On March 30, 2026, the Federal Trade Commission filed and settled an enforcement action against OkCupid LLC and its parent company Match Group Americas LLC for sharing users' personal data — including nearly three million user photos and location information — with an unrelated third party, contrary to OkCupid's own privacy representations.
No monetary penalty was imposed. The settlement order prohibits OkCupid and Match Group from misrepresenting their data handling practices going forward, and imposes compliance reporting obligations.
The case is less notable for its financial consequence than for its enforcement theory, which is direct and broadly applicable: a privacy policy is a legal commitment. When a company's actual data practices diverge from what its privacy policy says, the FTC treats that divergence as a deceptive act or practice under Section 5 of the FTC Act. The FTC does not need to prove consumer harm. It needs to prove the misrepresentation.
What OkCupid Did
OkCupid's privacy policy, at the time relevant to the FTC's action, stated that OkCupid does not share personal information except as described in the policy or when users are informed and given the opportunity to opt out.
OkCupid violated that commitment by sharing user data with Clarifai, Inc.
Clarifai is an AI company specializing in computer vision and image recognition — the kind of company that trains models to identify faces, objects, and patterns in images. It was not an OkCupid service provider. It was not a business partner in the traditional sense. It was not a family affiliate of OkCupid or Match Group.
What Clarifai was: a company in which an OkCupid founder held a financial investment.
OkCupid provided Clarifai with access to nearly three million OkCupid user photos as well as location information and other user data. The disclosure was not described in OkCupid's privacy policy. Users were not informed. Users were not given an opportunity to opt out. OkCupid placed no formal or contractual restrictions on how Clarifai could use the data it received.
The FTC's March 30, 2026 action alleged that this transfer — undisclosed, contractually uncontrolled, to a third party with no legitimate service relationship — constituted a deceptive practice under Section 5 of the FTC Act.
The Legal Theory: Privacy Policies as Binding Commitments
The Match/OkCupid case is the latest in a long series of FTC enforcement actions built on the same theory, and understanding that theory is more useful than studying the specific facts of OkCupid's conduct.
Under Section 5 of the FTC Act, a deceptive act or practice is one that is likely to mislead a reasonable consumer in a material way. When a company publishes a privacy policy, that policy is a representation to consumers about how their data will be handled. Consumers rely on that representation when deciding whether to use the service, what information to share, and what expectations to hold about their privacy.
When actual data practices diverge materially from the privacy policy, the FTC treats the divergence as a material misrepresentation — regardless of whether any individual consumer was harmed. The FTC does not need a class of damaged plaintiffs or documented instances of misuse. It needs the gap between the stated policy and the actual practice.
This is why privacy policy accuracy is a legal compliance obligation, not just a good practice. Policies that are vague, aspirational, or technically accurate at drafting but outdated as practices evolve create ongoing Section 5 exposure. The OkCupid case is a clear illustration.
The Clarifai Relationship and the Conflict of Interest
The structure of the OkCupid-Clarifai data transfer is unusual in one dimension: the recipient was a company in which an OkCupid founder had a personal financial interest.
This creates a conflict of interest dimension beyond the basic privacy misrepresentation. A company executive or founder directing data transfers to an entity in which they are personally invested — without disclosure to users or governance oversight — raises questions that go beyond whether the privacy policy was accurate.
The FTC's complaint does not appear to have charged the conflict of interest separately from the deceptive practice claim. But the structure of the transfer is relevant to understanding why OkCupid made no effort to disclose it to users or to place contractual restrictions on Clarifai's use of the data. If the purpose of the transfer was to benefit an entity in which an insider was invested, rather than to provide any service to OkCupid users, the absence of controls and the absence of disclosure are both explicable — and both increase the severity of the underlying conduct.
The Data Transferred: Photos and Location
The categories of data transferred in the OkCupid-Clarifai transfer merit attention.
Photos. Dating app users upload photos that are personal, context-specific, and often sensitive. A photo uploaded to a dating app carries an implicit expectation of use within that app's ecosystem — not distribution to third-party AI training pipelines. Three million photos transferred to an AI image recognition company, for purposes that were unrelated to any OkCupid service, represents a significant departure from that expectation.
Location data. Location data is treated as a sensitive category of personal information by federal and state regulators, and the FTC has been specifically focused on location data practices in its recent enforcement work. The May 2026 Kochava settlement — which prohibited Kochava from selling sensitive location data without affirmative consent — reflects the same enforcement priority. Location data transferred to an unrestricted third party creates the same risks of tracking and targeting that the Kochava settlement addressed.
The combination of photos and location data — both sensitive categories — transferred to a company with no contractual restrictions makes the OkCupid case a more serious data governance failure than it might appear from the headline.
No Fine: What That Means
The OkCupid settlement imposed no monetary penalty. This warrants explanation.
The FTC's authority to impose civil monetary penalties in privacy cases under Section 5 is limited. The FTC can seek civil penalties only when a company violates a prior FTC order — meaning it has been caught and sanctioned before and then repeated the conduct. For first-time deception cases under Section 5, the FTC typically obtains injunctive relief: a prohibition on the specific conduct at issue, broader misrepresentation prohibitions, and compliance monitoring.
This is the standard outcome in Section 5 first-time privacy misrepresentation cases. The absence of a fine does not mean the enforcement action is inconsequential. It means the FTC's civil penalty authority was not triggered.
What the order does impose: a permanent prohibition on misrepresenting privacy practices, meaning any future gap between OkCupid's stated policies and its actual practices carries the full weight of a prior-order violation and opens the company to civil penalties up to $53,088 per violation per day.
Lessons for App Operators and Data Governance Teams
The OkCupid case, together with the broader FTC enforcement record in privacy, produces a set of practical compliance obligations that apply across the consumer app landscape.
Your privacy policy is a legal contract with your users and the FTC. Every statement in your privacy policy about how data is collected, used, shared, and retained creates a legal commitment. Practices that diverge from those statements — even with good intentions, technical constraints, or legacy arrangements — create Section 5 exposure. Review your policy against your actual practices at least annually and whenever data practices change.
Third-party data transfers require governance controls. Any disclosure of user data to a third party should be: (1) described in your privacy policy, or (2) disclosed to users with an opt-out opportunity, or (3) structured as a legitimate service provider relationship with contractual restrictions. An undisclosed, contractually uncontrolled disclosure to a third party with no service relationship satisfies none of these requirements.
Conflict of interest governance matters for data decisions. Data transfers to entities in which company insiders have financial interests are high-risk transactions. They require board-level or senior governance oversight, documented business justification, and typically user disclosure. Insider-benefit data transfers that go undisclosed create both Section 5 exposure and governance liability that extends beyond the FTC.
Dating apps and consumer-facing platforms with sensitive data face heightened scrutiny. OkCupid is the second major dating app enforcement action involving data practices — following the 2020 action against Grindr for sharing HIV status data with advertisers. The FTC is attentive to the sensitivity of dating app data — which frequently includes health information, sexual orientation, and location data — and has demonstrated enforcement commitment in this category.
Location data and photos require explicit handling policies. Both categories are treated as sensitive by the FTC's current enforcement posture. If your app collects photos, location data, or health-adjacent information, your privacy policy and your data governance practices need to address these categories specifically, and any third-party sharing requires explicit user disclosure or consent.
The Broader FTC Enforcement Context
The OkCupid action is one of several FTC enforcement actions in 2026 focused on the gap between privacy policy representations and actual data practices. The Kochava settlement (May 4, 2026) addressed a similar theory in the data broker context — the FTC's position that data collected and shared in ways consumers did not expect constitutes an unfair trade practice.
The common thread across these enforcement actions: the FTC is using Section 5 as a general data governance enforcement tool. Companies that maintain accurate privacy policies, implement governance controls over third-party data sharing, and verify that technical practices match stated commitments are substantially less exposed than companies operating on the assumption that the FTC will only act in cases of obvious consumer harm.
For context on FTC location data enforcement, see our analysis of the FTC vs. Kochava settlement. For the full California enforcement picture, see our coverage of CPPA's Q1 2026 enforcement wave.
Sources: FTC Press Release (March 30, 2026, FTC Takes Action Against Match and OkCupid); FTC Legal Library, OkCupid/Match case timeline; Inside Privacy (FTC Alleges OkCupid Data Sharing Amounted to a Deceptive Practice); Venable LLP (FTC OkCupid Settlement: Deceptive Data Sharing, Privacy Policy Compliance, and Section 5 Takeaways); ComplyAuto (FTC v. OkCupid & Match Group: A Reminder That Your Privacy Policy Must Reflect Reality); Bloomberg Law (Match Group, OkCupid Reach FTC Agreement on Data Protection); McDermott Will & Emery. This article is provided for informational purposes only and does not constitute legal advice.



