Digital Audit - L’Oréal S.A.

Audit Phase: Digital (Digital / Technology Forensics) Subject Entity: L’Oréal S.A. (Euronext Paris: OR) Registered Address: 14 rue Royale, 75008 Paris, France Audit Date: June 2026 Evidence Base: Published corporate disclosures, vendor and L’Oréal press releases, trade and technology press, court filings, regulatory decisions, and named-source reporting. All factual claims are drawn from publicly available sources cited in the End Notes.

Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The directionally serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - L’Oréal procuring technology from, or acquiring, Israeli-origin vendors - is a customer/owner relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed: an Israeli vendor’s other clients, its founders’ backgrounds, or a parent group’s separate activities are not attributed to L’Oréal. US-entity relationships (e.g. Microsoft, Nvidia, IBM, Salesforce, Google as a US parent) are not Israeli-origin and are noted only for completeness. Where a cyberattack was done to L’Oréal, this is recorded as digital context, not provision.

Enterprise Technology Stack & Vendor Relationships

Strategic Cloud & Platform Partnerships (Direction: L’Oréal as customer)

L’Oréal’s principal disclosed enterprise cloud relationships are with US-headquartered hyperscalers and platform vendors. L’Oréal built a Talend-based data lake for its Research & Innovation department on a private Microsoft Azure infrastructure-as-a-service environment, ingesting robotic, laboratory, image-based and marketing data and processing reported volumes of around 50 million data points per day; this was an operational system as of reporting in October 2019.¹ Microsoft is a US entity and this is recorded for completeness only.

In 2025 L’Oréal announced a strategic partnership with Google Cloud centred on its Beauty Tech Data Platform and on generative-AI content creation, using Google’s BigQuery, Apigee API management, and the Imagen, Gemini and Veo generative models.²³ Google LLC is a US entity; the partnership is contracted at that level and is not an Israeli-origin vendor relationship. (Google’s separate ownership of an Israeli-origin vendor, BreezoMeter, is treated below.)

Enterprise Applications & Systems Integrators (Direction: L’Oréal as customer)

L’Oréal runs SAP (German-origin) enterprise software and has adopted Salesforce (US-origin) Commerce Cloud and Marketing Cloud for CRM and e-commerce consolidation, reported from 2022.⁴ OpenText (Canadian-origin) document-presentment software is documented alongside its SAP environment, and Accenture (Ireland-domiciled) is a documented global systems integrator across SAP/Salesforce/Microsoft platforms for companies of L’Oréal’s profile.⁴ No public evidence was identified that any of these engagements mandated or deployed Israeli-origin technology within a named L’Oréal programme.

Israeli-Origin Technology Vendors in the L’Oréal Stack (Direction: L’Oréal as customer)

BreezoMeter - In December 2021 L’Oréal announced a strategic partnership with BreezoMeter, an Israeli (Haifa-founded) environmental-data/climate-tech company, to build an “exposome” platform analysing how air quality, pollen and environmental factors affect skin ageing for consumer skincare services.⁵ BreezoMeter (founded 2014) was subsequently acquired by Google in September 2022 for a reported sum above US$200m and folded into Google’s environmental products.⁶ In this relationship L’Oréal is the customer/partner consuming environmental data; it is an inbound procurement relationship, not a provision of technology to any Israeli entity.

Cybersecurity Vendor Stack

L’Oréal’s Universal Registration Documents identify cybersecurity as a principal enterprise risk but do not name specific endpoint, network, SIEM, or cloud-security vendors in the public versions reviewed.⁷ No public evidence was independently identified confirming a licensing, subscription, or integration relationship between L’Oréal and any Israeli-origin cybersecurity vendor - including Check Point, Wiz, CyberArk, SentinelOne, Claroty, Verint, or NICE. General reporting confirms these are Israeli-founded firms, but none was linked to L’Oréal’s environment in any independently sourced record reviewed. Because the security-product stack is undisclosed, Israeli-origin cybersecurity-vendor exposure cannot be positively excluded on public evidence.

Procurement Transparency Constraints

L’Oréal is a private-sector company not subject to public-procurement disclosure obligations. Vendor relationships below the level of named, publicly announced partnerships are not in the public domain, and the full security/IT vendor stack is undisclosed. This is the principal evidence gap in this domain.

Surveillance, Biometrics & Retail Technology

Facial-Geometry Collection - Virtual Try-On (ModiFace) & BIPA Litigation

L’Oréal’s consumer-facing “virtual try-on” tools collect facial-geometry data via ModiFace, the augmented-reality engine L’Oréal acquired in 2018. ModiFace performs real-time facial-feature tracking, measuring reported parameters such as lip and eye edges, iris size and location, head pose, and skin features.⁸⁹ In March 2022 a proposed class action (Kukovec v. L’Oréal USA Products, Inc., N.D. Ill. 1:22-cv-01453) was filed alleging that L’Oréal’s ModiFace-powered “Try It On” tool captured Illinois residents’ facial-geometry biometric identifiers without the informed written consent and disclosures required by the Illinois Biometric Information Privacy Act (BIPA).¹⁰¹¹ In September 2024 an Illinois federal judge declined to dismiss the suit and declined to compel arbitration, finding the plaintiff had plausibly alleged collection of biometric identifiers and that L’Oréal’s privacy policy did not specifically address scans of facial geometry.¹² This is a US domestic biometric-privacy matter concerning consumer data, with no identified Israel nexus. ModiFace is documented in primary L’Oréal and Reuters sources as a Canadian-origin company (founded in Toronto by Parham Aarabi, with research ties to the University of Toronto); some trade outlets have loosely labelled it “Israeli,” but the primary record places its origin and continued base in Canada.⁸⁹

Israeli-Origin Surveillance / Biometric Vendors

No public evidence was identified that L’Oréal has deployed facial-recognition, biometric-identification, gait-analysis, or in-store behavioural-analytics technology of Israeli origin (e.g. Oosto/AnyVision, BriefCam, Trigo) for loss prevention, frictionless checkout, workforce monitoring, or store traffic analytics. The facial-geometry collection documented above is consumer-facing cosmetic simulation via ModiFace (Canadian-origin), not an identity-surveillance deployment. No public evidence identified of Israeli-origin surveillance vendors.

Retail Shelf Analytics

Trax (Israeli-founded, headquartered in Singapore) provides image-recognition shelf-monitoring used by FMCG companies. No public evidence was identified of a direct, named L’Oréal–Trax contract or integration in any public record. No public evidence identified.

Predictive Analytics, Workforce Monitoring & Social-Media Surveillance

No public evidence identified of L’Oréal deploying Israeli-origin predictive-analytics, sentiment-analysis, social-media-monitoring, or workforce-surveillance tools.

Third-Party Mediated Surveillance Technology

L’Oréal sells through thousands of third-party retail touchpoints (department-store counters, partner retailers). Whether any third-party retailer deploying Israeli-origin shelf or video analytics does so specifically within L’Oréal-branded environments is not determinable from public sources. No public evidence identified linking any such deployment to L’Oréal.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Data Centre Operations in Israel

No public evidence was identified that L’Oréal operates, leases, or co-locates data-centre infrastructure within Israel. L’Oréal maintains a commercial and corporate subsidiary in Israel (L’Oréal Israel Ltd, headquartered in Netanya, with a distribution centre in Caesarea), but the public record describes this as an import/distribution and corporate operation rather than a data-centre or data-sovereignty operation.¹³¹⁴

Project Nimbus & Israeli State Cloud Infrastructure

Not applicable. Project Nimbus is the Israeli-government cloud contract awarded to Google Cloud and Amazon Web Services; L’Oréal is a consumer-goods company, neither a participant nor a sub-provider. No public evidence was identified of L’Oréal involvement in any Israeli state-backed digital-infrastructure programme.

Data-Sovereignty or Resilience Services to Israeli State Institutions

No public evidence identified. L’Oréal does not operate as a technology or cloud-service provider to any state body, Israeli or otherwise.

Defence, Intelligence & Security Sector Technology Relationships

Military & Intelligence Contracts

No public evidence was identified of any contract, partnership, memorandum of understanding, or service agreement between L’Oréal and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), or Israeli intelligence agencies (including Unit 8200-linked commercial entities). L’Oréal is a consumer-goods and cosmetics business and does not publicly operate in the defence-technology or security-services sector.

Provision of Technology / Data to the Israeli State or Military

No public evidence was identified of L’Oréal providing surveillance technology, data, software, cloud capacity, or digital services to the Israeli state, military, or security services. This is the directionally serious Digital case, and no qualifying evidence of it was found. No public evidence identified.

Dual-Use Technology Provision

No public evidence was identified of L’Oréal commercial technology - including ModiFace facial mapping, AI skin diagnostics, or recommendation engines - being reported or confirmed as deployed for military, intelligence, or law-enforcement surveillance applications in Israel or the Occupied Palestinian Territories.

Offensive Cyber Capability

No public evidence identified. L’Oréal does not develop, license, or sell offensive cyber capability. L’Oréal has, by contrast, been named as a target of claimed and confirmed cyber/data incidents (recorded below as digital context, done to the company): a December 2023 breach claim by the group “R00TK1T” that was unverified and unsupported by published evidence,¹⁵ and a 2018–2020 L’Oréal Singapore caching misconfiguration (exposing customers’ personal data to subsequent logged-in users) for which Singapore’s Personal Data Protection Commission issued a warning in January 2020.¹⁶ Neither incident has any nexus to provision of technology to Israel.

AI, Algorithmic & Autonomous Systems

AI/ML Provision to Israeli State Bodies

No public evidence identified. L’Oréal deploys AI/ML internally and in consumer products; no public evidence was identified of L’Oréal providing AI capability, model access, training data, or inference services to any Israeli state, military, or security body.

Consumer-Facing AI/ML Deployments (US-entity infrastructure)

L’Oréal operates substantial consumer AI within its “Beauty Tech” division, including ModiFace virtual try-on and the Vichy SkinConsult AI skin-diagnostic tool (graded against a databank of clinical and selfie images), running on Azure and Google Cloud infrastructure.⁹² In June 2025 L’Oréal announced a collaboration with Nvidia (US-origin) to scale generative and “agentic” AI - its CREAITECH content engine and the “Noli” AI beauty-discovery marketplace built on Nvidia AI Enterprise software and available on Microsoft Azure.¹⁷ In January 2025 L’Oréal and IBM (US-origin) announced a custom generative-AI foundation model for sustainable-cosmetics formulation research.¹⁸ These are US-entity AI relationships recorded for completeness; none was identified as involving Israeli state data or bodies.

Training Data & Model Development Involving Israeli Population Data

No public evidence was identified of L’Oréal’s AI or ML models being trained on Israeli population datasets, intercepted communications, or surveillance-derived data originating from Israel or the Occupied Palestinian Territories.

Internal Algorithmic Deployment - Israeli-Origin AI Tooling

Of the Israeli-origin technology identified in this audit, BreezoMeter supplied environmental-data AI consumed by L’Oréal for its exposome/skincare platform (L’Oréal as customer; vendor since acquired by Google).⁵⁶ No public evidence was identified of any other Israeli-origin AI vendor embedded in L’Oréal’s stack; the undisclosed full vendor list means secondary embedding within managed services cannot be positively excluded, but no such instance was identified.

Autonomous Systems & Lethality

No public evidence identified. The development or deployment of autonomous lethal systems is not within L’Oréal’s business domain.

Technology Ecosystem & R&D Footprint

Israeli R&D / Innovation Presence

L’Oréal maintains an active beauty-tech scouting and partnership function oriented toward the Israeli startup ecosystem. Its Israeli subsidiary’s public profile states that in Israel L’Oréal “identifies local technologies suitable to be integrated into the company’s business value chain,” operating a technological-incubator/scouting function and accessing breakthrough beauty-tech solutions.¹⁴¹⁹ L’Oréal Israel employs around 300 people across a Netanya headquarters and a Caesarea distribution centre.¹³ No public evidence was identified of a large-scale engineering/product-development R&D centre in Israel of the type maintained by major technology firms; the documented Israeli footprint is a commercial subsidiary plus a technology-scouting/incubator function.¹⁴¹⁹

Acquisitions & Investments in Israeli Technology Companies

L’Oréal has acquired at least one Israeli-origin technology company outright: in December 2014 it acquired Coloright, a Tel Aviv-based hair-fibre optical-reader / hair-colour diagnostic technology startup (founded 2002, reported ~50 employees, associated with Benny Landa, led by CEO Sagiv Lustig), integrating it into L’Oréal’s international Research & Innovation network.²⁰²¹²² This is an owner relationship - L’Oréal acquiring Israeli-origin beauty-tech IP for cosmetics research - not a provision of technology to any Israeli state entity. L’Oréal’s corporate venture fund BOLD (created 2018) is documented investing in beauty/biotech startups (e.g. SPARTY, Debut); no public evidence was identified in reviewed disclosures of a BOLD stake in an Israeli technology startup, though BOLD’s full portfolio is not comprehensively disclosed.²³

Patents & IP Co-Development with Israeli Institutions

No public evidence was identified of patent portfolios, licensing, or co-development arrangements between L’Oréal and Israeli academic institutions (Technion, Hebrew University/Yissum, Weizmann Institute), beyond the IP acquired with Coloright. The acquired Coloright IP entered L’Oréal’s research network in 2014.²⁰

Technology-Supply-Chain Due-Diligence Framework

No technology-supply-chain due-diligence framework specific to the national origin or geopolitical exposure of technology vendors is publicly documented by L’Oréal in the materials reviewed. No public evidence identified.

Civil Society Scrutiny & Regulatory History

NGO & Academic Scrutiny - Technology Supply Chain

No public evidence was identified of an NGO investigation, academic study, or UN report addressing L’Oréal’s technology relationships with the Israeli state, Israeli defence entities, or Israeli-origin vendors specifically. Civil-society attention on L’Oréal in relation to Israel has historically centred on its commercial and manufacturing presence in the Israeli market (the Economic domain), not on technology procurement or provision. No public evidence identified of technology-specific NGO scrutiny.

BDS & Boycott Campaigns

L’Oréal is a documented subject of BDS and boycott campaigning.²⁴ The publicly documented grounds relate to L’Oréal’s commercial presence and operations in the Israeli market, not to Israeli-origin technology procurement, software licensing, or digital-infrastructure provision. No public evidence was identified of a BDS or NGO campaign specifically targeting L’Oréal’s technology relationships.

Data-Protection & Biometric-Privacy Regulatory History

L’Oréal’s documented data/biometric regulatory exposure concerns its posture as a data controller of consumer data, not any Israeli-origin technology relationship: the ongoing Illinois BIPA class action over ModiFace-powered virtual try-on (surviving dismissal September 2024),¹⁰¹² and the January 2020 Singapore PDPC warning over a caching misconfiguration.¹⁶ No public evidence was identified connecting either to an Israeli state or Israeli-origin technology nexus.

Export Controls & Sanctions Authorities

No public evidence was identified of any action by export-control authorities, customs bodies, financial-sanctions authorities, or any equivalent body relating to L’Oréal technology sales, services, or data transfers to Israeli state entities. No public evidence identified.

Regulatory & Legal Actions - Technology Sales to Israeli State Entities

No public evidence identified of any regulatory, securities-regulator, export-control, or sanctions-body action relating to L’Oréal technology sales or services to Israeli state entities.

End Notes