
FTC investigation/action around “privacy promises vs reality”

  • Writer: Katarzyna Celińska
  • 2 hours ago

One of the most common patterns in privacy and cybersecurity enforcement is simple: what companies declare in their Privacy Policy is one thing; what they actually do in business operations is another.

 

The FTC's recent action involving OkCupid and Match Group Americas is a good example of this “gap between promise and practice.” The FTC alleges OkCupid shared users’ personal information, including photos and location data, with an unrelated third party, contrary to OkCupid’s privacy promises.

 

 




According to the FTC:

OkCupid told consumers it would not share personal information except as described in its Privacy Policy or where users were informed and given an opportunity to opt out. Despite those promises, the FTC alleges OkCupid gave a third party access to personal data of millions of users, including access to nearly three million user photos, as well as location and other information.

The FTC also alleges the third party requested the data because OkCupid founders were financial investors in that third party, and that OkCupid did not put formal contractual restrictions on how the data could be used. Additionally, the FTC alleges that steps were taken to conceal and deny the data sharing, including attempts to obstruct the FTC investigation.

 

The proposed settlement prohibits OkCupid and Match from misrepresenting (or helping others misrepresent):

➡️ how they collect/use/disclose/delete/protect personal data (including photos, demographics, geolocation),

➡️ the purpose for collection/use/disclosure,

➡️ and the function of privacy controls and consumer choice mechanisms under privacy laws.

 

That last point is important: regulators are increasingly looking at whether controls in user interfaces work as advertised, not just whether the policy “mentions opt-out.”

 

For me, this case shows again that public declarations by companies are one thing, while real business practices are another.

 

I don’t know whether in this case the behavior was intentionally deceptive or the result of misunderstanding / poor governance (I have doubts). But after many years in this industry, I have seen many “creative” practices.

 

Compliance is not what you say. Compliance is what you can prove.


 
 
 
