Hello all, and happy Thursday!
Clearview AI will be familiar to many readers of this newsletter. The facial recognition company has been notorious for non-compliantly collecting biometric data by scraping the internet for over 60 billion photos. Clients of Clearview AI can upload a photo of somebody they want to identify, and then Clearview AI matches it against their database to identify the individual. Law enforcement agencies, retailers, universities, and more have all made use of Clearview AI.
Obviously, it’s a privacy nightmare. EU data protection authorities agree. Over the years, Clearview AI has racked up over €100 million in fines for GDPR violations.
The kicker? They haven’t paid a (euro-) penny! There’s no way for EU authorities to enforce fines on US companies like Clearview AI, especially since it holds no offices, employees, or equipment in the EU.
That sets the scene for one of our stories this week: Max Schrems’ “none of your business” (noyb) has filed a criminal complaint against Clearview AI.
Article 84 of the GDPR allows EU member states to establish criminal penalties for GDPR violations. If noyb’s complaint is accepted, Clearview AI’s executives could face jail time.
Given how egregiously Clearview AI has ignored EU authorities, I’d bet noyb is successful in their petition.
Best,
Arlo
Blog: Marketing Data Privacy in 2025: Building Privacy-First Strategies for Marketers
So long as marketers use data, they’re going to bump up against data privacy regulations. Data privacy seems like it falls under the purview of lawyers and privacy pros—but marketers have just as much to do with data privacy as they do. Learn how marketers can embrace data privacy and manage this new set of responsibilities here.
Checklist: The Ultimate Marketing Compliance Checklist
Nothing's sweeter than being able to say, “It’s already done,” the next time your boss or legal department asks about compliance. But not knowing where to start is a major blocker. In our checklist, we looked at the major regulations that overlap with marketing’s role, sifted through their requirements, and identified the actions that yield the greatest degree of compliance relative to their effort.
Podcast: Where Tabletop Games Meet the Future of Privacy with Dr. Tehilla Shwartz Altschuler of the Israel Democracy Institute
Dr. Tehilla Shwartz Altshuler is at the forefront of conversations where technology, democracy, and human rights collide. With Israel recently updating its privacy law and global debates intensifying around AI, smart glasses, and workplace surveillance, Tehilla’s work highlights what’s at stake if regulation lags behind reality.
Blog: Data Privacy Management Software: Find the Best Data Privacy Solution for You
Embarked on your software evaluation journey, or know someone who is? Our comparison guide highlights the strengths and weaknesses of the top data privacy solutions.
Facial recognition company Clearview AI has repeatedly been found to have violated the GDPR. Now, “None of Your Business” (noyb) has filed a criminal complaint against Clearview AI under Article 84 of the GDPR. If successful, Clearview AI and its executives could face jail time and be held personally liable.
The California Privacy Protection Agency (CPPA) will soon release DROP (Delete Request and Opt-out Platform), a free, online tool that will help consumers control what personal information data brokers have about them. DROP lets you send a single request to 500+ registered data brokers to require them to delete their your information.
Attorneys general are tapping outside law firms to bring data protection cases against the biggest tech companies—snagging a cut of multimillion-to-billion-dollar settlements along the way—in a new approach to privacy enforcement. Just this year, Nebraska, Minnesota, Kentucky, Arkansas, and Utah used private law firms to sue tech platforms that serve US consumers.
The U.S. District Court for the Northern District of California gave website operators an expedited exit from privacy-related complaints and lawsuits under the California Invasion of Privacy Act (CIPA), a 1960s-era law designed to prevent unlawful telephone wiretapping. Plaintiffs attempt to use CIPA to attack the use of cookies, pixels, and other tracking mechanisms, a strategy that has been successful in recent years.
The European Union has claimed that Meta and TikTok had breached their transparency obligations after an investigation that could result in billions of dollars in fines. The inquiry found both companies had violated the Digital Services Act by obstructing access to data for researchers and failing to make it easy for users to flag illegal content and effectively challenge moderation decisions.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!