It’s Not You, It’s Your Privacy Policy: FTC Takes Aim at OkCupid and Match

Many companies treat privacy policies as an afterthought, copying language from free templates. That approach can create real risk.

On March 30, 2026, the Federal Trade Commission (FTC) announced action against OkCupid and Match Group Americas, underscoring a simple point: regulators do not care how polished your policy sounds. They care whether it accurately reflects what your company actually does with data.

In this case, OkCupid represented that it only shared personal information in limited scenarios, such as with service providers, business partners, or affiliated companies, or after notifying users and offering an opt-out. The FTC alleges that, despite those statements, the company shared sensitive user data with an unrelated third party.

That data included millions of user photos, along with location and demographic information. The third party was not a vendor, partner, or affiliate, and users were not informed or given any opportunity to opt out. The FTC also alleged the companies denied or obscured the sharing when it became public.

The FTC brought its claims under Section 5(a) of the FTC Act, which prohibits unfair or deceptive acts or practices. Here, the alleged gap between what the policy said and what the company did was enough to support a deception claim.

The resulting order reflects that focus. It broadly prohibits misrepresentations about what data is collected, how it is used or shared, and how user controls function. Notably, the settlement does not impose monetary penalties. Instead, it relies on injunctive relief and long-term compliance obligations.

Where Companies Get This Wrong and What to Do About It

Most privacy risk comes from drift between policy language and actual practices. The same areas that create risk also point to what companies should fix:

  • Unstructured data sharing: Data shared for testing, analytics, or investment purposes outside defined categories
    → Map your data sharing so every recipient and purpose is clearly identified

  • Outdated policy language: Policies that no longer reflect current practices
    → Update policies as your business evolves, especially after new tools, partnerships, or initiatives

  • Informal arrangements: Data shared without contracts or usage restrictions
    → Address edge cases, since one-off sharing creates the same exposure as core features

  • Overstated user controls: Promised notice or opt-out rights not consistently implemented
    → Verify user controls to ensure they function as described

  • Policies drafted in isolation: Legal language disconnected from operations
    → Treat your privacy policy as operational, grounded in real data flows

The FTC is not requiring perfection. It is requiring alignment. If your policy says one thing and your practices reflect another, that gap alone can create enforcement risk.
