FTC v. OkCupid & Match Group: A Reminder That Your Privacy Policy Must Reflect Reality

On March 30, 2026, the Federal Trade Commission (FTC) announced a settlement with OkCupid and its affiliate Match Group Americas over allegations that OkCupid deceived millions of users by sharing their personal data—including photographs, geolocation information, and other sensitive details—with an unauthorized third party in direct violation of the company’s own published privacy policy.

The FTC alleged that although OkCupid’s privacy policy expressly promised users that their personal information would only be shared with service providers, business partners, or affiliates of the company, OkCupid quietly granted a financially connected but contractually unrelated third party access to nearly three million user photos and associated data. Critically, no formal or contractual restrictions governed how that third party could use the information, and users were never informed or given the opportunity to opt out.

Why Dealers Should Care

The OkCupid enforcement action is part of a sustained FTC effort to hold companies accountable when their data practices diverge from their privacy representations. This action is another reminder that your privacy policy is a legal commitment, not aspirational marketing copy. Any gap between what you promise consumers and what you actually do with their data can create regulatory exposure.

Practical Action Steps: Your Privacy Policy Must Be Accurate…And More

To mitigate risk and ensure your privacy infrastructure is legally defensible, your organization should evaluate three core compliance touchpoints:

1.  Your Privacy Policy Must Accurately Reflect Current Practices

Conduct a data mapping exercise at least annually to verify that every category of data sharing described in your privacy policy matches your actual vendor relationships, data flows, and contractual arrangements. Any third party receiving personal data must be appropriately categorized (both as a practical matter and, in some cases, as required under state law) and governed by a written agreement. Make sure your team understands the implications of any change to your data practices, and update your policy before, not after, such a change takes effect.

2.  Your Cookie Banner Must Be Tied Directly to Your Privacy Policy

A cookie consent banner that does not accurately reflect the categories of data collected, the purposes of processing, or the third parties to whom data is transmitted can independently trigger regulatory liability. Your banner should link directly to your current privacy policy, present consent choices that are genuinely operationalized in your technology stack, and be reviewed whenever your privacy policy is updated. Consent strings must be honored in practice—a banner that offers an opt-out that is never implemented is arguably worse than offering none. This is true in all 50 states, regardless of the presence of a state privacy law.
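To make "honored in practice" concrete, here is an added example (not code from the original post or from ComplyAuto) showing one way to tie third-party tags to a vendor registry, load them only when the banner's consent state allows, and audit whether anything loaded without consent. The vendor hosts, contract IDs and the `consent=` cookie format are constructed for illustration.

```javascript
// Added example: consent-gated loading and auditing of third-party tags.
// Vendor hosts, contract IDs and the cookie format are constructed, not real.

// Every third party that receives data, tied to the consent category the banner
// and privacy policy describe. A host missing here is a policy gap, not a tag to load.
const VENDOR_REGISTRY = {
  "analytics.example-vendor.com": { category: "analytics",   contract: "DPA-2026-01" },
  "pixel.example-adnet.com":      { category: "advertising", contract: "DPA-2026-02" },
  "chat.example-support.com":     { category: "functional",  contract: "MSA-2025-11" },
};

// Parse the banner's cookie, e.g. "consent=analytics:1,advertising:0,functional:1".
// A category that is absent is treated as not consented: silence is an opt-out.
function readConsent(cookieHeader) {
  const consent = {};
  const match = /(?:^|;\s*)consent=([^;]*)/.exec(cookieHeader || "");
  if (!match) return consent;
  for (const pair of match[1].split(",")) {
    const [category, flag] = pair.split(":");
    if (category) consent[category.trim()] = flag === "1";
  }
  return consent;
}

// Registered vendors whose category the user has affirmatively consented to.
function allowedVendors(consent, registry = VENDOR_REGISTRY) {
  return Object.keys(registry).filter((host) => consent[registry[host].category] === true);
}

// Audit: given the hosts that actually loaded (in a browser, taken from
// performance.getEntriesByType("resource")), report each one that loaded without
// consent or is not in the registry. Any finding is the "opt-out never implemented".
function auditLoadedHosts(loadedHosts, consent, registry = VENDOR_REGISTRY) {
  const findings = [];
  for (const host of loadedHosts) {
    const entry = registry[host];
    if (!entry) findings.push({ host, problem: "not in vendor registry" });
    else if (consent[entry.category] !== true)
      findings.push({ host, problem: `loaded without '${entry.category}' consent` });
  }
  return findings;
}

// Page loader: injects a script tag only for allowed vendors; no-ops without a DOM.
function loadConsentedVendors(cookieHeader, doc = globalThis.document) {
  const allowed = allowedVendors(readConsent(cookieHeader));
  for (const host of doc ? allowed : []) {
    const s = doc.createElement("script");
    s.src = `https://${host}/tag.js`; s.async = true; doc.head.appendChild(s);
  }
  return allowed;
}
```

In a browser, `auditLoadedHosts` can run after page load against the resource-timing hosts to verify that the live site matches what the banner promised.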

3.  In States with Privacy Laws, Your DSAR Portal Must Be Functional and Accurate

Under state privacy laws (now at 20 states and counting), consumers have legally enforceable rights to their data, including the right to access, correct, delete, and opt out of the sale or sharing of their personal data. Your Data Subject Access Request (DSAR) portal must be: (a) prominently linked from your privacy policy; (b) capable of authenticating and routing requests as state law requires, and of responding within statutory deadlines; and (c) operationally connected to your data inventory so that responses are accurate and complete. A DSAR portal that is broken, misdirected, or cosmetic in nature—much like OkCupid’s misleading privacy representations—invites enforcement.

The good news is that ComplyAuto can help. We have helped thousands of dealers across the country update their privacy policies, ensuring compliance under federal and state law. Contact ComplyAuto today to learn more.
