The Vermont Attorney General (Vermont AG) filed suit against Clearview AI, Inc. (Clearview) in Vermont state court on March 10, 2020, alleging that the organization engaged in unfair acts and practices in violation of the Vermont Consumer Protection Act when it leveraged “screen scraping” technology across a number of internet sites in order to amass a database of photographs to power its facial recognition tool, and then sold access to the tool to U.S. law enforcement, private individuals and organizations, and foreign governments. Clearview’s service allowed its customers to “upload a photograph in order to instantly identify the individual through facial recognition matching.”

The Vermont AG alleges that Clearview collected over 3 billion photographs from across the internet, including photographs displayed on social media sites, often acting in violation of the terms of service of the relevant websites. This collection, according to the Vermont AG, invaded consumer privacy, exposed “citizens to the threat of surveillance, stalking, harassing, and fraud,” and resulted in the collection, storage, and distribution of photographs of minors without their consent. The Vermont AG also seeks a preliminary injunction to enjoin Clearview from collecting, storing, and making available images of Vermonters.

The complaint further alleges that Clearview made materially false or misleading public statements in its privacy policy and elsewhere on its website, including statements regarding Vermont consumers’ ability to opt out of Clearview’s tool, representations about the strength of Clearview’s data security, and that the product is “only used by law enforcement agencies and is not publicly available.”

The complaint references news reports that Clearview has provided access to its application to “numerous” for-profit corporations, universities, and investors, as well as foreign governments, in addition to law enforcement agencies. Finally, the complaint alleges violation of Vermont’s Fraudulent Acquisition of Data Law, which prohibits acquiring “brokered personal information” (which includes biometric data used to identify a consumer) through fraudulent means such as screen scraping.

The complaint was preceded by a March 5, 2020 warning letter instructing Clearview AI to cease collecting Vermont residents’ photographs and to “delete or destroy all photographs and facial recognition identifiers of Vermont residents.” The letter warned of civil penalties of up to $10,000 for each violation of the Vermont Consumer Protection Act.

The complaint also notes that Clearview had not registered with Vermont’s Data Broker Registry and only did so four days before the publication of a New York Times report on its privacy practices in January 2020. Even then, Clearview’s registry information for Vermont stated that it “work[s] to remove images of California-resident minors from all datasets,” but the Vermont AG’s investigation “has revealed that Clearview does not yet have the capability” to carry this out and cannot identify and remove individuals “by geographic region or age.” The complaint explained that there is no Vermont statute that would specifically require Clearview to honor opt-out requests made on behalf of Vermont minors.

Vermont has acted first, but other states may well follow suit. In addition to the FTC Act’s prohibition on unfair or deceptive acts and practices, every state and the District of Columbia has a consumer protection law prohibiting unfair or deceptive practices. Causes of action related to data breach notification and to reasonable data security are similarly widespread. Meanwhile, Clearview faces a class action based on the Illinois Biometric Privacy Act (BIPA) filed in federal district court in New York, as well as a joint investigation by the privacy protection authorities of Canada, Quebec, British Columbia, and Alberta.