used “to uniquely identify an individual or an individual’s account or property.” See Zellmer, 104 F.4th at 1124 (noting the interplay between these BIPA provisions and explaining that “[r]eading the statute ‘as a whole,’ it makes sense to impose a similar requirement on ‘biometric identifier’”).
For these reasons, the Court agrees with MAC that, for purposes of BIPA, “biometric information” and “biometric identifier” are “categories that only include data that can be used to identify a person.” [13] at 3. 2. Whether Javid Has Sufficiently Alleged the Ability To Identify
The Court next considers MAC’s argument that Javid has not alleged that MAC was capable of identifying her using the data it captured through its virtual try- on mechanisms. Javid contends otherwise, making one point tied to the meaning of “identity” and a second point tied to specific allegations in her complaint. The Court addresses each contention in turn.
First, Javid argues that “identifier” under BIPA does not necessitate identification by name, but rather requires only identification of “unique physical features.” [19] at 15–18. The Court is not persuaded by this point. As MAC aptly argues: “[S]uch a reading would be inconsistent with the General Assembly’s stated findings and intent in enacting BIPA—namely, that BIPA is concerned with data that can be used for identity theft to gain access to, for example, an individual’s “finances or other sensitive information [where] the individual has no recourse [because] such
information is tied to finances and other personal information.” [27] at 10 (quoting 740 ILCS 14/5(c) and (d)). Second, Javid argues that she has plausibly pled that the captured biometric identifiers and information can be used to determine her identity. Specifically, Javid alleges that MAC is capable of identifying her by pairing her captured biometric identifier with her MAC customer account. [1] ¶ 34. This account reflects her name,
date of birth, zip code, email address, and a list of past purchases, including purchases Javid made after she virtually tried on makeup in MAC’s store. Id. Javid also has a Facebook account that is searchable by her name and features a public photo of her face. Id. ¶ 35. According to Javid, anyone deploying facial recognition technology to scrape the internet can thus use her captured biometric identifier to identify her. Id. ¶¶ 13, 33. For the reasons that follow, Javid’s allegations pass muster. In Daichendt v. CVS Pharmacy, Inc. (“Daichendt II”), No. 22 CV 3318, 2023 WL 3559669, at *1 (N.D. Ill. May 4, 2023), the district court found that plaintiffs had sufficiently stated a claim under BIPA’s Section 15(b) after alleging that they
“entered their names, email addresses, and phone numbers into a computer terminal inside defendant’s stores prior to scanning their biometric identifiers.” Here, Javid alleges that MAC had access to similar personal information about her through her customer account. MAC tries to distinguish Daichendt II by focusing on the temporal aspect of the pertinent allegation: that the plaintiffs there provided defendant CVS with their contact information “during the process of verifying plaintiffs’ features.” [27] at 11 (citing Daichendt II, 2023 WL 3559669, at *2 (emphasis in original). By
contrast, Javid has not alleged that she created her MAC customer account during the virtual try-on process. MAC therefore argues that she has failed to plausibly allege any link or connection between the collected biometric data and the customer account. Id. at 12. Certainly, the fact that the Daichendt II plaintiffs provided defendant CVS with their “real-world identifying information” just before providing their biometric
identifiers strengthened the plausibility of their allegation that CVS could connect the two data sets to identify the plaintiffs. 2023 WL 3559669, at *1. But that doesn’t make temporal proximity a requirement for stating a claim under BIPA’s Section 15(b). As Zellmer would put it, that’s a sufficient, but not necessary, condition. For example, in Castelaz, the district court relied on Daichendt II to conclude that the plaintiffs there fell short of alleging that the defendant was able to determine plaintiffs’ identities through collected facial scans. 2024 WL 136872, at *7. This failure, however, did not result simply because the plaintiffs failed to allege that they tendered contact information at or near the time they shared their biometric
identifiers. Rather, the plaintiffs in Castelaz had failed to provide “any specific factual allegations” that defendant was capable of determining plaintiffs’ identities “by using the collected facial scans, whether alone or in conjunction with other methods or sources of information available to [defendant] (e.g., the user’s account information such as their name, email, physical address, etc.).” Id. (emphases added). In other words, Castelaz recognized that a plaintiff could sufficiently allege an ability to identify from biometrics using “other methods or sources of information” beyond the
particular facts alleged in Daichendt II. Likewise, in Bell v. Petco Animal Supplies Stores, Inc., it was enough that plaintiffs had alleged mere “access to [plaintiffs’] names and to the patterns of their voices.” No. 1:22-cv-06455 (N.D. Ill. May 11, 2023), Dkt. 23 at 4, n.6. From this allegation, the district court in Bell concluded that it was “reasonable to infer that defendant (or someone else) who gained access to the data derived from plaintiffs’
voices could have used it to identify them.” Id. See also Rodriguez, 2025 WL 672951, at *17 (denying motion to dismiss where plaintiffs allege that defendant’s app “‘collect[ed] a broad array of private and personally identifiable data’ that (at least in theory) could have been used to connect plaintiffs’ voiceprints and face scans to their identities,” even through the complaint did not specify when the personal information was collected relative to the biometric identifiers or how precisely any connection could be made). Here, the Court considers Javid’s allegations that MAC had access to her
personal information through an existing customer account; that the customer account reflected her past purchases, including purchases made during the same store visit as a virtual try-on; and that MAC had financial incentives to encourage its customers to virtually try on its products. [1] ¶¶ 34, 40. Crediting these allegations as true, drawing all reasonable inferences in Javid’s favor, and relying “on its judicial experience and common sense” to assess the plausibility of Javid’s claim, see Iqbal, 556 U.S. at 679, the Court concludes that Javid has sufficiently alleged that her
captured biometric identifier could be used to identify her. The “clear preexisting relationship” between Javid and MAC supports the inference that biometrics collected by the commercial retailer could be used to identify its customer. See Konow, 721 F. Supp. 3d at 758. Doing so would permit the retailer to amass a host of valuable information—e.g., who used its virtual try-on mechanism, what products this customer virtually tried on, and whether the virtual try-on
converted into actual sales. Consistent with Javid’s allegations, this information then could be used to inform marketing and advertising efforts and, in turn, to enhance sales. [1] ¶ 40. Put another way: Just as a truck company has an “obvious” incentive to use facial scans collected to analyze driving behavior to identify a particular driver, so, too, does MAC have an incentive to leverage the information collected through its virtual try-on devices to identify a preexisting customer and boost the company’s performance. Konow, 721 F. Supp. 3d at 758.5 Of course, it remains to be seen, via discovery, whether MAC (or another
entity) was capable of connecting the dots between the collected biometrics and the customer account information to make a real-world identification. But for now, Javid has sufficiently alleged that capability. 3. Intentional or Reckless Violations of BIPA
MAC moves to dismiss Javid’s demand for enhanced statutory damages based on its allegedly intentional and reckless conduct. The Court agrees with Javid, however, that she is not required to make specific allegations about MAC’s mental state to successfully plead a BIPA claim and that she does not need to plead facts to show her entitlement to specific form of relief. See Davis v. e.l.f. Cosms., Inc., No. 22 C 5069, 2024 WL 2722663, at *9 (N.D. Ill. May 28, 2024) (collecting cases); Sosa v. Onfido, Inc., 600 F. Supp. 3d 859, 874–75 (N.D. Ill. 2022); see also Fed. R. Civ. P. 8(a)(3). This aspect of MAC’s motion is therefore denied.
5 Given this analysis, the Court does not need to separately consider whether Javid’s allegations regarding her Facebook account also permit her to state a claim under BIPA’s Section 15(b). CONCLUSION For the foregoing reasons, the Court denies defendant’s motion dismiss brought under Federal Rule of Civil Procedure 12(b)(6). [11]. The parties are directed to file a joint status report by 6/18/2026 with a proposed discovery schedule.
ENTER:
Date: 6/4/2026 eats Georgia N. Alexakis U.S. District Judge