What we call connected cosmetics actually refers to the Internet of things applied to beauty, which combines advanced technologies, cosmetic treatments, and products.

Offerings keep increasing on the cosmetics market, mirroring the emergence of a new segment of personalized services in the sector, as can be seen with:
• The mini-scanner that analyzes the epidermis and suggests personalized skincare products via a mobile application
• The facial mask fitted with integrated sensors that carries out a detailed, personalized diagnosis of the user’s needs
• The device that helps create our cosmetics ourselves, as it is connected to a platform which provides us with a detailed diagnosis of our skin data

The Internet of things in the cosmetics sector makes its players collect and process a wide range of personal data.

The notion of personal data

To make things clear, personal data are data that identify or recognize a physical person, directly or indirectly. They can be a last name, first name, date of birth, postal or email address, IP address of a computer, phone number, payment card…

It should be known that this issue is regulated in France. The Loi Informatique et Libertés no. 78-17 of 6 January 1978, which is associated with various implementing decrees, provides the framework for personal data collection and processing, by setting up different obligations data controllers must comply with.

The obligations

In substance, abiding by the French Loi Informatique et Libertés requires complying with the following main obligations.

Prior procedures with the Cnil (the Commission informatique et libertés in charge of data issues)
Apart from legal exemptions, companies must carry out the formalities required by the Cnil, like the authorization request or declaration for processing data. These procedures can be followed online, on the Cnil website.

Data quality
It is up to data controllers to make sure the collected data are adequate, relevant, exact, complete, updated, and not excessive in relation to the purposes for which they were collected or are further processed.

Purposes
The data shall be collected for specified, explicit, and legitimate purposes, and not further processed in a way incompatible with these purposes.

Information to the data subjects
Information to the persons concerned must not be omitted. Indeed, companies shall inform their customers of their right to query, access, amend, and object the information relating to them, as well as their right to oppose on legitimate grounds the processing of the data relating to them.

Other measures
Among the other applicable measures, there is also the obligation to define and implement a policy on the period of time during which personal data are stored, to implement measures to guarantee their confidentiality, and to control cross-border flows of data. In addition, the data controller shall ensure all data remain confidential.

The particular case of cookies

The development of cosmetics players’ websites and mobile applications also led to the rapid expansion of cookies. What is their legal framework? It is possible to use these cookies freely?

Cookies
Cookies are tracers placed on web users’ hard drives and used by the websites they visit to send information to web users’ browsers, so that these browsers can send back information to the original website (for example, a login ID, a language choice, or a date).

Obligation
The Law provides that cookies or other tracers cannot be stored or read on a web user’s hard drive if he has not given his consent after being previously informed (some exceptions apply).

In these conditions, the data controllers that implement cookies or other tracers shall:
• Inform web users about cookies beforehand (via a banner on the website or application the first time web users have visited the website)
• Obtain their prior consent

In a nutshell, the actions to be implemented regarding cookies are the following:
• Identifying the cookies and tracers used
• Identifying their purpose
• Determining their regime
• Creating or updating an information statement on cookies

From France to Europe

If using digital tools makes it possible to collect a wide range of personal data and, if need be, track a web user’s virtual behaviour or not, everyone must remain vigilant as regards the preservation of these personal data.

This issue is all the more relevant today, since a European regulation on personal data protection has just been promulgated. As a result, European companies are granted two years as from this date to comply with the new requirements set out in the Regulation.

Here are the key points of the regulation:
• Establishment of a right to digital oblivion for the persons concerned, as well as a right to data portability
• Obligation to implement data protection as early as the design phase and by default
• Principle of security by design
• Function of data protection officer
• Obligation of notification of personal data violations

The European Regulation is aimed to introduce mechanisms to guarantee the harmonized application of the legislation on data protection throughout the European Union.

Naima Alahyane Rogeon
Lawyer
Department Director
Alain Bensoussan Avocats