On March 10, 2020, Vermont Attorney General T.J. Donovan initiated an enforcement action based on Vermont’s new data broker law against Clearview AI, Inc.

Vermont’s data broker law, which became effective January 1, 2019, governs data brokers, which it defines as companies that collect and sell or license to third parties the personal information of a consumer with whom the business does not have a direct relationship. The law requires that data brokers (a) annually register with the Vermont Secretary of State, including completing certain necessary disclosures, and (b) maintain minimum data security standards. The law also prohibits any businesses or individuals – not just data brokers – from acquiring brokered personal information through fraudulent means or for the purpose of stalking, harassment, discrimination, or fraud.

According to the complaint, Clearview, which only registered as a Vermont data broker in January 2020 shortly before the publication of a New York Times article discussing many of the issues outlined in the complaint, uses “screen scraping” to amass a database of three billion photographs. Clearview then combines those photographs with facial recognition technology to create a commercial service that allows a customer to upload a photograph and “instantly identify the individual through facial recognition matching.” While Clearview claims the technology exists to help law enforcement, the complaint alleges that Clearview has also provided its app to for-profit entities, investors, and foreign governments.

The complaint alleges that Clearview violated the data broker law by fraudulently acquiring brokered personal information through the use of its screen scraping technology.

In addition to the data broker law violations, the complaint alleges violations of Vermont’s Unfair Acts and Practices (UDAP) law. Clearview’s alleged unfair acts include, inter alia:

  • Screen scraping photographs without consent and in violation of website terms of use;
  • Collecting, storing and distributing the photographs of minors without parental consent;
  • Exposing consumers’ sensitive personal data to theft by foreign actors and criminals; and
  • Exposing citizens to the threat of surveillance, stalking, harassing and fraud.

Clearview’s alleged deceptive acts include making materially false and misleading statements regarding:

  • The ways Vermont consumers can assert their privacy rights, including the right to opt-out of the sale of their personal information;
  • The strength of its data security;
  • That the product was only used by law enforcement and was not publicly available; and
  • The accuracy of its facial recognition matching product.

The state requests injunctive relief, restitution, disgorgement of Clearview’s profits, and civil penalties of $10,000 for each violation of the UDAP and data broker laws.

Comment

By filing the complaint, AG Donovan has confirmed that he is serious about investigating and enforcing the data broker law as well as other privacy violations. This aligns with statements the Attorney General made in a recent interview with Reed Smith for The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), where he described the importance of the data broker law in “shedding sunlight and transparency” – with the goal of “changing troubling behaviors.”

While many stakeholders are still hoping for a federal privacy law, businesses should be aware that state attorneys general already have a number of tools in their arsenal to enforce privacy violations – and other “troubling behaviors.” Maintaining an understanding of the evolving legislative and regulatory landscape and understanding the policy and enforcement priorities of state attorneys general offices should be fundamental pieces of any privacy program.