← Back to Blog

Clarifai Just Deleted 3 Million Faces. Your AI Training Data Is Next.

· Don Ho · 5 min read

Last updated: April 23, 2026

Clarifai, the New York facial recognition AI company, certified to the FTC on April 7, 2026 that it had deleted 3 million OkCupid user photos and every AI model trained on those photos. The certification became public on April 20 through a Reuters report. The deletion follows the FTC’s March 2026 settlement with OkCupid and Match Group over allegations that OkCupid handed user data to Clarifai in 2014 in violation of its own privacy policy, then concealed the practice and obstructed the FTC investigation for years.

Three million faces. Twelve years of training. All gone in a single compliance certification.

How this happened, in one email

In 2014, Clarifai CEO Matthew Zeiler wrote to OkCupid co-founder Maxwell Krohn: “We’re collecting data now and just realized that OKCupid must have a HUGE amount of awesome data for this.” OkCupid sent the photos. Clarifai used them to build a facial recognition model that could estimate age, sex, and race from a face. Executives at OkCupid had personally invested in Clarifai. Nobody told users. OkCupid’s own privacy policy prohibited this kind of third-party sharing.

That email is now Exhibit A in every privacy CLE for the next three years.

The FTC has a new playbook and it does not include fines

The FTC could not fine OkCupid or Match for this. First-time data privacy violations of this kind do not carry monetary penalties under the FTC Act. So the agency did the next best thing. It got a consent order that permanently prohibits Match Group from misrepresenting its data practices, and it pressured the downstream recipient (Clarifai) into deleting the data and the models.

The model deletion is the new punishment. You cannot un-train an AI on data you should not have used. The only remedy is to nuke the model. For Clarifai, that means destroying twelve years of computational work and any commercial product derived from it. The market value of a facial recognition model trained on three million labeled human faces is nontrivial. Now it is zero.

This is the enforcement template. Expect it to spread.

Every company sitting on training data should run the audit this quarter

If your company has any AI model trained on user data, customer photos, scraped web content, third-party datasets, or licensed media, you have a Clarifai problem in your future. The questions the FTC will ask, and that plaintiffs’ lawyers are already asking in discovery, are:

  1. Where did the training data come from?
  2. What did the source’s privacy policy say at the time you got it?
  3. Did the user consent specifically to AI model training, or did they consent to “service improvement”?
  4. Can you produce the contracts, terms of service, and consent flows in effect on the date of acquisition?
  5. If a regulator orders you to delete the data, can you also delete every downstream model and derivative?

Most companies cannot answer question five honestly. The training pipeline is not designed to be reversible. Models get fine-tuned, distilled, and deployed in customer-facing products. Telling a court you have deleted the data is easy. Telling the court you have deleted every model that touched it is a different problem.

The 12-year statute-of-limitations myth is dead

A common executive instinct on old data: “That happened years ago, we are past the statute of limitations.” The Clarifai timeline kills that argument. The data was acquired in 2014. The FTC investigation opened in 2019 after a New York Times article. The settlement came in March 2026. The deletion was certified in April 2026. Twelve years from the original sin to the enforcement action.

For AI training data, the limitations clock effectively does not start until the model is deployed and someone notices. Every model in production today is a live exposure for whatever data was used to train it, even if that data was acquired before the company had a privacy team.

What lawyers need from their AI engineering teams

If you are GC or privacy counsel at a company building or using AI, the conversation with engineering needs to be specific. Vague assurances that “we follow best practices” are not enough. Get the following in writing:

  • A complete inventory of every dataset used to train every production model, with provenance documentation.
  • A copy of the terms of service or license under which each dataset was obtained, dated to the acquisition date.
  • A technical capability statement confirming the team can identify, isolate, and delete any model derived from a specific dataset on demand.
  • A retention schedule that distinguishes raw training data, processed embeddings, model checkpoints, and deployed model artifacts.
  • A regulator-response runbook for what happens in the first 72 hours after an FTC, state AG, or class-action subpoena lands.

If engineering pushes back that this is overkill, point to Clarifai. Three million photos. Twelve years of work. Gone.

The state AG angle is going to bite next

The FTC is the headline regulator here, but state attorneys general are watching closely. California, Texas, Colorado, and Washington all have data privacy frameworks that allow them to pursue similar deletion remedies, and several have explicit authority to seek civil penalties that the FTC lacks. The Colorado AI Act in particular, currently being challenged by xAI in federal court, is structured to enable exactly this kind of training-data enforcement once it takes effect on June 30, 2026.

A federal-level FTC settlement with no fine looks lenient. The state AG follow-on with statutory damages will not.

What to do now

Pull your AI training data inventory this week. If you do not have one, that is the project. Cross-reference every dataset against the privacy policies in effect at the date of acquisition. For any dataset that came from a third party, find the contract and read the data-use clauses. For any dataset where the privacy policy at the time did not specifically authorize AI model training, flag it for legal review.

Then ask engineering one question: if a regulator orders us to delete dataset X tomorrow, how many production models go down with it, and how long does it take? The answer will tell you the size of your exposure.

Clarifai had to delete a flagship product. Match Group walked away with a consent order and bad press. The next case will not be that clean. The training-data reckoning is here. The companies that audit now will negotiate from strength. The ones that wait for the subpoena will negotiate from a deletion order.

DH

Don Ho, Esq.

Founder & CEO of Kaizen AI Lab. A practicing attorney for 19 years and former General Counsel, he builds compliance-first AI systems for mid-market companies operating in regulated industries.

Kaizen AI Labs

Ready to Deploy AI in Your Business?

Schedule a discovery call with our AI consulting team. We'll map your operations, identify leverage points, and show you exactly where AI moves the needle.

Book a Consulting Call
AI

Adjacent Media by Kaizen Labs

Is Your Brand Visible to the Bots?

Get a free GEO audit and find out if your brand is being cited, found, or completely invisible in AI-generated answers. Then let's fix it.

Get a Free GEO Audit
GEO