In September 2014, the CEO of an AI startup called Clarifai sent an email to one of OkCupid’s co-founders asking for “access to large datasets of OkCupid photos.” The request was granted. Nearly three million user photos — along with location data and demographic details — were handed over to a facial recognition company. No contracts governed how the data could be used. Users were never told. And the whole arrangement stayed hidden for over a decade.
On March 31, 2026, the Federal Trade Commission announced a settlement with Match Group Americas and its subsidiary Humor Rainbow (which operates OkCupid) for deceptive data practices in violation of Section 5 of the FTC Act.
What OkCupid Actually Did
According to the FTC’s complaint, OkCupid’s privacy policy explicitly promised users that their personal information would only be shared with service providers, business partners, or company affiliates. Clarifai was none of these.
What connected Clarifai to OkCupid wasn’t a business contract — it was personal investment. OkCupid’s founders held financial stakes in Clarifai. The data transfer was reportedly initiated through a founder’s personal email. The AI firm received nearly three million user photos, plus demographic and geolocation data, without paying for it, without a data processing agreement, and without providing any services to OkCupid in return.
Clarifai is a computer vision company that builds facial recognition and image classification systems. Those systems need massive datasets of human faces to train on. OkCupid’s user base — people who uploaded photos expecting them to be seen only by potential dates — provided exactly that.
The FTC found that OkCupid and Match Group took “extensive steps to conceal these practices and impede the investigation.” The agency had to enforce a Civil Investigative Demand in federal court just to obtain evidence. The concealment lasted roughly twelve years, from 2014 until the FTC filed its petition in May 2022.
The Settlement: No Fine
The settlement imposes no monetary penalty. Zero.
Match Group and OkCupid are now permanently barred from misrepresenting how they collect, use, disclose, delete, or protect personal information. OkCupid must file compliance reports with the FTC for ten years. The order must be distributed to relevant employees, with signed acknowledgments, for a decade. And FTC agents can demand reports, conduct depositions, and inspect documents for twenty years.
But no compensation fund exists for affected users. No claim process. No financial consequence for twelve years of undisclosed data sharing with a facial recognition firm.
Lorrie Cranor, director of Carnegie Mellon’s CyLab Security and Privacy Institute, called the situation “very troubling” — noting that while the FTC has authority to impose fines, “there’s only so much that the FTC has the authority to do.”
This is the second FTC enforcement action against Match Group in seven months. In August 2025, the company settled a separate case over deceptive subscription and advertising practices, paying $14 million.
What OkCupid Says
An OkCupid spokesperson stated: “While we do not admit any wrongdoing, we have settled this matter with the FTC with no monetary penalty to resolve an issue from 2014.” The company added that the settlement “does not reflect how OkCupid operates today” and cited strengthened privacy protections since the incident.
The framing is telling. “An issue from 2014” minimises a twelve-year concealment that the FTC had to go to federal court to uncover.
Why This Matters
Dating apps collect some of the most intimate data on the internet: photos of your face, your location, your age, your sexual orientation, your preferences. When you upload a photo to a dating profile, you’re trusting that platform with biometric data — data that, once fed into a facial recognition system, cannot be taken back.
This case shows what happens when that trust is treated as a resource to be exploited. OkCupid’s founders didn’t share user data because of a security breach or a technical failure. They did it as a favour to a company they had invested in. The privacy policy was a fiction.
And the penalty — or rather, the absence of one — sends a clear message about the cost of getting caught. A decade of deception, three million people’s faces sent to an AI company for facial recognition training, and the consequence is a promise not to do it again.
For anyone using free platforms that monetise personal data, this is worth sitting with. The business model creates the incentive. A dating app that depends on advertising and data-driven revenue doesn’t treat your photos as something sacred — it treats them as inventory.
Privacy-respecting alternatives to Big Tech platforms exist. Open-source tools let you verify what’s happening with your data. Services hosted in jurisdictions like Switzerland operate under data protection frameworks — like the nDSG and GDPR — that treat this kind of undisclosed data sharing as a violation with real financial consequences, not just a compliance checklist.
Your face is biometric data. Once it’s been used to train a facial recognition model, you can’t un-train it. Choosing where you store that data — and who you trust with it — is one of the most consequential privacy decisions you can make.