When Privacy Policies Don’t Match Reality: Lessons from the FTC’s OkCupid Settlement
The FTC recently settled with OkCupid over allegations that the dating app shared millions of users' photos and personal data with a third-party AI company in ways not disclosed in its privacy policy. The case underscores that privacy policies are enforceable commitments. Businesses should ensure their disclosures are accurate and their practices align with those disclosures, or they may face similar enforcement action.
On March 30, 2026, the Federal Trade Commission announced a settlement with OkCupid and its affiliate Match Group Americas (“Match”) over allegations that the popular dating app deceived users by sharing their personal information with an unauthorized third party, contrary to the company's own privacy policy. As companies increasingly explore data-sharing arrangements with third parties, this enforcement action highlights the importance of ensuring that privacy disclosures accurately reflect actual business practices.
The FTC's Allegations
For several years, OkCupid's privacy policy stated that the company would share users' personal information only with service providers, business partners, or businesses within its “family of businesses”—or when users were informed and given the opportunity to opt out. However, the FTC alleged that OkCupid's actual practices did not match these representations.
According to the FTC’s complaint, OkCupid provided a third-party artificial intelligence company, Clarifai, with access to nearly three million user photos, along with demographic and location data. The FTC alleged that Clarifai was not a service provider, business partner, or affiliate and had no business relationship with OkCupid. Rather, OkCupid's founders were financial investors in Clarifai. According to the FTC, Clarifai received this data without paying for it, without any formal agreements governing its use, and without providing any services to OkCupid in return. Users were never notified or given an opportunity to opt out.
The FTC further alleged that when news reports revealed Clarifai had obtained OkCupid's datasets, the company publicly denied involvement—including in statements to the media and to users. According to the agency, Match and OkCupid took extensive steps since September 2014 to conceal the data sharing, including attempting to obstruct the FTC's investigation.
The FTC brought its claims under Section 5(a) of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. While data-sharing practices continue to evolve, the underlying legal principle is well-established: the FTC has long maintained that sharing personal information in ways that contradict a company's privacy policy may constitute a deceptive trade practice under federal law.
The Settlement Terms
Under the proposed twenty-year consent order, OkCupid and Match must:
- Submit annual compliance reports to the FTC for ten years. These reports must include a list of covered services and the steps taken to comply with the order.
- Maintain records related to their services, including consumer complaints, refund requests, revenues, and all records necessary to demonstrate compliance.
- Notify the FTC prior to corporate restructuring activities.
- Accurately represent:
  - The extent to which they collect, maintain, use, disclose, delete, or protect any consumer’s information;
  - The purposes for which they collect, maintain, use, or disclose any consumer’s information; and
  - The function of any privacy controls presented to consumers.
For the duration of the order, the FTC may obtain discovery without further leave of court. Notably, the settlement does not impose monetary penalties, relying instead on injunctive relief and long-term compliance obligations.
Key Takeaways for Businesses
- Know What Your Privacy Policy Actually Says. Your privacy policy defines the boundaries of what you can do with customer data. Regulators will hold you to those boundaries.
- Ensure Your Practices Align with Your Policy. If your policy says one thing and your practices reflect another, that gap can create regulatory exposure.
- Update Policies as Your Business Evolves. When your company adopts new tools, enters new partnerships, or launches new initiatives involving personal data, revisit your privacy policy to ensure it remains accurate.
- Formalize Data-Sharing Arrangements. Even informal or one-off sharing arrangements should be documented and should comply with the categories disclosed in your privacy policy.
- Verify That User Controls Work as Described. If your privacy policy promises users the ability to opt out or manage how their data is shared, make sure those controls actually function as described.
As FTC Bureau of Consumer Protection Director Christopher Mufarrige stated in announcing the action: “The FTC enforces the privacy promises that companies make. We will investigate, and where appropriate, take action against companies that promise to safeguard your data but fail to follow through.” Maintaining accurate privacy policy disclosures—and honoring those commitments—remains critical for any business that handles personal data.
Koley Jessen monitors developments in data privacy and can provide guidance as new information emerges. If you have questions about your compliance obligations or need assistance evaluating your privacy practices, please contact a member of Koley Jessen's Data Privacy and Security Practice Area.
*Special thanks to Summer Associate Ellie Johnson for her contributions to this article.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.