I'm mildly terrified that it's going into another training data set somewhere.

Agreed. Depending on which option you choose, this could further improve their model. For example, they could use it to confirm your identity and improve recognition of you. Even if they never disclosed your id, they could use it reject subjects that would otherwise have a possibility of being you.

Of course it is. These people are sociopaths.

Which category are you in?

I just submitted an access request under the EU resident category. If I don't get a response I will consider making another request in writing.

CCPA here. I submitted an info request, a data-deletion request, and an opt-out request. I got 0 responses.

At what point does an investigator take a look at this?

I would hope the state of California would care. I have no idea how you're meant to try to enforce your rights under CCPA other than by hiring a lawyer.

I filed a complaint with my local data protection authority a couple of years back. We had to integrate a credit reporting API and I noticed that it required no authentication other than a username. I also observed that who was preforming the check was a field we could specify in the request and it was not validated (I did a check on myself with the SoapUI default of '?'). I did not receive a response. So unfortunately I think our options for actually enforcing our rights are probably limited.

Still, I guess we'll find out if Clearview takes GDPR any more seriously than CCPA.