The FTC filed a complaint against Match Group and OkCupid on March 30 for sharing nearly 3 million user photos, location data, and demographic information with Clarifai, a facial recognition AI company. The transfer happened in 2014. The concealment lasted 12 years. And one of OkCupid's co-founders sent the data through his personal email to Clarifai's CEO. That co-founder was also an investor in Clarifai.
That's not a data breach. That's a business decision someone made over email, with no contract, no consent mechanism, and no user notification. And it's exactly the kind of decision the FTC will pursue for over a decade.
This is Match Group's second FTC enforcement action in seven months (they paid $14 million in August 2025 for deceptive advertising). The settlement here carries no monetary penalty, but imposes permanent prohibitions on misrepresenting data practices and 10 years of mandatory compliance reporting. The dollar amount matters less than the timeline. The FTC spent 12 years on this. They will spend 12 years on yours.
What Should You Audit This Week?
1. Does your privacy policy match what you actually do with data?
The FTC's entire case rests on Section 5(a) of the FTC Act (the federal prohibition on deceptive practices), and the theory is simple: OkCupid's privacy policy said it wouldn't share data with unrelated third parties, and it did. Review every data flow in your product against the actual text of your privacy policy. If the policy says one thing and your engineers are doing another, that's the same gap that got Match in trouble.
2. Are informal data transfers happening outside your systems?
This data moved via a co-founder's personal email. No data sharing agreement, no access controls, no audit trail. If anyone at your company can share user data through personal channels, Slack DMs, or ad hoc file transfers, that's a problem you need to fix before the FTC finds it for you.
3. Do your vendor and partner relationships have written data use restrictions?
Clarifai received 3 million photos with zero contractual restrictions on use. They built a facial recognition database with OkCupid user images, and they still have the data today. The FTC's order doesn't require Clarifai to delete anything, because Clarifai wasn't a party to the settlement. Your data sharing agreements need to specify exactly what the recipient can do, for how long, and what happens when the relationship ends.
4. Can you respond to an FTC Civil Investigative Demand?
A Civil Investigative Demand (CID) is the FTC's equivalent of a subpoena in an investigation. Match Group withheld nearly every responsive document under overbroad privilege claims. The FTC had to go to federal court (D.C. District Court, Case No. 1:22-mc-00054) to compel production. Obstruction doesn't make investigations go away. It makes them worse. Your legal team should know where your data sharing records live and be able to produce them within 30 days.
5. Is your public denial strategy aligned with your legal strategy?
When the New York Times reported the data sharing in 2019, OkCupid's response was evasive. They acknowledged Clarifai had "contacted" them but didn't disclose the actual data transfer. That evasion became part of the FTC's deception case. If a journalist or regulator asks about your data practices, the answer needs to be accurate, not aspirational. Your comms team and your legal team should be in the same room before anyone issues a statement.
Frequently Asked Questions
Does this apply to my company if we're not a dating app?
Yes. The FTC's theory here has nothing to do with dating apps specifically. It's about the gap between what your privacy policy promises and what you actually do with user data. Any company that collects personal information and shares it with third parties outside the scope of its stated policy faces the same risk under Section 5(a) of the FTC Act.
What if we shared data with a vendor years ago and forgot about it?
That's exactly the scenario the FTC pursued here. The data transfer happened in 2014 and the complaint was filed in 2026. The FTC doesn't have a statute of limitations on deceptive practices in the same way criminal law does. If the deception is ongoing (your privacy policy still misrepresents your practices), the clock hasn't started.
Do we need to worry about the third party that received our data?
You should, but the FTC won't help you. In this case, Clarifai kept the photos and the trained facial recognition models. The settlement imposes no obligations on Clarifai at all. If you've shared data with a vendor without contractual restrictions, you may have no legal mechanism to get it back or require deletion.
What's the first thing we should do this week?
Map every data flow that involves sharing user information with a third party. Compare each one against the text of your current privacy policy. If you find a mismatch, update the policy or stop the data flow. Don't wait for the FTC to do the audit for you.
The Takeaway
The FTC doesn't need a data breach to come after you. It needs a gap between what you promised and what you did. Under Chair Ferguson, the agency isn't pursuing sweeping new privacy regulations. It's enforcing the commitments you already made. Your privacy policy is the standard they'll hold you to.
If you haven't audited your data practices against your privacy policy in the last year, this week is a good time to start. And if the audit turns up something uncomfortable, fix it now. The FTC just showed you they're patient enough to wait.
---
This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before making compliance decisions based on the developments discussed here.