Introduction
In recent years, the fashion industry has undergone a radical transformation. Today, through online platforms, mobile applications, and advanced artificial intelligence, brands offer highly personalized experiences, recommending outfits based on individual preferences. As of 2026, personalization in digital fashion is going to be shaped by a tighter regulatory framework under the EU GDPR, EU AI Act, and EU Data Act, requiring brands to balance innovation with strict ethical and legal standards.
1. Fashion in the Digital Era
Digitalization has gone beyond simple e-commerce. Brands are now prioritizing immersive experiences through augmented reality (AR) and virtual reality (VR). These technologies often process biometric identifiers—such as facial geometry or body measurements for virtual fittings. According to current interpretations by European Data Protection Authorities, these activities require explicit consent and robust security measures, as they involve sensitive data that defines an individual’s physical identity.
2. Personal Data in Digital Fashion
Data collected by fashion companies can generally be categorized as follows:
- Identification data: name, email address, phone number, and postal address.
- Behavioral data: purchase history, browsing activity, clicks, time spent on pages, and style preferences.
- Biometric and other sensitive data: body measurements, 3D scans, images, and information derived from wearable devices.
- Synthetically generated data: AI-generated profiles used for testing or simulations, which must be clearly distinguished from real user data to prevent algorithmic bias and ensure transparency.
Improper processing of these data today results not only in GDPR fines but also in potential AI compliance penalties, which can be more severe for systems found to be manipulative, discriminatory, or misleading.
3. Regulatory Framework
While the GDPR remains the cornerstone of data protection, the legal landscape will be complemented by the EU AI Act and the Data Act in 2026. Fashion companies must ensure that their recommendation algorithms are transparent, explainable, and compliant with high-risk AI requirements. Furthermore, with the rollout of the Digital Product Passport (DPP), the concept of “data” in fashion now bridges the gap between consumers’ personal information and a product’s environmental footprint, creating a holistic transparency obligation that encompasses both user data and product lifecycle information.
4. Ethical Challenges
Beyond legal compliance, the use of personal data in digital fashion raises substantial ethical questions. Extreme personalization can lead to continuous consumer surveillance, potentially undermining trust between brands and customers. In addition, algorithmic systems that generate product recommendations based on demographic or behavioral data may produce discriminatory outcomes, such as limiting access to certain collections or price ranges for specific user groups.
Transparency remains a critical challenge, as many consumers are insufficiently informed about what data is collected and how it is processed. In this context, the principles of privacy by design and by default play a crucial role. Additionally, excessive personalization may contribute to the creation of “filter bubbles,” where users are repeatedly exposed to a narrow set of products, styles, or brands that align with their past behavior. This phenomenon can reduce consumer autonomy, limit exposure to diverse market offerings, and constrain the freedom to explore alternative identities within digital fashion environments.
Since 2024, the prohibition of dark patterns under the Digital Services Act has strengthened user protection by limiting manipulative interface design practices. From February 2025, the EU AI Act will further reinforce these safeguards by prohibiting certain forms of AI-driven behavioral manipulation that undermine users’ autonomy and decision-making. Together, these frameworks address both deceptive choice architectures and algorithmic nudging practices, promoting fairness and consumer autonomy on digital platforms.
The filter bubbles phenomenon is now directly addressed in the EU AI Act. From August 2, 2026, transparency obligations will come into force for AI systems that interact with humans or generate content. Under these rules, providers must ensure that users are aware of AI interactions, thereby mitigating the risk of opaque algorithmic confinement. Although the final deadline for systems embedded in high-risk regulated products extends to 2027, most recommendation engines used in retail must already comply with strict disclosure rules. Excessive personalization that confines consumers to a narrow set of options could be considered a risk to fundamental rights, such as informational self-determination. Under the AI Act, providers must implement risk assessments and mitigation strategies to ensure personalization does not inadvertently manipulate or unduly restrict users’ exposure to different products. By connecting this to Explainable AI, fashion brands must now not only protect data but also provide clear explanations of the rationale behind automated style decisions, strengthening consumer trust and mitigating the ethical risks associated with algorithmic bias or hidden nudging.
5. Practical Cases and Examples
5.1 Responsible Practices
- Burberry: The brand has experimented with blockchain-based systems, such as participation in the Aura Blockchain Consortium, to enhance product authenticity and traceability. These decentralized solutions aim to ensure transparency and data integrity while avoiding unnecessary exposure of sensitive personal information. They align with standards for the EU Digital Product Passport, scheduled to come into force in 2027, and strengthen both ethical and environmental transparency.
- Stitch Fix: This online personal styling platform relies extensively on customer data to generate personalized outfit recommendations. Users are informed about the nature and purpose of data processing activities and are required to provide explicit consent, contributing to greater transparency, trust, and compliance with AI and data regulations.
- Farfetch: As a global luxury e-commerce platform, Farfetch has implemented consent management tools and privacy by design practices that allow customers to exercise greater control over the information they share with brands and third parties, aligning technological innovation with ethical standards.
5.2 Risk and Breach Scenarios
Even established fashion brands have faced significant challenges in protecting personal data. While acknowledging that the following cases rely on public accounts and media reports documented during 2025, and without prejudice to the factual accuracy of such claims or ongoing legal outcomes, these examples offer critical insights into the industry’s vulnerabilities:
- Shein: The company has been reported to have faced substantial administrative sanctions from the French data protection authority (CNIL) in connection with its use of tracking technologies that allegedly did not fully comply with GDPR consent requirements.
- Kering Group (parent company of brands including Gucci, Balenciaga, and Alexander McQueen): Public reports indicate that a cyberattack in 2025 may have resulted in the exposure of customer data, such as names, email addresses, and phone numbers, leading to reputational concerns and regulatory attention.
- Louis Vuitton: The brand has reportedly experienced multiple data security incidents in different jurisdictions, including Hong Kong, prompting data protection authorities to launch investigations.
- SABO: An unsecured database was reported to have exposed large volumes of customer records, demonstrating the legal and fiduciary consequences of insufficient technical security measures.
These cases demonstrate that, beyond formal compliance, robust cybersecurity and data protection practices are essential. Inadequate safeguards may result in financial penalties, regulatory scrutiny, and a long-term erosion of consumer trust.
6. Conclusion and Future Perspectives
The Collection and processing of personal data has become a strategic necessity in digital fashion. Looking to the future, emerging technologies—including generative artificial intelligence and immersive metaverse environments—will pose new regulatory and ethical challenges. By 2026, the industry’s focus will have shifted toward Explainable AI, where fashion brands must not only protect data but also clearly explain the rationale behind automated styling recommendations. This dual focus on data protection and explainability should strengthen consumer trust, mitigate algorithmic risks, and ensure that personalization in fashion remains ethical, transparent, and legally compliant.
