Match’s OkCupid hit with 20-year privacy crackdown after sharing users’ private photos with AI firm

Match and OkCupid are facing a proposed 20-year privacy crackdown after the FTC said the dating apps deceived users by sharing nearly three million private photos and other sensitive information with AI firm Clarifai.
- The FTC is seeking a 20-year court order against OkCupid to legally restrict how the dating app describes what happens to users’ photos, messages, and location data.
- The case could force the dating app to spell out more clearly what happens to users’ photos, messages, and location data.
- Regulators are pushing for tougher, enforceable rules around how dating apps handle sensitive personal data.

The FTC announced the settlement agreement with OkCupid (operating under Humor Rainbow, Inc.) and its parent company, Match Group Americas, on Monday.
The proposed action follows allegations dating back to September 2014 that accuse OkCupid of sharing sensitive personal information with the unrelated third-party facial recognition firm Clarifai, despite its privacy policy stating the opposite.
The FTC also says that Match and OkCupid took “extensive steps” to not only “conceal from” and “obstruct” the FTC’s investigation, but also deny that OkCupid shared the users’ personal information with Clarifai to begin with. This included claiming to the media, after the story broke, that it had no involvement with the AI firm.
Founded in 2013, Clarifai specializes in the enterprise AI development lifecycle, including machine learning, dataset preparation, model training, and deployment.
How OkCupid user data ended up with Clarifai
The FTC says OkCupid provided Clarifai access to user photos and other personal data despite telling users their information would only be shared in limited circumstances.
According to the complaint, OkCupid’s privacy policy said it would not share users’ personal information except with service providers, business partners, other companies in its family of businesses, in response to legal obligations, or after informing users and giving them a chance to opt out.
Instead, the FTC alleges OkCupid gave the Washington DC-based AI solutions firm unfettered access to the personal data of millions of users, including nearly three million photos as well as demographic and location data – without giving users an opt-out opportunity.
Another main sticking point of the case was that Clarifai had no documented business relationship with OkCupid, nor did it pay for the data or provide any services in return.
Turns out, the original OkCupid founders were investors in Clarifai, which the FTC says was the reason behind the insider data offering.
According to court documents, Clarifai’s CEO emailed an OkCupid founder in September 2014 asking for access to large datasets of OkCupid photos.
What the FTC’s order would change
The complaint alleges that OkCupid never executed a formal agreement with Clarifai and never put any restrictions on how that data could be used.
The settlement permanently bars OkCupid and Match from misrepresenting how they collect, use, disclose, delete, or protect what the order calls “covered information.”
Additionally, OkCupid will now have to specify how the app’s sensitive data categories will be handled, including for:
- Photos
- Videos
- Audio recordings
- Precise location or street-level geolocation
- Messages and communications
- Health information
- Sexual orientation and other intimate data
- Contacts
- Persistent identifiers
Covered information would include geolocation data specific enough to identify a street name and town or city, as well as financial account or card information and persistent identifiers such as cookies, static IP addresses, and mobile device IDs.
The order will also bar the companies from misleading users about why they collect or share their personal data, as well as how privacy controls work inside the app – including tools or settings that allow users to limit or manage how their information is processed.
If approved by the court, the order would remain in effect for 20 years, possibly setting a new precedent for how other dating apps must describe how they process user data.
The new rules would additionally require the two companies, for the next ten years, to keep records, submit compliance reports to the FTC, and respond to FTC monitoring requests, including requests for reports, documents, and interviews.
Match and OkCupid have not admitted to any wrongdoing. The other roughly 45 dating apps in the Match portfolio, including Tinder and Hinge, would not be subject to the new FTC compliance regulations.
In January, the Match Group was targeted by the ShinyHunters ransomware group, which claimed to have siphoned over 10 million records from the parent company, including user IDs, transaction details, IP addresses, dating profiles, and internal corporate documents.