FTC Action Against Match and OkCupid for Deceiving Users, Sharing Personal Data

The Federal Trade Commission is taking action against OkCupid and its affiliate Match Group Americas over allegations OkCupid deceived users of its dating app by sharing their personal information, including photos and location information, with an unrelated third party, contrary to OkCupid’s privacy promises.

As part of a settlement, OkCupid, operated by Dallas-based Humor Rainbow, Inc., and Match Group Americas, which provides services for Humor Rainbow, will be prohibited from misrepresenting its privacy policies.

In a federal complaint, the FTC alleged that OkCupid gave an unauthorized third party access to the personal data of millions of OkCupid users in violation of its privacy policies. The FTC’s action follows the Commission’s successful enforcement in federal court of its Civil Investigative Demand, which required OkCupid to turn over information requested by the agency.

“The FTC enforces the privacy promises that companies make,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection. “We will investigate, and where appropriate, take action against companies that promise to safeguard your data but fail to follow through—even if that means we have to enforce our Civil Investigative Demands in court.”

As alleged in the complaint, OkCupid told consumers that it doesn’t share “your personal information with others except as indicated in this Privacy Policy or when we inform you and give you an opportunity to opt out of having your personal information shared.” Its privacy policy at the time claimed it may share personal information with service providers, business partners, other entities within its family of businesses or when it informed consumers about such data sharing and gave consumers the chance to opt out.

Despite these promises, the FTC alleged that OkCupid shared users’ personal data with a third party—even though it was not a service provider, business partner, or family affiliate—and did not inform consumers or give them the chance to opt out of such sharing.

Even though it did not have any business relationship with OkCupid, the third-party data recipient asked the company to share large datasets of OkCupid user photos and related data with it because OkCupid’s founders were financial investors in the third party. OkCupid provided the third party with access to nearly three million OkCupid user photos as well as location and other information without placing any formal or contractual restrictions on how the information could be used, the FTC alleged.

The FTC also alleged that, since September 2014, Match and OkCupid took extensive steps to conceal—including through trying to obstruct the FTC’s investigation—and deny that OkCupid shared users’ personal information with the data recipient. For example, when a news story revealed that the third party had obtained large OkCupid datasets, OkCupid claimed to the media and OkCupid users that it was not involved with the third party.

Under the proposed settlement, OkCupid and Match are permanently prohibited from misrepresenting or assisting others in misrepresenting:

• The extent to which the companies collect, maintain, use, disclose, delete or protect any personal information such as photos and demographic and geolocation data;
• The purpose for which they collect, maintain, use or disclose such personal data; and
• The function of privacy controls they provide consumers through user interfaces, any consumer choices afforded to consumers under applicable state privacy laws, or any other mechanisms the companies offer consumers to limit or manage the processing of personal data.

The Commission vote authorizing the staff to file the complaint and stipulated final order was 2-0.

The FTC filed the complaint and final order in the U.S. District Court for the Northern District of Texas, Dallas Division.