At a Glance
- The FTC alleges OkCupid shared user data with an AI company in ways that conflicted with its privacy policy.
- The case reinforces that data privacy compliance depends on accurate, up-to-date privacy policies.
- FTC enforcement continues to focus on transparency, even as AI data sharing and technologies evolve.
This year the FTC announced a proposed settlement with Match Group Americas and its affiliate, Humor Rainbow, Inc., which operates OkCupid. The agency alleged that OkCupid shared users’ personal information with a separate AI company in ways that conflicted with its privacy policy. The FTC called this deceptive conduct under Section 5 of the FTC Act.
The case is a reminder of a pillar of data privacy law when it comes to the FTC. The agency makes it clear that if a company says one thing in its data privacy policy but does another in practice, the FTC will go after it. AI is almost always the headline these days, but the FTC is still holding on to a decades-old enforcement pattern of making sure companies’ disclosures match their activities.
FTC Data Privacy Wake Up Call: When Privacy Policies Don’t Match Company Practices
It happens again and again. A company grows, new tools and vendors get added, and data starts being shared in ways that aren’t mapped out. It’s never intentional. Teams move quickly, priority is on revenue growth, and privacy policies are at the bottom of the to-do list. So, they don’t keep pace with company practices.
OkCupid’s Data Privacy Settlement Shows What Happens When Privacy Policies and Company Behavior Are Disconnected
I don’t think most users review a privacy policy and question whether it reflects what the company is actually doing. That’s our job as data privacy lawyers. And it’s the gap where regulators like the FTC dig in.
The FTC is staying true to its focus on companies being honest about their data practices. The agency has consistently made its position clear through its privacy and data security actions.
For legal teams and executives, this is a real-life, recurring enforcement theme.
Key Takeaway: your privacy policy is not just a disclosure on your website or app footer; it’s a promise to users that has to match your real-world data practices.
FTC Data Privacy Compliance and the OkCupid Settlement
Let’s zoom in on what the FTC alleged. The details in this case show how regulatory agencies evaluate a company’s data privacy compliance, especially a tech company.
At a high level, the FTC’s position is that if a company makes promises about how it handles personal data (as it is required to do), those promises need to be true at any point in time.
In the complaint, the FTC alleges that OkCupid shared user data, including photos, demographic information and location information, with an unrelated third-party AI company in direct conflict with the promises it made to users in its privacy policy.
The issue was not simply that data was shared; it was that the sharing was inconsistent with what users were promised.
Key Takeaway: if your privacy policy does not fully reflect your data-sharing practices, you are creating regulatory risk and potential litigation for the organization even if you didn’t intend to.
FTC’s Take on Data Sharing and Privacy Policy Mismatches
The FTC also points to how the data sharing happened. The third party didn’t have a formal business relationship with OkCupid. Instead, the arrangement was connected to financial interests related to the company’s founders.
OkCupid allegedly provided access to almost 3 million user photos without placing limits in a contract for how that data could be used.
This becomes a larger governance risk. When third-party access is not contractually defined or restricted, your company can’t ensure alignment with its privacy policies.
Third-Party Access, Lack of Data Governance Controls, Concealment and Misrepresentation
The complaint also alleges that the companies denied and attempted to conceal the data sharing. OkCupid even stated it was not involved with the third party.
This FTC statement boils it down perfectly in one sentence: “The FTC enforces the privacy promises that companies make… we will take action against companies that fail to follow through.”
Are Your Personal Data Sharing and Storing Disclosures True?
Under the proposed order, the companies are prohibited from misrepresenting:
- How they collect, use, or share personal data
- The purpose of that data use
- The effectiveness of privacy controls or user choices
Key Takeaway: the FTC is focused not just on what companies do with data, but whether their statements about those practices are accurate.
Section 5 of the FTC Act and Data Privacy Enforcement
The FTC’s authority in these cases stems from Section 5 of the FTC Act, which prohibits unfair or deceptive practices.
When a company makes statements about how it handles personal data, those statements must be accurate and not misleading.
In the data privacy context, even small inconsistencies can create big problems. The company can still be at fault even if it didn’t intend to be deceptive or unfair. A mismatch between privacy policy and practice can be enough.
This is where many organizations underestimate the privacy risks. Internal decisions about data handling have legal significance when the handling diverges from published privacy policies and contracts.
Key Takeaway: FTC enforcement under Section 5 is all about whether an organization’s data privacy representations reflect its actual practices.
Do Your Privacy Policies Explain How AI Tools Use Data?
Many organizations treat AI adoption as a product decision first. Data may be shared with third-party providers for training or analytics, while privacy policies continue to reflect narrower use cases.
That disconnect is where expensive risk builds fast.
AI constantly expands how organizations use and share data. At the same time, the disclosures in a company’s privacy policies don’t get updated.
The FTC has made clear that new technologies do not change the expectation of transparency.
Key Takeaway: AI data sharing must be clearly disclosed and aligned with existing privacy policy commitments.
Data Governance and Privacy Policy Alignment
Enforceable data privacy policies rely on strong data governance to remain up to date. Without visibility into data flows, even well-drafted policies start to become a focal point of legal risk.
Organizations discover gaps during legal reviews. Gaps include undocumented vendors, new analytics tools, or expanded data uses that were never reflected in privacy disclosures.
Have you conducted a recent data mapping exercise that reflects how data actually moves through your organization?
The FTC’s data privacy compliance settlement with OkCupid shows how these gaps can lead to enforcement exposure.
Key Takeaway: effective data governance requires continuous visibility into data flows and alignment with privacy policies.
FTC Enforcement Trends and Evolving Data Privacy Approach
The proposed consent order in the OkCupid case shines a light on how the FTC will continue to approach privacy enforcement.
In other words, it centers on preventing misrepresentations and strictly following reporting and recordkeeping requirements.
We may be seeing an evolving privacy enforcement approach that focuses on accuracy in disclosures rather than extremely detailed internal controls. Is the FTC going back to basics?
Key Takeaway: the FTC continues to prioritize accurate privacy policies as the foundation of data privacy compliance.
Building a Data Privacy Compliance Strategy That Holds Up
Privacy policies should be reviewed and updated at least annually. As data practices and regulations evolve, legal counsel needs to be monitoring this all year long. And data governance frameworks need to outline exactly how data is collected, used, and shared, which means that coordination between legal, product development, IT and procurement departments is non-negotiable.
Accurate Privacy Policies Mean Evaluating AI Tools and Third-Party Relationships Early
No doubt that AI data sharing is growing. And AI regulations are changing what seems like every quarter. Companies need to focus on the principles of transparency, strengthening data governance, and ensuring that policy and practice are consistent with each other. The FTC’s data privacy compliance settlement with OkCupid shows how misalignment between disclosures and operational practices can create litigation risk.
Key Takeaway: data privacy compliance depends on alignment between privacy policies, data governance, and operational decision-making.
If you want to discuss your data privacy practices, AI governance or global terms of use, send us a note. Gouchev Law’s Data Privacy and Information Security Group advises companies on global privacy policies, terms of use, AI governance, and marketing and advertising compliance.
About the Author
Jana Gouchev is recognized as one of the leading corporate lawyers in the country. She is regularly featured in publications such as Law360, Forbes, Bloomberg Law, and national law journals. Jana is a frequent speaker and commentator on business law, and was recently ranked by Chambers 2026 New York.