Last year, CPW covered a litigation win by Clarifai, Inc., a technology company specializing in artificial intelligence, when a federal court granted its motion to dismiss claims brought under Illinois’ Biometric Information Privacy Act (“BIPA”) in Stein v. Clarifai, Inc., No. 20 C 1937, 2021 U.S. Dist. LEXIS 49516 (N.D. Ill. Mar. 16, 2021). While the court’s findings dismissed a putative class action, the Federal Trade Commission (“the Commission”) had already opened an investigation into a data-sharing incident in 2014 that gave way to the litigation. Last month, the FTC took a big step to further that investigation regarding Match Group (“Match”), the parent company of the entity from whom Clarifai pulled facial data.

As a brief reminder, last year the Northern District of Illinois found that it lacked personal jurisdiction over Clarifai, which Plaintiff claimed had violated BIPA by harvesting facial data from dating site OkCupid without obtaining consent from the website’s users or making the necessary disclosures. The court found that Clarifai had only sold data to two customers in Illinois, which had resulted in only seven cents of revenue; these de minimis sales did not suffice to establish personal jurisdiction over Clarifai.

Although the civil litigation was dismissed last year, in 2020, the Commission issued a civil investigative demand (“CID”) to Match, the parent company of OkCupid, as part of its investigation into the 2014 data-sharing incident between OkCupid and Clarifai that gave rise to the litigation. The investigation, which remains ongoing, is aimed at determining whether “unnamed persons, partnerships, corporations, or others are engaged in, or may have engaged in, deceptive or unfair acts or practices related to consumer privacy and/or data security,” based on information indicating that Clarifai had obtained photos and user data from OkCupid and used the data in a face database Clarifai had built to train its facial recognition technology.

Last month, the Commission filed a petition in the U.S. District Court for the District of Columbia requesting compliance with the CID. While the petition acknowledges that Match has produced some responsive documents, the Commission claims that numerous other documents and communications related to the data-sharing incident were being withheld since 2020 based on “improper and overbroad assertions of attorney-client privilege and the work product doctrine.” The petition requests that Match produce the documents it has withheld, or, alternatively, that the Court conduct an in-camera review of the documents.

CPW will continue to keep an eye on this investigation, and how its resolution might impact similar inquiries into data privacy incidents, for you.