How Beauty Brands Address Data Compliance Risks in China


Introduction:

The beauty industry is embracing cutting-edge digital technology as a means by which to connect with consumers. Cosmetic brands are introducing interactive entertainment and hi-tech experiences as part of their consumer outreach program. Part of this digital transformation is enhanced capability in storing and analyzing consumer data.

This article uses the scenarios of “virtual makeup” and “bespoke skincare”, together with the typical role of the “Beauty Adviser”, to discuss how cosmetics companies need to address data compliance risks if they are to make a splash in the future.

I. “Virtual makeup” and facial recognition technology

Virtual makeup functionality is crucial for many of today’s leading beauty brands. One leading provider of beauty technology solutions claims its virtual makeup app has over one billion downloads worldwide[1]. Use of virtual makeup technology leads to much higher consumer conversion rates, and as a result cosmetic brands are rushing to debut their “virtual makeup” on the platform.

However, this technology does not just increase sales but also increases privacy concerns.

Facial recognition is the core technology behind virtual makeup: the outline of the user’s face is captured and then used to generate true-to-life makeup effects powered by augmented reality and artificial intelligence.

To accurately track faces and achieve an ultra-realistic makeup experience, virtual makeup technology needs to capture a large amount of information about the individual’s face. The more facial feature points tracked on the consumer’s face, the more lifelike the makeup becomes. For beauty and medical aesthetics applications, which demand a high-precision description of the face, more than one thousand key feature points may be needed to accurately outline the shape of the face and the position of the five key facial features.

1. Key regulations on “facial information”

Recently, a well-known cosmetics company in the United States was accused of violating the Illinois Biometric Information Privacy Act (“BIPA”) by collecting “biometric information” on its consumers’ facial features through the virtual makeup tools provided on its official website. According to public disclosures, the company’s privacy policy did not notify consumers that it collects, captures, and otherwise obtains and stores consumers’ biometric information.

Similarly, in China improper use of facial information is an increasingly common complaint. In 2021, several physical stores in China were fined for installing facial recognition systems for customer flow statistics and consumer analysis without consumer consent, or even informing consumers of the purpose of collection. The information collected included headcount, male-to-female ratio, and consumers’ ages.

As much of the economy becomes increasingly digitalized, the use of personal facial information has become a daily fact of life: when you travel, when you pay, when you need to prove who you are. As a result, facial information is not only linked to the person but can also be closely linked to personal financial information and spending habits. If facial information is misappropriated or publicly disclosed, this may cause significant damage to the safety of consumers’ persons and property.

China’s promulgation of the Personal Information Protection Law (the “PIPL”) and the Provisions of the Supreme People’s Court on Several Issues Concerning the Application of the Law to Civil Cases Involving the Processing of Personal Information by Using Facial Recognition Technology (the “2021 Judicial Interpretation”) aim to strictly regulate “facial information”. Cosmetic companies need to pay attention to the following aspects of the virtual makeup business scenario.

(1) Principle of notice and consent in “virtual make-up”

Facial features, together with genes, fingerprints, voiceprints, palm prints, auricle (part of the ear for the non-doctors) and irises, all fall within the category of personal biometric information[2]. Under the PIPL, facial information is protected as sensitive personal information[3]. This means personal information processors are required to obtain separate consent for collecting and processing it[4]. Also, according to the 2021 Judicial Interpretation, consent to the processing of an individual’s facial information cannot be relied upon where it was obtained through bundled authorizations[5].

This is relevant for “virtual makeup” apps, as they rely on consumers turning on their computer or cell phone cameras so that real-time videos or photos of their faces can be taken and the virtual makeup tried on them. A number of platforms also allow consumers to upload their videos or photos to share their experience. Consumers’ separate consent is required in such circumstances.

Some companies seek to obtain consumers’ “implied consent” covertly when consumers use virtual makeup apps. This may entail use of a pre-selected checkbox, or bundling the act of capturing facial features with other functions or processing activities (such as sending marketing messages, personalized recommendations, optimizing facial recognition algorithms, etc.) in order to obtain consumers’ consent (this is the “bundled” consent referred to above). This may impair consumers’ right to choose and therefore violate the principle of voluntariness under the PIPL. In other cases, companies use standard contractual clauses to seek unlimited, irrevocable, and arbitrary sublicense rights over the processing of facial information. Such standard clauses may well be found invalid[6].

In addition to online channels, consumers can also have virtual makeup experiences through “smart makeup mirrors” in physical stores. In these cases, consumers tap the mirror, or use virtual makeup tools (e.g. an in-store tablet or their own cell phone), to experience the service. A particular concern in this offline scenario is that store staff often handle the process on the consumer’s behalf, skipping the step of obtaining the consumer’s informed consent and thereby bypassing many of the consumer protections. This violates the requirement to obtain separate and express consent for collecting sensitive personal information.

To address these concerns, beauty brands should:

  • inform consumers of the significant impact that processing sensitive personal information has on their rights and interests, so that consumers can give full and informed consent;
  • make consent for facial information processing separate from any other consent;
  • ensure settings are such that each new consumer must provide his or her own consent (i.e. to avoid any mismatch between the data subject and the person giving consent).

(2) Storing “facial information”

Consumers concerned about misuse of their facial information may raise questions such as “Does facial recognition involve saving my data?”, “Where are my facial images being stored?”, “Who has access?”, “Why do they need to save my facial data” and “Is my facial information encrypted?”

Chinese law addresses most of these concerns. According to the PIPL, personal information shall be kept for the minimum period needed to achieve the purpose of processing[7]. Accordingly, companies should keep consumers’ facial information only for as long as is necessary to provide virtual makeup services and, absent justifiable reasons, must take the initiative to delete it. The national standard “Information Security Technology – Personal Information Security Specification” (GB/T 35273-2020) imposes stricter requirements for the storage of facial information. In principle, companies should not store original personal biometric information, such as the facial images originally collected; if storage is necessary, companies should store only summary information derived from the facial images, that is, the original images should be technically processed so that the stored information cannot be reversed to reveal the original face[8].

If a company stores consumers’ facial information based on consumers’ consent, then the company is required to take necessary technical measures to ensure a secure storage environment which prevents facial information from being leaked, tampered with, or lost.

In respect of processing facial information in conjunction with other consumer identifying information, the company must ensure the facial images and consumers’ identity information[9] are stored separately.
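As an added illustration (not code from this article or from any brand’s system), the following Python sketch models the requirements of this section and of the consent list above: separate, explicit consent per purpose with no pre-ticked defaults; identity data and facial summaries held in separate tables linked only by a random token; only an irreversible summary retained, never the raw feature points; and deletion on retention expiry or consent withdrawal. The salted SHA-256 digest stands in for whatever irreversible summary a real system derives; class names, Unix-second timestamps and sample values are all assumptions.

```python
import hashlib
import os
from dataclasses import dataclass, field

# Purposes are consented to one at a time: marketing or algorithm-improvement
# consent never implies consent to facial-information processing.
FACIAL_PURPOSE = "facial_processing"


class ConsentError(Exception):
    """Raised when an operation lacks the separate, explicit consent it needs."""


class ConsentLedger:
    """Per-consumer, per-purpose consent records: no bundling, no defaults."""

    def __init__(self) -> None:
        self._grants = {}  # consumer_id -> set of purposes explicitly consented to

    def grant(self, consumer_id: str, purpose: str, explicit: bool = False) -> None:
        # A pre-ticked box or a bundled clause reaches this call as explicit=False
        # and is refused; only a deliberate act by this consumer is recorded.
        if not explicit:
            raise ConsentError(f"{purpose}: consent must be an explicit act by the consumer")
        self._grants.setdefault(consumer_id, set()).add(purpose)

    def withdraw(self, consumer_id: str, purpose: str) -> None:
        self._grants.get(consumer_id, set()).discard(purpose)

    def has(self, consumer_id: str, purpose: str) -> bool:
        return purpose in self._grants.get(consumer_id, set())


@dataclass
class FacialSummaryStore:
    """Irreversible facial summaries in one table, identity data in another, linked
    only by a random token so neither alone ties a face to a named consumer. Times
    are plain Unix seconds (assumed)."""

    retention_seconds: int
    ledger: ConsentLedger
    identities: dict = field(default_factory=dict)  # token -> consumer_id
    summaries: dict = field(default_factory=dict)   # token -> summary record

    def process_session(self, consumer_id: str, feature_points: bytes, now: float) -> str:
        """One virtual try-on session: the feature points are used in memory only."""
        if not self.ledger.has(consumer_id, FACIAL_PURPOSE):
            raise ConsentError("separate consent for facial processing is missing")
        token = os.urandom(16).hex()
        salt = os.urandom(16)
        # Stand-in for the standard's "summary information": a salted digest of
        # the feature points, which cannot be reversed into the original face.
        digest = hashlib.sha256(salt + feature_points).hexdigest()
        self.identities[token] = consumer_id
        self.summaries[token] = {
            "salt": salt.hex(),
            "digest": digest,
            "expires_at": now + self.retention_seconds,  # shortest period for the purpose
        }
        return token

    def purge_expired(self, now: float) -> int:
        """Delete records whose retention period has passed; returns the count."""
        expired = [t for t, rec in self.summaries.items() if rec["expires_at"] <= now]
        for token in expired:
            self._delete(token)
        return len(expired)

    def erase_consumer(self, consumer_id: str) -> int:
        """Delete everything held for a consumer, e.g. when consent is withdrawn."""
        tokens = [t for t, cid in self.identities.items() if cid == consumer_id]
        for token in tokens:
            self._delete(token)
        self.ledger.withdraw(consumer_id, FACIAL_PURPOSE)
        return len(tokens)

    def retains_raw(self, feature_points: bytes) -> bool:
        """Review self-check: the raw feature points must never appear in storage."""
        needle = feature_points.hex()
        return any(needle in r["salt"] or needle in r["digest"] for r in self.summaries.values())

    def _delete(self, token: str) -> None:
        self.identities.pop(token, None)
        self.summaries.pop(token, None)
```

A production system would back the two dictionaries with separately access-controlled stores and run the purge on a schedule; the in-memory version only shows the checks that have to hold.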

II. “Bespoke skincare” and personalized recommendations

Consumers are increasingly looking for bespoke solutions. Traditional mass-produced, one-size-fits-all beauty products no longer meet modern consumer demand for tailored skincare.

Bespoke cosmetics is characterized by product customization together with personalized recommendation. On the one hand, companies develop beauty products containing different ingredients for different skin problems, based on consumers’ skin conditions such as dryness, acne, and wrinkles. On the other hand, companies recommend suitable products to consumers based on their specific skin type, age, living area, dietary habits, etc. This may mean anti-aging products for the mature-skin group, and low-irritation products with anti-allergy ingredients for the sensitive-skin group.

Bespoke skincare raises the following issues.

1. Skin testing and consumer questionnaires

To obtain a bespoke solution the consumer will need to share information with the beauty brand. Typically, this will be achieved through the completion of a detailed and comprehensive personalized questionnaire. These questionnaires may be distributed via channels such as e-commerce apps, mini-programs or web pages to collect information on consumers’ age, gender, living environment, living habits and skincare preferences.

In addition, skin detection technology enables beauty brands and beauty salons to conduct on-site testing of consumers' skin. The skin testing equipment often needs to collect facial images of consumers, and then use technical means to analyze information such as skin color, stratum corneum thickness, water content, sebum secretion, wrinkles and spots.

When collecting personal information through questionnaires and skin testing equipment, companies should focus on the following:

1. Informed consent: companies must obtain separate consent and inform the consumer truthfully, accurately and completely in a prominent manner and in clear and understandable language. For instance, companies need to clearly inform consumers of the name and contact details of all personal information processors, processing purpose, the processing method, type of personal information collected, retention period, etc.[10]

2. Minimum and necessity: companies must adequately respect the will of the individual and must not force consumers to provide non-essential personal information by otherwise refusing to provide the service. Companies can assess whether excessive access to consumers’ personal information is being sought by reference to two considerations: firstly, the minimal scope of personal information collected, that is, the personal information collected should be directly related to fulfilling the skin testing function; and secondly, the appropriateness of processing, that is, processing with the minimum impact on consumers’ rights.

3. Special requirements for human genetic resources: some beauty brands go beyond questionnaires and skin tests and offer genetic testing services. This involves analyzing unique genetic characteristics of consumers' skin by way of examining their genetic sequences.

Collecting or analysing human genetic material is a highly sensitive topic in China. When collecting and processing consumers’ genetic sequences, in addition to complying with all requirements for handling personal information, it is also necessary to comply with the laws and regulations governing human genetic resources.

According to the Regulations on Human Genetic Resources Management, companies collecting human genetic resources must obtain written consent and inform individuals of the purpose of the collection, application of the collection, possible health effects, measures taken to protect personal privacy, as well as the right to participate voluntarily and to withdraw unconditionally at any time[11].

Further, companies also need to pay attention to any potential cross-border transmission of such data. China does not allow institutions established or under the effective control of foreign entities or individuals to collect or store human genetic resources in China[12]. In addition, the trading of human genetic resources is strictly prohibited and storage of human genetic resources is subject to approval by the science and technology administration department of the State Council of China[13].

2. The boundaries of precision marketing in “bespoke skincare”

Bespoke skincare holds out the possibility to accurately market specific beauty products to consumers who will then reap the benefit of a more targeted skincare solution. However, there are limits to what companies can do with consumer information for personalized marketing.

First, companies cannot use biometric information to make other targeted offers to consumers. According to the Basic Requirements for the Protection of Biometric Information in Information Security Technology (GB/T 40660-2021), companies should not carry out user profiling, statistical analysis or personalized recommendations based on biometric information itself[14]. Given that genetic sequences and facial images are biometric information[15], companies should, with the consumer’s consent, carry out skin analysis and make personalized recommendations based only on the results of that analysis. Companies should not use the raw genetic-sequence or facial-image data itself for user profiling or personalized recommendations, which includes not sending commercial messages based on personal genetic or facial recognition features.

Second, companies cannot force consumers to give their consent. Companies relying on online channels such as app platforms and mini-programs to collect personal information through questionnaires should not set default consent for the use of personal information in personalized recommendation activities. In beauty apps or retail platforms, personalized recommendation services should not be bound up with basic services in order to obtain bundled consent from consumers, nor should personalized recommendations be activated by default.

Third, companies cannot link biometric information with other consumer data they have collected. In “bespoke skincare”, beauty brands may collate consumer data collected from testing equipment and questionnaires together with data held in their R&D database. Such collated data is not only stored but also linked to the WeChat app or other public platforms, enabling future personalized pushes directly to a consumer’s private account. If a beauty brand obtains information such as the consumer’s WeChat avatar through an API in the later stages of the skin test, it is required to inform consumers completely and truthfully and obtain their consent. In addition, beauty brands should provide consumers with a convenient way to turn off personalized recommendations at any time.

III. Behavior control of beauty adviser and employees

Beauty advisers (also known as BAs) play an important role in the China market when consumers make decisions on skincare and makeup products. Beauty advisers need to combine their expertise with consumers’ individual needs to accurately recommend products and services. For this reason they will normally establish a closer relationship with consumers than other employees of a brand do. In addition to services provided in general business scenarios, such as in-store consultation, product/service ordering and after-sales service, beauty advisers are often responsible for online or offline marketing and regular consumer return visits.

1. “Exclusivity” of beauty advisers

The one-on-one and continuing exclusive consumer service means that beauty advisers often require long-term communication so the consumer’s needs are comprehensively understood. Personal beauty advisers may remind a consumer to prepare specialized skincare or makeup products for specific scenarios based on personal information about a consumer’s family members or recommend “anti-glycation” skin care products based on knowledge of a consumer’s lifestyle habits, such as having a sweet tooth.

Also, to maintain the relationship with the consumer and increase repeat business, some beauty brands’ online stores will automatically pop up a window when consumers log in and assign them a dedicated beauty adviser. In China these beauty advisers will often try to become a WeChat friend of the consumer in order to maintain the relationship. This personal touch is becoming an increasingly important way for beauty brands to collect consumer information and provide all-round service to consumers.

When beauty advisers chat with consumers online, provide video consultations, or send invitations to events and other services, they will invariably obtain consumers’ basic information, preferences, purchasing intentions, and other data. This inevitably involves collecting and processing a large amount of personal information. The exclusive service provided by beauty advisers differs from the traditional questionnaire or collection of personal information through a website, and makes it challenging for brands to control beauty advisers’ conduct. The absence of clear boundaries between individual behavior and corporate behavior could lead to excessive access to consumers’ personal information or use of such information without consent. In particular, when beauty advisers interact with consumers directly through personal WeChat or other private channels, it is difficult for companies to effectively supervise or manage their behavior; indeed, advisers may pass altered or incomplete information on to the company. If companies lack clear guidelines and restraint mechanisms limiting the scope of personal information collected and the ways it may be shared, data such as chat records and consultation videos between beauty advisers and consumers may be secretly recorded, sold, or leaked. All of these are serious potential data compliance risks for companies.

2. “Mobility” of beauty advisers

Beauty advisers in the cosmetics industry are usually highly mobile, and brands may hire students, white-collar workers, and internet bloggers on a part-time basis to expand their consumer base. The risk of data leakage for cosmetic companies can originate from multiple sources, including unclear delineation of access rights for beauty advisers and related employees, insufficient training on data security awareness, or inadequate technical protection measures. For example, when beauty advisers or employees are tempted by external interests or have disputes with the company, they may use their positions to obtain the personal information of consumers or employees and then sell or leak it to third parties. If a company does not establish an effective data security response mechanism to identify security events, the result may be a larger data leakage event, which will not only damage the company’s reputation but also seriously affect its normal business activities.

3. Internal control risks for staff and beauty advisers

In practice, data leaks caused by insiders of companies do occur.

In one case, an employee of a cosmetics company used his administrator account to steal consumers’ personal information for subsequent sale to a third party. This act grievously harmed his employer’s listing.

In another case, a customer service agent at a telecommunications operator called consumers asking them to redeem their points for gifts as soon as possible because the points were about to expire. He then sent a link to the consumers’ cell phones via SMS and stole their personal information through that link.

As beauty advisers and employees pose risks to brands when processing consumer personal information, it is crucial to have a system in place to keep consumer data safe.

Brands should build internal data security response mechanisms so as to prevent problems before they occur.

At a system level, it is important to clarify the scope of authorization and corresponding responsibilities of persons in charge and employees when formulating internal norms for each department and business link. Employees at different levels should be given different data processing authority and access.

At a technical level, it is far better for brands to actively build a unified online customer relationship management (CRM) platform that collects consumers’ personal information in a closed loop, so as to prevent unauthorized personnel and third parties from accessing and acquiring personal information.

At a management level, companies need to manage employees on a full-cycle basis. In addition to requiring employees to sign appropriate confidentiality agreements, brands also need to conduct regular data compliance training for employees so as to enhance their awareness of the protection of consumers’ personal information.

Conclusion:

The implementation of the PIPL has led to Chinese consumers becoming more aware than ever of the importance of protecting their personal information as well as their avenues to defend their rights.

Beauty brands, which frequently interact with consumers for product development and marketing purposes, find that the collection and processing of large amounts of consumer-related data at all stages of their business activities is crucial for their success.

With the growing importance of technology (AI, digital platforms, etc.) and immersive consumer scenarios and models, it is increasingly important for beauty brands to regulate the collection and processing of consumer personal information. In particular, beauty brands (including e-commerce platforms and brands) will face increasingly stringent regulation of the processing of consumer personal information. Accordingly, brands need to pay due attention to data compliance, guard against possible risks in their operations, strive for sound, long-term operations and harness the power of technology and the digital economy to develop a "beautiful new world" of consumer interaction.

Thanks to Mi Hualin (Intern) for her contribution to this article.

References

  • [1] https://www.perfectcorp.com/zh-cn/business/news/2022-Q3-trend-report-CHS
  • [2] Information Security Technology – Personal Information Security Specification, Article 5.3 (c).
  • [3] Personal Information Protection Law, Article 18.
  • [4] Personal Information Protection Law, Article 29.
  • [5] Provisions of the Supreme People’s Court on Several Issues Concerning the Application of the Law to Civil Cases Involving the Processing of Personal Information by Using Facial Recognition Technology, Article 4.
  • [6] Provisions of the Supreme People’s Court on Several Issues Concerning the Application of the Law to Civil Cases Involving the Processing of Personal Information by Using Facial Recognition Technology, Article 11.
  • [7] Personal Information Protection Law, Article 19.
  • [8] Information Security Technology – Personal Information Security Specification, Article 6.3.
  • [9] Information Security Technology – Personal Information Security Specification, Article 6.3.
  • [10] Personal Information Protection Law, Article 17.
  • [11] Regulations on Human Genetic Resources Management, Article 12.
  • [12] Regulations on Human Genetic Resources Management, Article 7.
  • [13] Regulations on Human Genetic Resources Management, Article 14.
  • [14] Basic Requirements for the Protection of Biometric Information in Information Security Technology, Article 7.
  • [15] Basic Requirements for the Protection of Biometric Information in Information Security Technology, Article 3.3.
