The Federal Trade Commission on March 30, 2026, filed a complaint and proposed settlement against OkCupid and its corporate affiliate Match Group Americas, alleging that the dating platform secretly transferred nearly three million user photos - along with location and demographic data - to a facial recognition technology company, in direct contradiction of OkCupid's own privacy policy. The case was filed in the U.S. District Court for the Northern District of Texas, Dallas Division. OkCupid operates globally, and the complaint does not restrict the affected user population to any specific country - meaning the nearly three million users whose photos were transferred may have included people from outside the United States.

The data transfer and the company behind it

According to the FTC complaint, the chain of events began in September 2014. The CEO of Clarifai, Inc. - a company developing facial recognition technology - sent an email to one of OkCupid's founders requesting access to large datasets of OkCupid photos. The request was unusual: Clarifai had no formal business relationship with OkCupid, and no service contract existed between the two companies. What connected them was money. According to the complaint, each of OkCupid's founders, including the company's president and the CEO of Match Group, LLC, were personal financial investors in Clarifai.

In response to that request, OkCupid's parent company Humor Rainbow, Inc. - the Dallas-based corporation that owns and operates the OkCupid service - gave Clarifai access to approximately three million OkCupid user photos. The transfer also included each user's demographic data and location information. OkCupid's president and chief technology officer were directly involved in facilitating the transfer, according to the complaint.

What Humor Rainbow did not do is notable: it did not execute a formal agreement with Clarifai. It placed no contractual restrictions on how the data could be used. Clarifai paid nothing for the data and provided no services to OkCupid in return. Users were given no notification and no option to opt out.

What OkCupid's privacy policy actually said

The legal problem, according to the FTC, is that OkCupid's own privacy policy at the time expressly stated that it does not share "your personal information with others except as indicated in this Privacy Policy or when we inform you and give you an opportunity to opt out of having your personal information shared." The policy identified four permissible categories for sharing: service providers, business partners, other businesses within OkCupid's family of companies, and situations governed by legal obligations such as court orders or subpoenas.

Clarifai satisfied none of those categories. It was not a service provider, not a business partner, not a Match-affiliated entity, and the sharing was not legally compelled. According to the complaint, Humor Rainbow violated its own stated policy by facilitating the transfer and then compounded that violation by failing to notify users or give them any mechanism to decline.

The data transferred qualifies as what the settlement order defines as "Covered Information" - a term encompassing names, physical and email addresses, phone numbers, financial account information, credit or debit card data, geolocation data sufficient to identify a street name and city, photos and videos, and persistent identifiers such as device IDs or IP addresses.

Twelve years of alleged concealment

The FTC's account of what followed the 2014 data transfer is, in some respects, as significant as the transfer itself. According to the complaint, Match and Humor Rainbow engaged in "extensive efforts to conceal and deny" that OkCupid had provided Clarifai with access to user data. These efforts lasted from September 2014 until the complaint was filed.

A specific episode illustrates the pattern. When the New York Times prepared a story about Clarifai's use of OkCupid data - noting that the dating platform's founders had invested in the facial recognition company - executives across Match and Humor Rainbow crafted a statement for the newspaper that, according to the complaint, "obscured OkCupid's relationship with the Data Recipient and what had transpired." Humor Rainbow's statement to the press disavowed any involvement. When OkCupid users subsequently raised questions about the connection, the company told them that "any implication that OkCupid released users' information to [the Data Recipient] is false."

The FTC's action also follows a legal confrontation over the investigation itself. According to the agency's announcement, the Commission successfully enforced its Civil Investigative Demand - a formal legal tool requiring a company to produce documents and information - against OkCupid in federal court. That enforcement effort preceded the filing of the complaint and proposed settlement.

The corporate structure

Understanding who the defendants are requires mapping a corporate structure involving several entities. Humor Rainbow, Inc. is a New York corporation headquartered at 8750 N. Central Expressway, Suite 1400, Dallas, Texas. It owns and operates OkCupid. OkCupid was founded in 2001 by four friends and operated independently until Match acquired it in 2011. After the acquisition, one co-founder remained as Humor Rainbow's president, while another became CEO of Match Group, LLC.

Match Group, Inc. - referred to in the complaint as MGI - is Humor Rainbow's ultimate parent company. According to the complaint, MGI currently owns and operates approximately forty-five different dating platforms, including Match.com, Tinder, and Hinge. OkCupid is one of those platforms. Match Group Americas, LLC - a Delaware limited liability company with the same Dallas address as Humor Rainbow - is the second defendant. It took over the shared services function previously held by Match Group, LLC (which was renamed Tinder LLC in May 2024), including legal support, communications, finance, investor relations, and information technology for Humor Rainbow.

Critically, Humor Rainbow employs no legal personnel of its own. Legal support is entirely provided through the Match corporate network. Officers, directors, and in-house counsel of Match Group Americas have simultaneously held positions at Humor Rainbow, according to the complaint.

What the settlement requires

The proposed settlement takes the form of a Stipulated Order for Permanent Injunction and Other Relief, filed as Case 3:26-cv-00996-K on March 30, 2026. Defendants neither admit nor deny the allegations, except as necessary to establish the court's jurisdiction. Both companies waive their rights to appeal the order.

The core prohibition is broad. Under Section I, OkCupid and Match are permanently barred from misrepresenting - expressly or by implication - three categories of information: the extent to which they collect, maintain, use, disclose, delete, or protect any covered personal information; the purposes for which they collect, maintain, use, or disclose such information; and the function of any privacy controls presented to users, including any consumer choices available under applicable state privacy laws or other mechanisms the companies offer to limit data processing.

Compliance obligations are extensive. Within ten days of the order's entry, each defendant must submit an acknowledgment of receipt, sworn under penalty of perjury. For ten years following entry, defendants must deliver copies of the order to all principals, officers, directors, LLC managers and members, and to all employees with managerial responsibilities relating to consumer-facing privacy representations. Recipients must return signed acknowledgments within thirty days.

A compliance report, sworn under penalty of perjury, must be submitted one year after the order's entry. For ten years thereafter, defendants must report any material changes within fourteen days - including structural changes such as mergers, sales, creation of subsidiaries, or dissolution of any entity subject to the order. Defendants must also notify the Commission within fourteen days of any bankruptcy filing.

Recordkeeping and monitoring

The order mandates creation of records for ten years and retention of those records for five years. Specifically, defendants must maintain accounting records showing revenues from the OkCupid service, records of all consumer complaints and refund requests related to privacy practices, and all documentation necessary to demonstrate compliance with each provision of the order.

The FTC retains extensive monitoring authority. Within fourteen days of a written request, defendants must submit additional compliance reports, appear for depositions, and produce documents. The Commission is authorized to conduct discovery using Federal Rules of Civil Procedure 29, 30 (including remote depositions), 31, 33, 34, 36, 45, and 69, without requiring further court approval. The Commission may also communicate directly with defendants and interview employees. Undercover methods are expressly permitted - the Commission may pose as consumers, suppliers, or other individuals without identifying itself or providing advance notice.

The order itself will remain in effect for twenty years from the date of entry, at which point it expires automatically.

The Commission voted 2-0 to authorize staff to file the complaint and proposed settlement. The complaint invokes Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices in or affecting commerce. The FTC seeks relief under Section 13(b) of the FTC Act, 15 U.S.C. § 53(b). Lead staff attorneys on the matter are Sarah Choi and Alejandro Rosenberg, both of the FTC's Bureau of Consumer Protection. Local counsel is Anne LeJeune of the FTC's Dallas office.

According to Christopher Mufarrige, Director of the FTC's Bureau of Consumer Protection, "The FTC enforces the privacy promises that companies make. We will investigate, and where appropriate, take action against companies that promise to safeguard your data but fail to follow through - even if that means we have to enforce our Civil Investigative Demands in court."

The stipulated order was signed by defendants' legal representatives - counsel Laura Riposo VanDruff of Kelley Drye & Warren LLP on February 23, 2026, and Sean Edgett, Chief Legal Officer and Secretary of both Match Group Americas and Humor Rainbow, also on February 23, 2026. The FTC's attorneys signed on March 27, 2026. The order was formally filed with the court on March 30, 2026, and awaits signature from a United States District Judge to carry the force of law.

Why this matters for platforms and the marketing community

The OkCupid case cuts to the center of a tension that has shaped digital advertising and data-driven marketing for years: the gap between what companies' privacy policies say and what companies actually do with user data. Dating platforms sit at a particularly sensitive intersection. Users of OkCupid and its competitors routinely share photos, location data, sexual orientation, and relationship preferences - information they disclose on the assumption that it stays within a defined perimeter.

The allegation that nearly three million user photos were transferred to a facial recognition company without any contractual restrictions on further use illustrates a specific risk category: investor-driven data flows. The data did not move because of a business deal, a vendor relationship, or a legal obligation. It moved because the company's founders had financial stakes in the recipient. That category of data transfer is not one that typical privacy policies address explicitly - and the FTC's action suggests the agency views that omission, when combined with affirmative privacy promises, as a deceptive practice.

As PPC Land has documented, the FTC has made clear that it evaluates companies' privacy representations against their actual data handling practices, and that discrepancies lead to enforcement action. The agency's consistent position, articulated repeatedly across cases involving hashed identifiers, data clean rooms, and now transferred photo datasets, is that the legal obligation runs to the substance of the privacy promise, not to the technical form of the data transfer.

Dating app users have themselves signaled growing distrust, with research published in February 2026 showing that willingness to share names on dating platforms fell by 3.6 percentage points between 2024 and 2025, the largest single-category decline recorded. Research in that data showed 75% of major dating apps maintain poor cybersecurity practices. The OkCupid complaint adds legal weight to what was previously a consumer sentiment finding.

The enforcement action also arrives against a backdrop of intensifying FTC activity across the broader data ecosystem. The agency has warned that data clean rooms do not automatically protect companies from liability when data is transferred without genuine constraints. The OkCupid case, involving a transfer where Humor Rainbow "never executed a formal agreement or set forth restrictions governing the Data Recipient's access to, or use of, the OkCupid user data," according to the complaint, is an extreme version of that problem - no clean room, no restrictions, no payment, no services rendered.

For marketers and advertising technology professionals, the case reinforces that platform-level privacy policies are not abstract documents. They create enforceable expectations. Where a company's actual data sharing practices diverge from those documents - and where the company then denies and conceals that divergence - the FTC has demonstrated it will pursue enforcement regardless of how long ago the underlying conduct occurred. The conduct here began in 2014. The complaint was filed twelve years later.

Timeline

Summary

Who: The Federal Trade Commission filed action against Match Group Americas, LLC and Humor Rainbow, Inc. (operating OkCupid). The data recipient - not named as a defendant - is Clarifai, Inc., a facial recognition technology company whose CEO requested the user data in September 2014.

What: The FTC alleged that OkCupid secretly transferred nearly three million user photos, along with demographic and location data, to Clarifai without any contractual restrictions, without user notification, and without any opt-out mechanism - in direct violation of OkCupid's then-current privacy policy. The FTC further alleged that Match and Humor Rainbow subsequently spent approximately twelve years concealing and denying the transfer. The proposed settlement permanently prohibits both companies from misrepresenting their privacy practices and imposes compliance, recordkeeping, and monitoring obligations lasting between ten and twenty years.

When: The data transfer took place in September 2014. Concealment efforts allegedly continued from that date until the present. Defendants signed the stipulated order on February 23, 2026. The FTC filed the complaint and proposed settlement on March 30, 2026, and the case was announced publicly on the same date.

Where: The data transfer involved OkCupid user data held in Dallas, Texas, where both Match Group Americas and Humor Rainbow are headquartered at 8750 N. Central Expressway, Suite 1400. The complaint was filed in the U.S. District Court for the Northern District of Texas, Dallas Division, as Case 3:26-cv-00996-K. The FTC is headquartered in Washington, D.C.

Why: According to the FTC, OkCupid's founders were personally invested in Clarifai, which prompted the data request and Humor Rainbow's willingness to comply - despite having no legitimate business basis for the transfer under its own privacy policy. The FTC's broader rationale for enforcement is that companies that make privacy promises to consumers must honor them, and that the agency will take action even when it must first compel document production through court-enforced investigative demands. The case illustrates the regulatory risk created when investor relationships drive data-sharing decisions outside the scope of published privacy policies.

Share this article
The link has been copied!