CLIENT ALERT: Colorado Federal Court Allows Privacy and AI Training Claims to Proceed Against Photobucket

As more companies incorporate artificial intelligence into their operations, it is critical to review and update online terms and conditions, privacy policies, and form agreements to ensure they properly disclose AI-related data uses and, where applicable, obtain appropriate consent from individuals.

A recent case in the U.S. District Court for the District of Colorado illustrates the risks when a company begins using new technology without ensuring its terms and policies have been properly updated and without obtaining proper consent from individuals affected. In Pierce v. Photobucket Inc., plaintiffs allege that Photobucket, a photo hosting service, planned to license over 13 billion user-uploaded images for biometric analysis and AI training without obtaining valid consent. While no final decision on the merits has been reached, businesses can take steps now to reduce the risk of facing similar claims.

Background

The plaintiffs allege that at its peak, Photobucket had over 100 million registered users and more than 13 billion images. According to the complaint, in 2024, Photobucket’s CEO publicly announced plans to license this image archive to AI companies for training generative AI models and building biometric facial recognition databases. Because Photobucket’s online terms and conditions did not account for such AI usage, Photobucket updated its terms and then attempted to obtain “consent” from existing users by sending emails informing them they could opt out of having their photos used in this manner. It is also alleged that Photobucket’s opt-out method was not straightforward, allowed only an initial opt-out period (after which users were deemed to have opted in) and gave users only two options: either allow Photobucket to use the photos for AI training or have their photos deleted.

Four former Photobucket users filed a class action complaint alleging violations of the privacy laws of various states. The plaintiffs allege that Photobucket did not have the necessary consent to use their biometric data in connection with AI.

Key Privacy Law Implications

Pierce v. Photobucket sits at the intersection of several rapidly evolving areas of privacy law and merits close attention from businesses that collect, store, or monetize consumer data.

At the heart of this case is whether a company can retroactively impose consent to new data uses, such as biometric extraction and AI training, through updated terms of service and emails with automatic opt-ins. In ruling on Photobucket’s motion to dismiss, the court stated that passive account maintenance does not constitute “continued use” sufficient to bind users to amended terms. Companies that hold historical user data should not assume that a boilerplate amendment provision will constitute valid consent for changed uses of user data, particularly where the new uses are qualitatively different from the original uses and the services for which users originally signed up.

Photobucket’s approach—sending emails to long-dormant users, burying biometric consent behind account recovery links, and treating failure to opt out within 45 days as affirmative consent—could also be considered an illegal “dark pattern,” subjecting the business to further liability.

What Your Business Should Do

Businesses that maintain user data and wish to use such data for AI training or other purposes not disclosed at the time of collection should take the following steps:

• Review the terms under which data was originally collected to determine what uses were disclosed and whether users gave affirmative consent for such uses.
• Assess whether proposed expanded data uses (including AI training) are consistent with existing disclosures and consents.
• Obtain clear, opt-in consent before using personal data, especially biometric data or sensitive data, for AI training purposes.
• Continue monitoring legal developments in privacy, biometrics, and AI regulation at both the state and federal levels.

Please contact the Olshan attorney with whom you regularly work or the attorney listed below if you would like to discuss further or have questions.

This publication is issued by Olshan Frome Wolosky LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising.
Copyright © 2026 Olshan Frome Wolosky LLP. All Rights Reserved.