
Newport Thomson

November 22, 2025 | facial recognition

Lessons Learned from the Clearview AI Investigation: What Surveillance Platforms Got Wrong

Introduction: The $3 Billion Mistake

Imagine building a massive machine that collects 3 billion photos of people’s faces from the internet, without asking permission, then selling access to it. That’s exactly what Clearview AI did. In 2021, four Canadian privacy watchdogs investigated them and found they broke the law in multiple ways.

This isn’t just a legal story. It’s a master class in what NOT to do when building technology that uses people’s information.

THE SIMPLE VERSION: What Happened?

What Clearview Did:

  1. They scraped (copied) billions of photos from Facebook, Instagram, Twitter, and other websites
  2. They turned these photos into “face prints” (biometric data – unique numbers that identify your face)
  3. They let police and companies upload a photo and search their database to find matches
  4. They never asked anyone’s permission

What the Investigators Said: “You can’t do that. That’s illegal. Stop it.”

What Clearview Said: “These photos are public, so we can use them. Also, we’re helping catch criminals, so it’s fine.”

Why Clearview Was Wrong: Just because you post a photo on Instagram doesn’t mean a company can use it to build a surveillance tool. That’s like saying: “You left your curtains open, so I can take photos of you through your window and sell them.”

 

THE BUSINESS VERSION: Critical Lessons for Platform Operators

LESSON 1: “Public” Doesn’t Mean “Publicly Available” Under the Law

What Clearview Got Wrong: Clearview claimed that because people posted photos publicly on social media, they could scrape them and use them for facial recognition without consent. This was fundamentally wrong.

The Legal Reality: Canadian privacy law has a very specific definition of “publicly available information.” It includes things like:

  • Phone directories
  • Professional registries
  • Published books and magazines
  • Information made public BY LAW

It does NOT include:

  • Social media posts
  • Photos on public websites
  • Search engine results

Why This Matters: Information posted on social media was shared for a specific purpose (connecting with friends, professional networking, etc.). Using it for an entirely different purpose, mass surveillance, requires express consent.

The Lesson: If your business model depends on collecting data from online sources, don’t assume “publicly accessible” equals “publicly available” under privacy law. This fundamental misunderstanding can invalidate your entire business model from the start.

Action Item: Get a legal opinion on whether your data sources qualify as “publicly available” under applicable privacy laws BEFORE you build your product. Don’t let your engineers make legal determinations.

 

LESSON 2: You Can’t Fix Bad Consent with “Good Purposes”

What Clearview Got Wrong: Clearview argued that even though they didn’t get consent, their PURPOSE was good (helping police catch criminals), so that should override consent requirements.

The Legal Reality: Privacy law doesn’t work that way. You need:

  1. LAWFUL COLLECTION (with proper consent)
  2. APPROPRIATE PURPOSE

You can’t have #2 without #1. The investigators found Clearview violated BOTH requirements.

Why This Matters: Even if your purpose seems noble, you can’t skip the fundamental step of getting proper consent. The ends don’t justify the means.

The Lesson: Even noble purposes don’t excuse fundamentally flawed data collection processes. If your collection method is illegal, your entire business model collapses – regardless of how beneficial your service might be. You need both lawful collection AND appropriate purposes.

Action Item: Map out your data collection, use, and disclosure practices. For each step, ask: “Do we have proper consent for THIS specific use?” Not “Is this generally helpful?” but “Did we get permission for THIS?”

 

LESSON 3: “It’s Already Out There” Is Not a Legal Defence

What Clearview Got Wrong: When privacy commissioners said “This could cause harm,” Clearview responded: “What harm? These photos are already online anyway!”

The Legal Reality: The fact that information exists somewhere online doesn’t give you the right to:

  • Aggregate it at massive scale
  • Create permanent records of it
  • Use it for purposes unrelated to why it was shared
  • Keep it even after the original is deleted

Why This Matters: There’s a difference between:

  • A photo on your Instagram that you can delete
  • That same photo permanently stored in a facial recognition database

Context matters. Control matters. The ability to change your mind matters.

The Lesson: Aggregation creates new privacy risks. Mass collection is qualitatively different from scattered individual posts. Scale changes everything.

Action Item: Conduct a “scale test” on your data practices. Ask: “If we collected this information about ONE person, would it be okay? What about 1,000? 1,000,000? 3,000,000,000?” If the answer changes, you have a scale problem.

 

LESSON 4: Biometric Data Is Different (And You Better Treat It That Way)

What Clearview Got Wrong: They treated facial recognition data like any other information. No big deal, just some numbers in a database.

The Legal Reality: Biometric information is considered SENSITIVE in almost all circumstances because:

  • It’s permanently linked to you
  • It’s distinctive and unique
  • It’s difficult to change (you can’t get a new face like you can get a new password)
  • It enables identification and surveillance

In Quebec specifically, using biometric data requires EXPRESS CONSENT. Not implied. Not assumed. Express.

Why This Matters: The law recognizes that some types of information deserve extra protection. Biometric data is at the top of that list.

The Lesson: If you’re collecting biometric data (faces, fingerprints, voice prints, DNA), you’re playing in the major leagues of privacy regulation. The rules are stricter, the scrutiny is higher, and the penalties for getting it wrong are more severe.

Action Item: Create a “sensitivity matrix” for your data. Categorize everything you collect:

  • Low sensitivity (publicly available business addresses)
  • Medium sensitivity (email addresses, names)
  • High sensitivity (financial information, health data)
  • EXTRA HIGH sensitivity (biometric data, children’s information)

Apply progressively stricter consent and security measures as you move up the scale.

 

LESSON 5: “We’ll Stop Serving Your Market” Is Not Compliance

What Clearview Got Wrong: When investigators found violations, Clearview’s response was essentially: “Fine, we’ll stop selling to Canadian customers for two years. But we’re not admitting we did anything wrong, and we’re keeping all the data we already collected from Canadians.”

The Legal Reality: The investigators ordered Clearview to:

  1. Stop offering services in Canada
  2. Stop collecting Canadian data
  3. DELETE all Canadian data already collected

Clearview refused to commit to these orders.

Why This Matters: You can’t just “take your ball and go home” while keeping all the data you illegally collected.

The Lesson: Withdrawing from a market doesn’t erase past violations or ongoing obligations. When regulators order you to stop, delete data, and remediate harm, simply leaving the market while keeping the illegally collected data is not compliance. Geographic avoidance doesn’t equal legal compliance.

Action Item: If you face regulatory action, understand that true compliance means:

  • Ceasing the violating activity
  • Remedying past harms (including data deletion)
  • Committing to not repeat the behavior

Anything less is just buying time.

 

LESSON 6: Cross-Border Business Means Multiple Jurisdictions Will Have Jurisdiction

What Clearview Got Wrong: Late in the investigation, Clearview suddenly claimed Canadian authorities had no jurisdiction because Clearview is a U.S. company and its servers are in the U.S.

The Legal Reality: Privacy commissioners found they DID have jurisdiction because:

  1. Clearview actively marketed to Canadian customers
  2. Clearview collected data from Canadian residents
  3. Clearview had Canadian customers (including the RCMP)
  4. Clearview’s activities created a “real and substantial connection” to Canada

Why This Matters: In the digital age, “We’re not physically in your country” is not a shield against privacy laws. If you:

  • Target residents of a jurisdiction
  • Collect their data
  • Provide services to them

then you’re subject to their privacy laws.

The Lesson: Think GDPR. Think CCPA. Think Canadian privacy law. If you operate online and have users in multiple places, you’re subject to multiple legal regimes. “But we’re in Silicon Valley!” doesn’t help you.

Action Item: Map out ALL jurisdictions where you:

  • Have users/customers
  • Collect data from residents
  • Market your services

Then get legal advice on compliance requirements for EACH jurisdiction. Don’t wait until you’re under investigation to make jurisdictional arguments.

 

LESSON 7: “Helping Law Enforcement” Doesn’t Give You Law Enforcement Powers

What Clearview Got Wrong: Clearview positioned itself as a tool for law enforcement and assumed this gave them a license to collect data the way government agencies might.

The Legal Reality: Law enforcement agencies have specific statutory authorities to collect information. Private companies do NOT inherit these authorities just because they sell services to police.

You’re a COMMERCIAL entity operating FOR PROFIT. You’re not the government.

Why This Matters: The privacy rules that apply to private companies are different from (and often stricter than) those for government agencies. You can’t borrow government authority by association.

The Lesson: Selling to law enforcement doesn’t make you law enforcement. You’re still bound by private-sector privacy rules.

Action Item: If your customers are government agencies, make sure YOU are still complying with private-sector privacy laws in YOUR data collection. Don’t confuse what your customers can legally do with what you can legally do.

 

LESSON 8: Technical “Safeguards” Don’t Fix Fundamentally Inappropriate Purposes

What Clearview Got Wrong: Clearview argued that risks were minimal because:

  • Users couldn’t browse the full database (only search it)
  • The mathematical representations (vectors) were “hashed” and useless outside their system
  • They only shared data with legitimate law enforcement

The Legal Reality: These technical measures don’t address the fundamental issue: collecting 3 billion faces for mass surveillance is an INAPPROPRIATE PURPOSE for a private company, regardless of safeguards.

Why This Matters: You can’t encrypt your way out of a purpose problem. Security measures address data protection; they don’t legitimize fundamentally inappropriate collection.

The Lesson: Before you build elaborate security systems, ask: “Should we be collecting this data in the first place?” If the answer is no, all the encryption in the world won’t help you.

Action Item: Run a “purpose test” before you design security measures:

  1. What exactly are we collecting?
  2. Why are we collecting it?
  3. Would a reasonable person think this collection is appropriate given our purpose?
  4. Are we a private company trying to do something that should only be done by government (if at all)?

Only after passing this test should you move to “How do we secure it?”

 

LESSON 9: Free Trials Count as “Doing Business”

What Clearview Got Wrong: When investigators noted that dozens of Canadian agencies used Clearview through trial accounts, Clearview downplayed this: “Only one entity became a paying customer.”

The Legal Reality: Trial accounts are still:

  • Marketing to customers in that jurisdiction
  • Collecting and processing data from those jurisdictions
  • Providing commercial services

The fact that someone hasn’t paid yet doesn’t mean you’re not “doing business.”

Why This Matters: You can’t beta-test your way around privacy laws. If you offer trials in a jurisdiction, you’re subject to that jurisdiction’s laws.

The Lesson: Free trials, beta programs, and pilot projects all count as commercial activity. Don’t think you can test in a market and decide whether to comply with local laws based on how successful the test is.

Action Item: Before launching ANY presence in a new market (including trials), ensure you’re compliant with local privacy laws. “We’re just testing” is not a defense.

 

LESSON 10: Violations of Terms of Service Are Red Flags for Inappropriate Purposes

What Clearview Got Wrong: Major platforms (Google, Facebook, Twitter, YouTube, LinkedIn) sent cease-and-desist letters saying Clearview violated their terms of service. Clearview’s response: “Terms of service don’t apply to us. First Amendment!”

The Legal Reality: While investigators didn’t make a final ruling on the contract violations, they noted this was “relevant as a further factor in considering the inappropriateness of Clearview’s purposes.”

Why This Matters: If the platforms that host the data explicitly prohibit what you’re doing, that’s a strong signal that your collection method is inappropriate.

The Lesson: When the people who created and manage the platforms tell you “You’re not allowed to do that,” listen. They understand their users’ expectations and the purposes for which data was shared.

Action Item: Review the terms of service for every platform you scrape or collect data from. If you’re violating them, that’s a red flag that you may also be violating privacy laws. Don’t rely on constitutional arguments to override contractual restrictions – it suggests you know you’re on shaky ground.

THE PATTERN: Clearview’s Seven Deadly Mistakes

Looking at all these lessons, we can see a clear pattern in Clearview’s approach:

  1. Assumption over verification – They assumed “public = legally usable” without checking
  2. Ends-justify-means thinking – They believed their good purpose excused their bad methods
  3. Minimizing harms – They dismissed privacy concerns as “hypothetical”
  4. Legal dodge-ball – They tried to avoid jurisdiction rather than achieve compliance
  5. Late-stage defenses – They only raised jurisdictional challenges after being caught
  6. Selective interpretation – They wanted broad interpretations of exceptions and narrow interpretations of obligations
  7. Refusal to remedy – They wouldn’t commit to deleting illegally collected data

THE REAL COST: Why This Matters Beyond Clearview

This investigation matters because Clearview’s mistakes are surprisingly common in the tech industry:

The “Move Fast and Break Things” Problem: Too many companies build first and think about privacy later. Building at speed on the wrong legal foundation is a recipe for disaster.

The “Data Is Oil” Problem: Companies see massive data collection as inherently valuable. But unlike oil, you can’t just drill for data wherever you find it. There are rules.

The “Ask Forgiveness Not Permission” Problem: The strategy of launching first and dealing with regulators later doesn’t work when the remedy is “delete everything and stop operating.”

The “We’re Special” Problem: Every company thinks their use case is unique and important enough to justify exceptions to privacy rules. It almost never is.

 

WHAT TO DO INSTEAD: A Compliance Framework for Data-Driven Platforms

BEFORE You Build (The Design Phase):

1. Map Your Data Flows

  • What data will you collect?
  • Where will it come from?
  • How will you use it?
  • Who will you share it with?
  • How long will you keep it?

2. Identify Your “Sensitive Data”

  • Biometric information
  • Children’s information
  • Health data
  • Financial information
  • Location data
  • Any data that could enable surveillance

3. Determine Required Consent Level

  • Is this sensitive data? → Express opt-in consent required
  • Is the use unexpected? → Express opt-in consent required
  • Is there risk of significant harm? → Express opt-in consent required
  • Everything else → Clear, conspicuous consent still required

4. Check for Legal Exceptions

  • Don’t assume exceptions apply
  • Get legal advice on whether your data sources qualify as “publicly available”
  • Remember: the exceptions are NARROW, not broad

5. Test Your Purposes

  • Would a reasonable person think this collection is appropriate?
  • Are you a private company trying to do something that should only be done by government?
  • Does the benefit to you outweigh the privacy cost to users?
  • Could this enable discrimination or surveillance?
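
Steps 1 to 5 above, together with the sensitivity matrix from Lesson 4, can be run as an automated check over a data-flow inventory. The following is an added example, not code from the investigation or from any real product: the `DataFlow` record, the category names, and the treatment of the "high" tier and above as sensitive are assumptions made for illustration. It never decides whether a source is "publicly available"; it only flags a claimed exception that has no legal opinion behind it.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    EXTRA_HIGH = 4


# Constructed category names, tiered as in the article's sensitivity matrix.
CATEGORY_TIER = {
    "business_address": Tier.LOW,
    "email": Tier.MEDIUM, "name": Tier.MEDIUM,
    "financial": Tier.HIGH, "health": Tier.HIGH,
    "biometric": Tier.EXTRA_HIGH, "children": Tier.EXTRA_HIGH,
}
CONSENT_RANK = {"none": 0, "clear": 1, "express": 2}


@dataclass
class DataFlow:  # hypothetical inventory record, one per collected data type
    name: str
    category: str
    shared_for: str   # purpose the individual shared the data for
    used_for: str     # purpose the platform actually uses it for
    consent: str      # "none", "clear" or "express"
    retention_days: Optional[int]
    significant_harm_risk: bool = False
    claims_public_exception: bool = False  # relies on "publicly available"
    legal_opinion_on_file: bool = False    # counsel confirmed the exception


def required_consent(flow: DataFlow) -> str:
    # Unknown categories get the strictest tier instead of slipping through.
    tier = CATEGORY_TIER.get(flow.category, Tier.EXTRA_HIGH)
    unexpected_use = flow.used_for != flow.shared_for
    if tier >= Tier.HIGH or unexpected_use or flow.significant_harm_risk:
        return "express"
    return "clear"


def review(flow: DataFlow) -> List[str]:
    findings = []
    exception_ok = flow.claims_public_exception and flow.legal_opinion_on_file
    if flow.claims_public_exception and not flow.legal_opinion_on_file:
        findings.append("exception claimed without a legal opinion")
    need = required_consent(flow)
    have = CONSENT_RANK.get(flow.consent, 0)  # unrecognised value counts as none
    if not exception_ok and have < CONSENT_RANK[need]:
        findings.append(f"consent is {flow.consent}, needs {need}")
    if flow.retention_days is None:
        findings.append("no retention period defined")
    return findings


# Constructed sample inventory.
INVENTORY = [
    DataFlow("face_embeddings", "biometric", "social networking",
             "identification search", "none", None,
             significant_harm_risk=True, claims_public_exception=True),
    DataFlow("newsletter_email", "email", "newsletter delivery",
             "newsletter delivery", "clear", 365),
    DataFlow("email_for_ads", "email", "newsletter delivery",
             "ad targeting", "clear", 365),
]


def review_inventory(flows: List[DataFlow]) -> Dict[str, List[str]]:
    return {f.name: review(f) for f in flows}
```

Run as a gate in CI against the real inventory file, a non-empty findings list blocks the release until the consent, exception, or retention gap is resolved.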

 

WHILE You Build (The Development Phase):

6. Build Privacy In (Not On)

  • Data minimization: collect only what you actually need
  • Purpose limitation: don’t collect data “just in case” for future uses
  • Storage limitation: set retention periods and stick to them
  • Security by design: protect the data you do collect

7. Create Clear Consent Mechanisms

  • Make consent requests clear and specific
  • Don’t bury consent in lengthy terms of service
  • Allow people to say no (and respect that no)
  • Make it as easy to withdraw consent as to give it

8. Document Everything

  • Why you believe consent isn’t required (if you don’t seek it)
  • Why you believe your purposes are appropriate
  • What security measures you’ve implemented
  • Which jurisdictions’ laws apply to you

 

AFTER You Launch (The Operation Phase):

9. Monitor for Compliance

  • Regular privacy audits
  • Tracking consent rates and withdrawal requests
  • Checking for security incidents
  • Reviewing whether actual use matches stated purposes

10. Have a Remediation Plan

  • What will you do if you discover unauthorized collection?
  • How quickly can you delete data if required?
  • Who’s responsible for privacy compliance?
  • What’s your process for responding to regulatory inquiries?

 

SPECIAL ADVICE FOR SURVEILLANCE TECHNOLOGIES

If your product enables surveillance, identification, or tracking of individuals, you face extra scrutiny:

1. Acknowledge What You’re Building: Don’t call it a “search tool” if it’s a surveillance system. Be honest about what your technology does.

2. Question Whether It Should Exist: Just because you CAN build it doesn’t mean you SHOULD. Some technologies may be technically feasible but socially unacceptable.

3. Engage With Critics: When civil liberties organizations raise concerns, don’t dismiss them. They often identify risks you’ve overlooked.

4. Expect Stricter Rules: Surveillance technology faces (and should face) higher bars for consent, purpose legitimacy, and oversight.

5. Accept That Some Markets May Be Closed: Some jurisdictions are banning or severely restricting facial recognition and other surveillance tech. Accept this rather than fight it.

 

What Clearview Should Have Done

Looking back, here’s what a compliant version of Clearview might have looked like:

Option 1: Partnered with Platforms – Work WITH Facebook, Google, etc. to create an authorized law enforcement search tool with proper consent and oversight.

Option 2: Worked with Government – Contract directly with government to build a law enforcement-specific database with proper legal authorities and oversight.

Option 3: Used Only Opted-In Data – Build a database ONLY from sources where individuals explicitly consented to identification use (which would make it much smaller and less useful, revealing why consent matters).

Option 4: Focused on Authentication, Not Surveillance – Build a facial recognition tool for identity verification where people actively participate, not passive surveillance.

The fact that all of these options are less profitable or less technically impressive than what Clearview built doesn’t mean the company should have gone the route it did.

 

The Lesson for the AI Age

The Clearview case isn’t really about facial recognition. It’s about a mindset:

The Wrong Mindset: “This technology is powerful and useful. Data is publicly accessible. We’re helping solve crimes. Therefore, we should be allowed to do this.”

The Right Mindset: “This technology is powerful and involves sensitive personal information. Before we build it, we need to ask: Do we have legal authority to collect this data? Would reasonable people expect their information to be used this way? Are we creating risks that outweigh benefits? How can we achieve legitimate goals while respecting privacy?”

As we move deeper into the age of AI, the Clearview case is a warning. The privacy violations of the past came from companies not thinking enough about privacy. The violations of the future will come from companies that thought about it, saw the problems, and decided to proceed anyway.

Don’t be Clearview.

If you’re building AI systems that use personal data:

  • Get consent properly
  • Define appropriate purposes
  • Respect data you didn’t collect for surveillance
  • Accept jurisdictional reality
  • Prioritize compliance over growth
  • Have the courage to not build something, even if you could

Remember these core principles:

  • Build on the right legal foundation before you scale
  • Good outcomes require good processes from the start
  • Geographic withdrawal isn’t a substitute for true remediation

The technology we build today will shape the society we live in tomorrow. Clearview chose surveillance. We can choose better.

 

APPENDIX: Quick Reference Checklist

Before Collecting Any Data, Ask:

  • Do I have legal authority to collect this?
  • Is consent required? What type?
  • Does the data source qualify as “publicly available” under law?
  • Am I violating any terms of service?
  • Would a reasonable person expect this use?

For Sensitive/Biometric Data, Confirm:

  • Express opt-in consent obtained
  • Purpose clearly communicated
  • Retention period defined
  • Security measures appropriate for sensitivity level
  • Special requirements for biometric data met (e.g., Quebec’s reporting)

For Cross-Border Operations, Verify:

  • All applicable jurisdictions identified
  • Compliance plan for each jurisdiction
  • Legal advice obtained for each market
  • No assumption that “we’re not physically there” protects you

If Challenged by Regulators:

  • Don’t rely on “publicly accessible” arguments without strong legal basis
  • Don’t claim your good purposes override consent requirements
  • Don’t raise jurisdiction challenges as a delay tactic
  • DO commit to actual remediation (including data deletion)
  • DO work cooperatively toward compliance

Final Thought:

The Canadian privacy commissioners gave Clearview a roadmap to compliance. Clearview refused to follow it.

Don’t make the same mistake.

Your users and prospects deserve better. The law requires better. And ultimately, your business will be more sustainable if you build on a foundation of trust rather than surveillance.
