A photograph is two records in one file. The pixels show the scene. The metadata describes the camera, the timestamp, the GPS coordinates, the editing history, and often the copyright holder. In a courtroom, an investigation, or a copyright dispute, both layers count. Photo metadata law is increasingly the layer that decides the case.
This article walks through how EXIF and related metadata are treated by courts, copyright systems, and privacy regulators in 2026. It is not legal advice, but it is the working knowledge anyone publishing photos online benefits from having.
Metadata as digital evidence
In most common-law jurisdictions, including the United States, the United Kingdom, Canada, and Australia, EXIF data is admissible as digital evidence under the same rules that govern any electronic record. A party that wants to introduce a photo as evidence must establish that the file is what it claims to be, and metadata is the standard tool for doing so. Courts look at the EXIF timestamp to establish when a photo was taken, the GPS coordinates to establish where, and the camera serial number to tie a photo to a specific device.
The reverse also happens. Metadata is routinely used to challenge a photo. If the EXIF software field shows that a JPEG has been opened in Photoshop, or if the timestamp was edited after the fact, opposing counsel will use that to argue tampering. Forensic examiners look for inconsistencies between EXIF tags, between the EXIF time and the file system time, and between the embedded thumbnail and the visible image.
Cases where metadata changed the verdict
The most famous example is John McAfee, who in 2012 was fleeing authorities in Belize and gave an interview to a Vice journalist in Guatemala. Vice published a photo of him taken with an iPhone 4S. The photo contained GPS coordinates accurate to a few meters, and within hours those coordinates had been read off the file by anyone who cared to look. McAfee was located, arrested, and deported.
The 2018 Strava heatmap incident is another well-documented case. The fitness platform published a global heatmap of user activity that aggregated GPS tracks from devices people wore while jogging. Analysts quickly realized that bright clusters in otherwise dark regions of the Middle East and Africa mapped neatly onto previously unacknowledged US military bases. The metadata was not even EXIF in that case, but the lesson generalized: location data published in good faith becomes intelligence the moment it is published.
In domestic-violence and stalking cases, metadata regularly comes up on both sides. A victim who took a photo of an injury can use the EXIF timestamp to corroborate when the assault occurred. A defendant accused of harassment may use metadata to show that a photo was actually taken months before the dates alleged in the complaint. Family courts use EXIF data to establish where a parent was on a given day in custody disputes. None of this is exotic. It is now routine.
If a photo on your phone could ever become evidence, do not strip its metadata. Stripping preserved evidence may itself be sanctionable. The advice in this article is about photos you publish, not photos you may need to produce in litigation.
Copyright and the IPTC standard
Beyond EXIF, photographers and news agencies use the IPTC metadata standard to embed copyright information directly into image files: the photographer's name, contact details, licensing terms, captions, and usage restrictions. Stripping IPTC tags is treated differently from stripping EXIF in many jurisdictions.
In the United States, Section 1202 of the Digital Millennium Copyright Act prohibits the intentional removal of copyright management information, which courts have interpreted to include IPTC author and copyright fields. Removing a photographer's credit before reposting their work can give rise to statutory damages independent of any infringement claim about the image itself. The Mango v. BuzzFeed decision in 2020 reinforced this reading at the Second Circuit. The European Union's Copyright Directive contains a parallel provision.
The practical consequence: if you are stripping metadata from your own photos before posting, you are exercising a privacy right. If you are stripping metadata from someone else's photos before reusing them, you may be creating a separate cause of action against yourself.
GDPR, CCPA, and metadata as personal data
European data protection authorities have repeatedly held that EXIF GPS coordinates, when linked to an identifiable person, constitute personal data under the General Data Protection Regulation. The same logic applies to camera serial numbers, which can act as persistent device identifiers. A company that hosts user-uploaded photos and does not strip or secure that metadata is processing personal data, with all the consent and breach-notification duties that follow.
The California Consumer Privacy Act and its successor, the CPRA, define personal information broadly enough that GPS metadata in photos counts. Brazil's LGPD takes a similar position. None of these statutes single out photo metadata by name, but the definitions they use sweep it in.
For ordinary users this rarely matters directly. For anyone running a photo-sharing service, social platform, dating app, or marketplace, it matters quite a lot. Platforms that strip EXIF on upload do so partly to reduce their own regulatory exposure.
When you can be compelled to produce metadata
In civil litigation, parties can be required to produce relevant electronic records, and the metadata of those records is part of what gets produced. A subpoena for "all photographs related to the events of June 12" includes the EXIF data on those photos by default. Deleting metadata after a subpoena is served, or after litigation is reasonably anticipated, can constitute spoliation of evidence, which carries adverse inferences and in some cases sanctions.
In criminal cases, law enforcement can obtain photos and their metadata through search warrants, and platforms regularly comply with requests for the metadata of uploaded files even when they have stripped it from public view. The takeaway is that "the platform strips it" is not the same as "the platform forgets it." If you are concerned about a specific photo, strip it before it leaves your device.
Decide what your photos reveal before you share them
StripIt removes EXIF metadata from your photos on-device, so you control what travels with the image when you post, send, or upload it.
Download StripItThe bottom line
Metadata is not a technical curiosity. It is evidence, it is copyright information, and it is regulated personal data. The rules around it vary by jurisdiction but converge on a single point: the hidden layer of a photo is treated as part of the photo. If you publish photos, behave accordingly. Keep your own evidentiary metadata intact. Respect other people's copyright tags. Strip the GPS coordinates and device identifiers off anything you post publicly. The law has not caught up to every nuance of digital images, but it has caught up to that much.