← All breach guides

Clearview AI facial recognition — exercise your GDPR rights

Clearview AI scraped over 10 billion facial photographs from social media platforms, news sites, and other public web sources — without consent — to build a biometric identification database sold to law enforcement and commercial clients. French, Italian, and Greek data protection authorities each fined Clearview AI €20 million. If you have ever posted a photograph of yourself online, your facial biometric data may be in their database.

Enforcement record

What happened

2020 Over 10 billion images; hundreds of millions of people affected

Clearview AI systematically scraped public photographs from social media platforms (Facebook, Instagram, LinkedIn, Twitter/X), news websites, and other public sources, extracting unique facial recognition vectors from each image. These biometric identifiers were indexed in a searchable database without the knowledge or consent of the people photographed. The database was marketed to law enforcement agencies and commercial clients in the US, UK, EU, and beyond.

Data exposed:
  • Facial biometric vectors (derived from scraped photographs)
  • Linked names and online identities
  • Social media profile URLs
  • Original photographs from public sources
  • Location and contextual metadata from images

What you can do

Under Article 17 GDPR, you have the right to demand erasure of your biometric data from Clearview AI's database. Under Article 21, you have the right to object to processing. As biometric data is Article 9 special category data — the most protected category under GDPR — Clearview AI faces a very high bar to justify retention. Multiple EU regulators have ordered Clearview AI to delete EU resident data.

You have two key rights under GDPR:

Note: Clearview AI is a US company with no EU office. EU regulators have confirmed GDPR applies extraterritorially under Article 3(2). Submit erasure and access requests via their privacy portal or email privacy@clearview.ai. Privacy portal ↗

Generate your access request

This letter is pre-addressed to Clearview AI, Inc., the official EU data controller for Clearview AI.

To: Clearview AI, Inc.
600 Fifth Avenue, New York, NY 10020, USA

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,

Text copied to clipboard

1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.

No response after one month? File a complaint with your DPA →

Select your country to find your data protection authority:

Share: