FTC order bars OkCupid from misleading users about biometric data sharing

Dallas, Texas-based dating app company Match Group Americas and its subsidiary Humor Rainbow, Inc., doing business as OkCupid, have agreed to a proposed Federal Trade Commission (FTC) settlement that would bar the two companies from misrepresenting how they collect, use, disclose, delete or protect users’ personal data, including biometrics.

The FTC alleged the companies shared OkCupid user information with a third-party facial recognition company despite privacy promises to the contrary. That company has been identified as Clarifai, an AI company that makes facial recognition software.

In May 2022, the FTC filed a petition to force Match to comply with a demand for documents related to an alleged 2014 data-sharing deal between Match, its subsidiary OkCupid, and Clarifai.

The Washington, D.C.-based law firm Migliaccio & Rathod LLP said this week that it “is investigating OkCupid and its affiliate, Match Group Americas, following reports that OkCupid provided a third-party, Clarifai, with unauthorized access to millions of users’ personal data.”

The FTC order, filed in the Northern District of Texas, resolves the FTC’s claims against Match Group Americas and Humor Rainbow.

The FTC’s complaint alleges the companies engaged in deceptive acts or practices in violation of Section 5 of the FTC Act by providing OkCupid user data to a third-party facial recognition technology company in a way that contradicted statements in OkCupid’s privacy policies.

Match and OkCupid neither admit nor deny the allegations, but they waive any right to challenge the validity of the order and agree to its entry.

“The FTC enforces the privacy promises that companies make,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection. “We will investigate, and where appropriate, take action against companies that promise to safeguard your data but fail to follow through – even if that means we have to enforce our Civil Investigative Demands in court.”

The proposed settlement does not impose a civil penalty. Instead, it centers on a broad, forward-looking injunction covering privacy representations tied to the OkCupid service and any successor online dating service.

Under the order, Match and OkCupid are permanently prohibited from misrepresenting the extent to which they collect, maintain, use, disclose, delete or protect covered information, the purposes for which they handle that information, and the function of privacy controls or consumer choices presented through their interfaces.

The definition of “covered information” in the order is expansive. It includes names, physical addresses, email addresses and other online contact information, phone numbers, financial account and payment card information, precise geolocation, photos and videos, and persistent identifiers such as cookies, static IP addresses and mobile device IDs.

The “covered service” is defined as OkCupid and any successor online dating service.

The order also puts in place a lengthy compliance regime. Within ten days of entry, each defendant must submit a sworn acknowledgement that it received the order, and for ten years, the companies must distribute the order to principals, officers, directors, managers, and employees with managerial responsibility for consumer-facing privacy representations and obtain signed acknowledgements from those recipients.

They also must submit a detailed compliance report after one year and notify the FTC within 14 days of key corporate changes or bankruptcy filings that could affect compliance.

Record keeping and monitoring provisions extend the oversight further. For 10 years the companies must create specified records and keep each for five years, including accounting records for the covered service, consumer complaints and refund requests related to privacy practices, and materials needed to demonstrate compliance.

The FTC may demand additional reports, take depositions, inspect documents and communicate directly with the companies for monitoring purposes. The order states it will remain in effect for 20 years.

The case traces back to a long-running dispute over the use of dating app photos in facial recognition systems.

Earlier, Match sought to keep FTC court proceedings secret while the commission investigated claims that the company shared users’ photos with a facial recognition business, an issue that followed earlier biometric data privacy litigation involving Match-owned services.

That earlier litigation was tied to the Illinois Biometric Information Privacy Act (BIPA), which has become one of the most important state laws governing the collection and use of biometric identifiers and biometric information.

Plaintiffs had alleged Match dating platforms improperly used or disclosed users’ facial geometry data through facial recognition-related practices.

The FTC matter ran on a parallel track, focusing not on BIPA directly but on whether OkCupid misled consumers about their privacy practices.

The case is notable because it sits at the intersection of biometric privacy, consumer protection law, and the especially sensitive nature of data held by dating services.

Photos, profile information and related identifiers on dating apps can reveal intimate details about users’ lives, relationships, and habits.

Even where biometric data itself is not singled out in a federal privacy statute, regulators have increasingly treated misleading statements about data sharing and privacy controls as potential deception under the FTC Act.

The Match order reflects that approach by focusing heavily on representations to users and on how privacy controls are described.

The settlement also shows the FTC’s continued reliance on long-duration conduct orders in privacy cases. Rather than requiring only a one-time change, the order creates an extended structure of accountability, with sworn submissions, preservation duties and access for agency investigators.

For a company operating a major online dating service, those provisions could shape internal privacy governance well beyond OkCupid itself, particularly because the order applies not just to the current service, but also to any successor dating service covered by the definition in the settlement document.

The order still requires court entry to take effect formally. Once entered, the court will retain jurisdiction to enforce or modify it. The stipulation was signed by FTC attorneys and by counsel and corporate officials for Match Group Americas and Humor Rainbow in February, indicating the parties had already reached agreement before the filing date.

For Match, the settlement closes a chapter that has lingered since at least 2021 and 2022, when the company was fighting both private biometric privacy claims and scrutiny over how user photos may have been made available to facial recognition technology.

For the FTC, it is another example of using deception authority to police promises around personal data handling in the absence of a comprehensive federal privacy law.

Article Topics

Biometric Information Privacy Act (BIPA)  |  biometrics  |  Clarifai  |  data collection  |  data privacy  |  facial recognition  |  FTC