FTC Settles with Match Group and OkCupid Over Secret Transfer of 3 Million User Photos to Facial Recognition Firm
The FTC's enforcement action against OkCupid and Match Group exposes how a decade of concealment — and a single undisclosed data transfer to a facial recognition firm — became a binding compliance reckoning.

The U.S. Federal Trade Commission has finalised an enforcement action against OkCupid and its parent affiliate Match Group Americas, imposing permanent prohibitions on the companies’ data practices after concluding that OkCupid secretly shared the personal information of millions of users, including nearly three million photographs, demographic records and location data, with an unrelated facial recognition company, in direct violation of the platform’s own published privacy policy.

The settlement, announced on 30 March 2026 and filed in the U.S. District Court for the Northern District of Texas, marks the conclusion of one of the most protracted data privacy investigations the FTC has pursued in the consumer technology sector. The case raises immediate compliance questions for every business that collects personal data under a published privacy policy, and offers a sharp warning about the legal exposure of concealment.

What Happened

The FTC alleged that OkCupid quietly granted a financially connected but contractually unrelated third party access to nearly three million user photos and associated data, with no formal or contractual restrictions governing how that third party could use the information, and users were never informed or given the opportunity to opt out.

The third party in question was Clarifai, an artificial intelligence and facial recognition company. OkCupid’s own founders were personal investors in Clarifai, and the firm requested the data on that basis. One of OkCupid’s founders allegedly supplied the photos via his personal email account.

OkCupid’s privacy policy at the time specified that user data would only be shared with service providers, business partners, or affiliated entities, and only with appropriate notice and opt-out rights. The FTC alleged the third party did not qualify under any of those categories and that OkCupid provided access without informing users or allowing opt-out.

Years of Concealment

What elevated this case beyond a standard compliance failure was the conduct that followed the initial data transfer. Since September 2014, Match and OkCupid took extensive steps to conceal the sharing, including efforts to obstruct the FTC’s investigation, and publicly denied that OkCupid had shared users’ personal information with the data recipient. When a news story revealed that Clarifai had obtained large OkCupid datasets, OkCupid claimed to the media and its users that it was not involved.

The FTC’s action followed the Commission’s successful enforcement in federal court of its Civil Investigative Demand, which required OkCupid to turn over information requested by the agency. Regulators were compelled to litigate for access to the information before the investigation could proceed.

Terms of the Settlement

Under the proposed settlement, OkCupid and Match are permanently prohibited from misrepresenting the extent to which the companies collect, maintain, use, disclose, delete or protect any personal information such as photos and demographic and geolocation data; the purpose for which they collect, maintain, use or disclose such personal data; and the function of privacy controls they provide consumers.

Match Group acknowledged the practices were outdated and stated they “do not reflect how OkCupid operates today.” The settlement carries no immediate monetary penalty, but future violations would expose the companies to substantial civil fines. OkCupid must certify compliance to the FTC for ten years.

Why This Matters

The absence of a financial penalty has drawn attention, but the structural and reputational implications of the settlement are significant. The case establishes, in binding legal terms, that a privacy policy is a contractual commitment, not a marketing statement, and that any divergence between published policy and actual data practice creates direct federal enforcement exposure.

The OkCupid enforcement action is part of a sustained FTC effort to hold companies accountable when their data practices diverge from their privacy representations. This pattern is accelerating: the FTC has also recently settled with General Motors and OnStar over undisclosed collection and sale of geolocation and driving behaviour data, with Disney over the unlawful collection of children’s data on YouTube, and dispatched formal compliance warnings to thirteen data brokers operating near sensitive government data flows.

For multinational businesses, particularly those operating across the U.S., EU, and emerging markets where data localisation and consent frameworks are tightening simultaneously, the OkCupid case reinforces a compliance imperative that regulators on multiple continents are now actively enforcing: what a company says it does with data must match, precisely, what it actually does.

The case also shines a light on the particular risks created by founder-investor relationships. Where company leadership holds personal financial stakes in third-party entities that receive corporate data, the absence of formal contractual safeguards and user disclosure creates compounded exposure, both for the business and for individual executives.

The Broader Enforcement Climate

The FTC settlement arrives against a backdrop of intensifying data enforcement globally. In February 2026, the UK Information Commissioner’s Office fined Reddit £14.47 million for unlawfully processing the personal data of children under 13. France’s data protection authority, the CNIL, levied a combined €42 million in penalties against Free Mobile and Free for GDPR failures linked to a 2024 data breach. California’s Attorney General reached a record $2.75 million CCPA settlement with the Walt Disney Company the same month over opt-out rights failures.

Taken together, these enforcement actions signal a coordinated directional shift among regulators across jurisdictions: the tolerance period for good-faith privacy non-compliance is closing. What regulators are now targeting, with increasing precision, is the gap between what companies tell users and what companies actually do, and the steps taken to conceal that gap.
