FTC swipes right on consumer protection, alleging dating app overshared with third parties

Allegations

According to the FTC’s complaint, OkCupid and Match violated Section 5 of the FTC Act in 2014 by sharing user data, including profile photos, demographic details, and location information, with a third-party company without adequate notice or user consent. The FTC claimed that OkCupid shared the data because its founders were financially invested in the third-party company, but that OkCupid had no existing business relationship with it. This conduct allegedly was not covered by OkCupid’s privacy policy, which indicated data sharing was limited to affiliates, business partners, service providers, and in response to legal obligations. The agency further alleged that users were not given an opportunity to opt out of the sharing, despite the privacy policy indicating that such an opportunity would be given.

Required remediation

OkCupid and Match Group are required to submit a compliance report to the FTC annually for 10 years, including a list of covered services and steps they have taken to comply with the order. In addition, OkCupid and Match are required to maintain records related to their services, including consumer complaints and refund requests, revenues, and all records necessary to demonstrate full compliance with each provision of the order.

Lastly, for 20 years, both OkCupid and Match are:

• Required to submit notices to the FTC prior to corporate restructuring activities.
• Prohibited from misrepresenting the extent to which they collect, maintain, use, disclose, or delete, or protect any consumer’s information; the purpose(s) for which they collect, maintain, use, or disclose any consumer’s information; and the function of privacy control(s) presented to consumers through their user interfaces.
• Required to respond to any further requests from the FTC for compliance reports or information within 14 days of receipt.

For the duration of the order, the FTC is authorized to obtain discovery without further leave of the court.

Takeaways

This enforcement provides several important reminders:

• Privacy enforcement is alive at the FTC. Despite a slow start, the FTC will continue privacy enforcement under the current administration.
• Details matter. The FTC looked carefully at the exact words used in OkCupid’s privacy policy and determined that the third-party data recipient didn’t qualify as a “business partner” or “service provider” to OkCupid, even though these are common descriptors used in privacy policies.
• FTC expects data-sharing contracts. The complaint mentioned that OkCupid never executed a formal agreement or set forth instructions governing the data recipient’s access to, or use of, the shared data. Similar to state privacy regulators, the FTC cares about contracting and formal data governance.
• Investigations have long lifespans. The alleged conduct at issue occurred more than a decade ago. The FTC is not afraid to aggressively pursue enforcement even against conduct that occurred in the distant past.

Companies should:

• Review their privacy policies to ensure they accurately represent their data-sharing practices.
• Review governance controls to ensure they properly function, including third-party contracting.
• Ensure consumers are allowed to exercise any rights promised in privacy policies, including the opportunity to opt out of data sharing if they are told they will have that opportunity.

If you have questions or would like to discuss any issues related to this enforcement action, contact your regular McDermott Will & Schulte lawyer or one of the authors.