Leo Weissburg, CLS ’21
You may not have heard of Clearview AI. However — if you are one of the hundreds of millions of Americans with a Facebook, Instagram, or Linkedin account — Clearview has almost certainly heard of you. Since 2016, Clearview has quietly “scraped” billions of publicly available photos from millions of websites.[i] Clearview has used these photos to create a powerful facial recognition app: users simply upload a photo of a person, and Clearview’s app provides links to other publicly available photos of the person — such as their Facebook profile.[ii] Clearview’s database is orders of magnitude larger than typical law enforcement facial recognition databases — which draw mostly from drivers’ license, passport, and jail booking photos.[iii] Clearview counts Walmart, the NBA, ICE, and hundreds of local police departments among its clients.[iv] Since January 2020, when New York Times reporting first brought Clearview’s activities into the public eye, Clearview has been subject to numerous legal threats.
Congress has not yet enacted a general federal data privacy law.[v] However, some indications suggest that one may not be far off. California has passed the California Citizens’ Privacy Act (CCPA), a broad data privacy statute modeled on the European Union’s recently enacted General Data Protection Regulation (GDPR).[vi] Many state legislatures are considering similar proposals.[vii] Concerned that technology companies may face inconsistent (and strict) state privacy regimes, the Chamber of Commerce supports federal legislation in principle.[viii] Two proposed bills await consideration in the Senate, one supported by the Republican caucus and another supported by the Democrats.[ix] Concerns about Clearview’s practices may help spur action — Senators Ed Markey and Ron Wyden have sent letters to the company questioning their practices and seeking additional information.[x]
Until Congress enacts federal privacy legislation, affected parties must rely on state law remedies — or pursue theories unrelated to data privacy. Today, the CCPA is the nation’s broadest data privacy law.[xi] In relevant part, the CCPA requires that companies notify individuals when collecting their personal information.[xii] Companies that collect personal information must also delete all collected information upon request, and allow individuals to opt-out of collection.[xiii] To satisfy its CCPA obligations, Clearview publishes a “Clearview California Privacy Notice” on its website.[xiv] While the notice does explain Clearview’s deletion and opt-out procedures, it isn’t clear whether such a statement satisfies the CCPA’s mandate that disclosure be made “at or before the point of collection.”
Putative class actions have been filed in California under the CCPA[xv] and in Illinois — under that state’s “Biometric Information Privacy Act,” a 2008 law that prohibits companies from collecting individuals’ biometric data without consent.[xvi] Vermont’s Attorney General has also sued, alleging that Clearview’s practices violate Vermont consumer protection law.[xvii] The online services from which Clearview obtained photos have also threatened litigation. Facebook, Google, Twitter, Linkedin, Venmo, and Youtube have issued cease-and-desist letters to Clearview, each alleging that Clearview has violated the services’ terms of use.[xviii] Clearview responds that it has a First Amendment right to make use of publicly available information.[xix] A recent Ninth Circuit case, HiQ Labs, Inc. v. Linkedin Corp., 938 F.3d 985 (9th. Cir. 2019), involved (but did not resolve) a similar argument.[xx] There, Linkedin argued that, by “scraping” publicly available information from Linkedin, HiQ had accessed data without authorization — thus violating the Computer Fraud and Abuse Act (CFAA).[xxi] The Ninth Circuit rejected this restrictive reading of the CFAA—but did not address HiQ’s First Amendment argument.[xxii]
Despite these legal challenges and mounting pressure from groups like the ACLU, Clearview’s founder has vowed that his company will continue to operate.[xxiii] It remains to be seen whether the growth of Clearview and other companies like it will spur Congress to act on a federal privacy bill.
[i] “Scraping” refers to automated downloading of publically-available web content, typically images. Louise Matsakis, Scraping the Web Is a Powerful Tool. Clearview AI Abused It, Wired, (Jan 25, 2020), https://www.wired.com/story/clearview-ai-scraping-web/.
[ii] Kashmir Hill, The Secretive Company That Might End Privacy as We Know It, N.Y. Times, (Jan. 18, 2020), https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html.
[iii] Kaixin Fan, Clearview AI Responds to Cease-and-Desist Letters by Claiming First Amendment Right to Publicly Available Data, JOLT Digest, Harv. J. L. & Tech. (Feb. 25, 2020), http://jolt.law.harvard.edu/digest/clearview-ai-responds-to-cease-and-desist-letters-by-claiming-first-amendment-right-to-publicly-available-data.
[iv] Ryan Mac et. al., Clearview’s Facial Recognition App Has Been Used By The Justice Department, ICE, Macy’s, Walmart, And The NBA, Buzzfeed News (Feb. 27, 2020), https://www.buzzfeednews.com/article/ryanmac/clearview-ai-fbi-ice-global-law-enforcement.
[v] David Saunders & Allison Glover, INSIGHT: A Federal Privacy Bill May Be Closer Than Once Thought, Bloomberg Law, (Feb. 14, 2020), https://news.bloomberglaw.com/privacy-and-data-security/insight-a-federal-privacy-bill-may-be-closer-than-once-thought.
[vi] Anjali C. Das & Stefanie L. Ferrari, California Consumer Privacy Act Effective January 1, Nat’l L. Rev., (Dec. 3, 2019), https://www.natlawreview.com/article/california-consumer-privacy-act-effective-january-1-update.
[vii] Rachel Marmor et. al., “Copycat CCPA” Bills Introduced in States Across Country, DWT Privacy & Security Law Blog, (Feb. 8, 2020), https://www.dwt.com/blogs/privacy–security-law-blog/2019/02/copycat-ccpa-bills-introduced-in-states-across-cou/.
[viii] David Saunders & Allison Glover, INSIGHT: A Federal Privacy Bill May Be Closer Than Once Thought, Bloomberg Law, (Feb. 14, 2020), https://news.bloomberglaw.com/privacy-and-data-security/insight-a-federal-privacy-bill-may-be-closer-than-once-thought.
[ix] Id.
Wendy Zhang, Comprehensive Federal Privacy Law Still Pending, Nat’l. Law Review, (Jan. 22, 2020), https://www.natlawreview.com/article/comprehensive-federal-privacy-law-still-pending.
[x] Ryan Mac et. Al., Senators Are Probing Clearview AI On The Use Of Facial Recognition By Gulf States And International Markets, Buzzfeed News, (Mar. 4, 2020), https://www.buzzfeednews.com/article/ryanmac/senators-markey-wyden-clearview-ai-facial-recognition.
[xi] Anjali C. Das & Stefanie L. Ferrari, California Consumer Privacy Act Effective January 1, Nat’l L. Rev., (Dec. 3, 2019), https://www.natlawreview.com/article/california-consumer-privacy-act-effective-january-1-update.
[xii] Id.
[xiii] Id.
[xiv] California Privacy Notice, Clearview AI, (Last visited Mar. 31, 2020), https://staticfiles.clearview.ai/clearview_california_notice.html.
[xv] The CCPA provides no private right of action, except for claims arising out of data breaches or hacks. The Burke complaint frames the alleged CCPA violations as also violating the California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, which prohibits businesses from engaging in practices that violate other California laws—such as the CCPA. Complaint, Burke v. Clearview AI, Inc., No. 3:20-cv-00370, 4 (S.D. Cal. Feb. 27, 2020). However, the CCPA appears to explicitly disclaim this kind of bootstrapping. Cal. Civ. Code § 1798.150(c) (“Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”).
[xvi] Daniel R. Stoller, Sarah Merken, Clearview AI Faces California, Illinois Lawsuit After Breach, Bloomberg Law, (Feb 28, 2020), https://news.bloomberglaw.com/privacy-and-data-security/clearview-ai-faces-california-illinois-lawsuit-after-breach.
[xvii] Complaint, State of Vermont v. Clearview AI, Inc., Vt, Super. Ct. (Filed Mar. 10, 2020);
Press Release, Office of the Vermont Attorney General, Attorney General Donovan Sues Clearview AI for Violations of Consumer Protection Act and Data Broker Law (Mar. 10, 2020), https://ago.vermont.gov/blog/2020/03/10/attorney-general-donovan-sues-clearview-ai-for-violations-of-consumer-protection-act-and-data-broker-law/.
[xviii] Kashmir Hill, Twitter Tells Facial Recognition Trailblazer to Stop Using Site’s Photos, N.Y. Times, (Jan 22, 2020) https://www.nytimes.com/2020/01/22/technology/clearview-ai-twitter-letter.html.
[xix] Kaixin Fan, Clearview AI Responds to Cease-and-Desist Letters by Claiming First Amendment Right to Publicly Available Data, JOLT Digest, Harv. J. L. & Tech. (Feb. 25, 2020), http://jolt.law.harvard.edu/digest/clearview-ai-responds-to-cease-and-desist-letters-by-claiming-first-amendment-right-to-publicly-available-data.
[xx] HiQ Labs, Inc. v. Linkedin Corp., 938 F.3d 985 (9th. Cir. 2019).
[xxi] Kaixin Fan, Clearview AI Responds to Cease-and-Desist Letters by Claiming First Amendment Right to Publicly Available Data, JOLT Digest, Harv. J. L. & Tech. (Feb. 25, 2020), http://jolt.law.harvard.edu/digest/clearview-ai-responds-to-cease-and-desist-letters-by-claiming-first-amendment-right-to-publicly-available-data.
[xxii] Id.
[xxiii] Caroline Haskins et. al., The ACLU Slammed A Facial Recognition Company That Scrapes Photos From Instagram And Facebook, Buzzfeed News, (Feb. 10, 2020) https://www.buzzfeednews.com/article/carolinehaskins1/clearview-ai-facial-recognition-accurate-aclu-absurd.
