Four landmark rulings between 2020 and 2024 made it illegal for Big Tech and data brokers to do what they were doing. Here is how Aletheos operationalizes each one.
See the dashboard →Privacy statutes like the GDPR, CCPA/CPRA, PIPEDA, and the EU AI Act create rights in theory: the right to be forgotten, the right to know what data is held about you, the right to object to automated inference, the right to refuse surveillance dressed up as a product feature.
Between 2020 and 2024, courts and regulators confirmed those rights in practice. A U.S. federal court certified a class action over Google's Incognito Mode tracking. Canada's Privacy Commissioner ruled Clearview AI's biometric scraping unlawful. The FTC sued Kochava for selling sensitive geolocation. Ireland's DPC fined Meta €1.2 billion for unlawful transatlantic transfers.
But enforcement is manual, slow, and expensive for a natural person. Reading the rulings does not remove your data from the broker. Knowing the law exists does not get you an erasure certificate. Aletheos automates the enforcement — one human, one click, one cryptographically-signed paper trail. The law is already on your side. We just make it run.
One card per case. Citations follow the McGill Canadian Guide to Uniform Legal Citation (9th ed.) style used in our research brief.
Chrome users sued Google in the U.S. District Court for the Northern District of California alleging that "Incognito Mode" was deceptive: Google continued to collect browsing data through Google Analytics, Ad Manager, and its embedded SDKs even when users had explicitly opted into private browsing. The court denied Google's motion to dismiss in 2020 and the parties reached a settlement requiring the destruction of billions of private-browsing records in 2024.
What the court foundThe court accepted that a reasonable user could have understood Incognito Mode as preventing this collection, making Google's continued tracking actionable under California's privacy and consumer-protection statutes. "Private" was a promise, not a marketing word.
Why it matters for youEvery mainstream browser, extension, and embedded SDK is still running some form of fingerprinting — canvas, WebGL, font enumeration, audio-stack hashing — even when you think you are browsing privately. The ruling establishes that undisclosed fingerprinting is a legal harm, not a feature.
Fingerprint Shield — our browser extension normalizes and rotates the twelve most-abused fingerprint surfaces, blocks tracker beacons before they fire, and issues you a monthly report of every attempted fingerprint so you have evidence if you ever need to file. Open Fingerprint Shield in the dashboard →
Clearview AI scraped more than three billion face images from public websites and social media platforms without the consent of the individuals depicted, then sold the resulting biometric search index to police forces and private actors. Canadian privacy commissioners opened a joint investigation after journalists reported Canadian law-enforcement use.
What the regulators foundThe investigation concluded that Clearview's collection, use, and disclosure of facial biometrics constituted mass surveillance and violated federal and provincial privacy law. The Commissioners ordered Clearview to cease offering the service in Canada and to delete images of Canadians from its database.
Why it matters for youA photograph of your face posted to a public platform is not consent to be enrolled in a biometric search engine or a generative-AI training corpus. Your image can sit inside a frontier model's weights for years — inferable on demand, never truly "deleted" by a normal takedown request.
MIA Verification + Machine Unlearning — our Membership Inference Attack probes frontier models to prove whether your data was used in training, then files a verified machine-unlearning request with each vendor and tests the post-unlearning weights to confirm the memorization score has actually dropped. Run an MIA scan →
The U.S. Federal Trade Commission sued Kochava, a mobile-ad data broker, alleging it sold precise geolocation traces from hundreds of millions of phones — including visits to reproductive-health clinics, places of worship, and domestic-violence shelters — on the open data market with no meaningful user consent or anonymization.
What the court foundThe District of Idaho held in 2023 that the FTC had stated a plausible claim that Kochava's sale of sensitive geolocation constituted an unfair practice under Section 5 of the FTC Act. The ruling confirmed that dark-pattern consent flows do not launder the sale of sensitive data.
Why it matters for youYour location history is on sale. Right now, via roughly four thousand data brokers, most of whom will never have heard your name but will happily sell a file on you. The Kochava ruling means those sales are legally vulnerable — if someone submits the right deletion request.
Data Broker Removal — we submit continuous, legally-grounded deletion and opt-out requests to the full cohort of U.S., Canadian, and EU data brokers, track compliance per broker, and re-submit automatically when a broker re-adds you. Every request is CCPA / CPRA / PIPEDA / GDPR-cited. Open Data Broker Removal →
Ireland's Data Protection Commission — Meta's lead EU supervisory authority — concluded a cross-border inquiry into Meta's transfer of Facebook user personal data from the EU/EEA to the United States. Following the Schrems II judgment of the Court of Justice of the EU, the DPC found Meta's reliance on standard contractual clauses was insufficient in the face of U.S. surveillance law.
What the regulator foundThe DPC issued a record €1.2 billion fine, ordered Meta to suspend further transfers of EU personal data to the U.S., and ordered the repatriation or deletion of data already transferred. The ruling confirmed that jurisdiction of processing is a live legal question — not a back-office implementation detail.
Why it matters for youWhere your data lives determines which laws protect it. A Canadian or European user whose data is silently transferred to a U.S. processor loses the protections their home statute promised. You are entitled to know where your data is stored and to object when the transfer mechanism is invalid.
Jurisdiction & Data Residency transparency — our Data Processing Agreement itemises every sub-processor, the country of processing, and the legal transfer mechanism in force (SCCs, adequacy decision, or binding corporate rules). If a mechanism falls, we notify affected users and pause transfers before resuming under the replacement basis.
Aletheos operates inside a multi-jurisdictional web of privacy and AI-governance statutes. We publish our position on each one — draft banners where a document is still awaiting final counsel review are deliberate, not oversight. These are the public positions we bind ourselves to.
Each line below names the statute, the jurisdiction it governs, and — where published — our corresponding public document.
Honest limitations, stated plainly. Aletheos is not a law firm and nothing on this page is legal advice. We do not guarantee deletion from a given processor — what we guarantee is a cryptographically-signed proof of submission and, for AI models, a pre- and post-unlearning memorization probe that tells you whether the weights actually forgot you.
We do not hack back. We do not probe systems we have no lawful basis to probe. Our active-defense features — honey tokens, adversarial perturbations, counter-scraping — are gated per jurisdiction and only enabled where the legal review has been completed. Where a feature is not legally reviewed in your jurisdiction (see UK CMA and India DPDP drafts), it is turned off by default for your account until it is.
This page summarizes publicly-reported cases and does not constitute legal advice. Consult a lawyer for your specific situation.