FTC Takes Aim at Match & OkCupid Over Alleged Data Sharing That Contradicted Privacy Promises
Key Takeaways
- Misalignment Between Policy and Practice: The FTC alleges OkCupid shared user data with a third party despite privacy policy commitments limiting such disclosures.
- Scale of Data Exposure: Nearly three million user photos, along with location and related personal data, were reportedly shared without user knowledge or opt-out.
- Governance and Conflict Concerns: The third party’s connection to OkCupid’s founders raises questions around oversight and decision-making in data sharing arrangements.
- Alleged Concealment and Obstruction: Regulators claim the companies denied the data sharing publicly and attempted to obstruct the FTC’s investigation, prompting court enforcement of information requests.
Deep Dive
The Federal Trade Commission has brought an enforcement action against OkCupid and its affiliate Match Group Americas, accusing the companies of quietly sharing users’ personal data with a third party despite telling users otherwise.
This case is about a familiar but increasingly consequential issue for privacy and compliance teams: whether companies are actually doing what their privacy policies say they are. According to the FTC’s complaint, OkCupid assured users that their personal information would only be shared in limited circumstances, such as with service providers, business partners, or affiliated entities, and only with appropriate notice or an opportunity to opt out.
But regulators allege that, in practice, that line was crossed.
The agency claims OkCupid provided a third party with access to large datasets that included nearly three million user photos, along with location and other personal information. The third party, the FTC says, did not fall into any of the categories outlined in the company’s privacy policy. Users were not informed, and no opt-out option was offered.
The complaint adds another layer that will resonate with governance professionals. The third party reportedly sought the data because OkCupid’s founders were financial investors in the entity, raising questions about oversight, conflicts of interest, and how decisions around data sharing were made.
Compounding the issue, the FTC alleges that the data was shared without any formal contractual restrictions on how it could be used once accessed.
Scrutiny Extends Beyond the Data Transfer
The enforcement action does not stop at the sharing itself. The FTC also alleges that OkCupid and Match took steps over a period beginning in September 2014 to conceal or deny the arrangement.
When reports surfaced publicly that the third party had obtained large amounts of OkCupid data, the company allegedly told both users and the media that it was not involved. The FTC further claims the companies attempted to obstruct the agency’s investigation, prompting the Commission to enforce its Civil Investigative Demand in federal court to obtain the necessary information.
Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, framed the case in direct terms:
“The FTC enforces the privacy promises that companies make. We will investigate, and where appropriate, take action against companies that promise to safeguard your data but fail to follow through—even if that means we have to enforce our Civil Investigative Demands in court.”
Settlement Draws a Clear Line on Representations
The proposed settlement focuses squarely on how companies describe their data practices.
Under the order, OkCupid and Match are prohibited from misrepresenting how they collect, use, disclose, or protect personal information, including sensitive data such as photos and geolocation. They are also barred from mischaracterizing the purposes for which data is used or shared, as well as the effectiveness of any privacy controls offered to users.
Importantly, the order extends to how companies present user choices, whether through app interfaces, privacy settings, or mechanisms tied to state privacy rights.
While the agreement does not impose an immediate financial penalty, it carries teeth. Any future violations could expose the companies to monetary sanctions.
A Familiar Lesson, With Sharper Edges
The case lands on well-trodden ground, but with sharper enforcement signals. Privacy policies are no longer treated as static disclosures. They are operational commitments that regulators expect to be reflected in actual data practices, governance structures, and third-party relationships.
Where those elements drift out of alignment, especially when sensitive data is involved, the consequences are increasingly clear.

