Image and video hosting service Photobucket is facing a class action lawsuit for allegedly selling user data – photos and biometric information included – without consent.
The legal action comes in the wake of the company, founded in 2003, changing its privacy policy in order to allow for the user’s personal data to be sold to third parties that train generative AI models.
We obtained a copy of the lawsuit for you here.
Photobucket, whose heyday coincided with that of MySpace, appears to have come up with the scheme as a way to monetize the data it has at its disposal, particularly from inactive users.
Photobucket’s database contains over 13 billion images, and reports in October cited the company as announcing half of that number are public, and therefore “eligible for AI licensing.”
But the affected users taking action – and their number could be as high as 100 million – say they were not asked, or have been misled to agree to this, and now the lawsuit claims that Photobucket failed to comply with privacy laws in California, Illinois, and New York.
Moreover, the lawsuit claims that a majority of those who could join the class action weren’t aware of Photobucket’s move, even as the company had already started selling and licensing their biometric data.
The Pierce v. Photobucket complaint, filed with the US District Court of Colorado, seeks to prohibit the company from continuing to sell user data without first obtaining written consent and pay compensation to those whose data is believed to have already been sold.
And given the massive number of users potentially harmed in this way, and the size of the dataset in question – the sale of a portion of which could be found to have violated privacy laws in the three states – Photobucket might end up having to pay astronomical damages.
Users who are suing are worried that, as a result of their biometric data being available for AI training, they are more likely to become the victim of deepfakes, but also an easier target of surveillance in public places.
On top of that, Photobucket is accused of misleading users to accept the new privacy policy via emails luring them to the site to “reactivate,” “unlock,” or “delete” accounts.
But, stated the plaintiffs’ legal representatives, “Instead, no matter which link the user clicked on, they were taken to a page where the user was forced to accept Photobucket’s updated Terms of Use to agree to Photobucket’s brand-new Biometric Information Privacy Policy.”
