The Federal Trade Commission has filed suit against Match Group and OkCupid, alleging the companies misled millions of users by sharing sensitive personal data – including photos, geolocation data, and demographic information -with a third party without proper disclosure.
In a complaint filed in the U.S. District Court for the Northern District of Texas, the FTC said Dallas-based Humor Rainbow Inc., which operates OkCupid, and Match Group Americas violated federal consumer protection laws by granting unauthorized third-party access to user information while publicly assuring consumers that their data would only be shared under limited, disclosed circumstances.
OkCupid’s privacy policy stated that personal data would not be shared outside of service providers, business partners, affiliated entities, or situations where users were notified and given an opportunity to opt out. The FTC alleges those commitments were inaccurate.
According to the complaint, OkCupid provided nearly three million user photos, along with location and related data, to a third party that did not have a formal business relationship with the platform. The FTC alleges the arrangement was tied to financial connections involving OkCupid’s founders.
The complaint also alleges that OkCupid did not establish formal contractual restrictions governing the third party’s use of the data.
“The FTC enforces the privacy promises that companies make,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection. “We will investigate, and where appropriate, take action against companies that promise to safeguard your data but fail to follow through—even if that means we have to enforce our Civil Investigative Demands in court.”
The FTC further alleges that Match and OkCupid took steps over several years to conceal the data-sharing practices and deny involvement after media reports raised questions about the transfers.
Under the proposed settlement, Match and OkCupid are permanently prohibited from misrepresenting:
- How they collect, use, maintain, disclose, delete, or protect personal data;
- The purposes for which consumer data is collected or disclosed;
- The functionality of privacy controls, opt-out mechanisms, or consumer privacy rights tools.
Although the settlement does not include a monetary penalty, it imposes operational restrictions and compliance obligations related to privacy disclosures and data governance.
Some experts believe the FTC’s prior court enforcement of its Civil Investigative Demand in the case also demonstrates the agency’s willingness to pursue legal action to compel corporate transparency during investigations.
They add that the case underscores the regulatory importance of aligning public privacy statements with actual data practices, particularly regarding third-party access, governance controls, and compliance oversight.