At a Glance
- On March 30, 2026, the FTC filed a complaint and proposed stipulated order against Match Group Americas, LLC and Humor Rainbow, Inc. (OkCupid's corporate parent), No. 3:26-cv-00996-K (N.D. Tex., Dallas Division). The FTC's complaint alleges that OkCupid secretly shared approximately three million user photos and associated demographic and location data with Clarifai, a facial recognition AI company — in violation of OkCupid's own privacy policy. The proposed order, if approved by the court, would impose a 20-year compliance regime with no monetary payment provision, permanently bar misrepresentations about data practices, and require 10 years of enhanced compliance reporting. The Commission voted 2-0.
- The FTC's legal theory was not AI-specific. The Commission used its existing Section 5 authority — the general prohibition on unfair and deceptive acts — applied to a privacy policy that said one thing while the company did another. No new statute was needed.
- Three months earlier, the same FTC reversed course on AI-generated fake reviews, vacating its own 2024 consent order against a company called Rytr because, under two executive orders directing federal agencies to reduce barriers to AI innovation, the agency concluded the original complaint had not adequately alleged a Section 5 violation. The Rytr press release also stated that the FTC would continue to pursue AI actors who violate the law. Taken together, the two actions suggest — but do not definitively establish — a distinction in the current FTC's enforcement priorities: AI data practices remain a target; AI output quality, standing alone, may not be.
- The practical gap: businesses that use AI-powered software whose vendors may train models on customer interaction data — call recordings, chat transcripts, uploaded documents, form submissions — should examine whether their privacy policies address those uses. Under the FTC's theory in the OkCupid complaint, silence about a material data practice, combined with privacy-policy representations that create contrary expectations, could support a deception claim. This is an enforcement signal, not a binding rule for nonparties — but it identifies an evident compliance risk.
- The prudent response: audit AI vendor contracts for training data provisions, then review whether the business's privacy notice accurately describes those uses.
A typical business privacy policy describes data collection, storage, and sharing in familiar categories — marketing purposes, legal compliance, service improvement — without addressing whether a software vendor might use customer data to train an AI model. That gap is starting to look like a legal exposure. The Federal Trade Commission signaled as much on March 30, 2026, when it filed a complaint and proposed stipulated order against Match Group Americas, LLC and Humor Rainbow, Inc. — the corporate parents of OkCupid — alleging that OkCupid shared approximately three million users' personal data with a facial recognition AI company without disclosing the transfer. The FTC did not invoke any AI-specific privacy statute; no such federal statute governed the conduct at issue. It used the same tool it has always used: Section 5's prohibition on deceptive trade practices. The result — still subject to court approval — is one that businesses using AI-powered software should examine carefully.
The Tension
Two forces are pressing against each other. On one side: AI companies need data to build and improve their models. That data often comes from the platforms where real people interact — consumer apps, business software, communication tools. The vendors who build those platforms have access to enormous amounts of behavioral data, and the temptation to use it for AI training is real and commercially rational.
On the other side: consumers and businesses share that data with specific expectations, often created by privacy policies that describe its use in bounded terms. When data shared under one set of representations is then used for a materially different purpose — training an AI model for a separate company — the gap between what was promised and what happened is exactly what the FTC's deception framework is designed to address.
The OkCupid action sits at the collision point between those two forces. And because it relies on existing law rather than new regulation, it applies broadly. Any business whose software vendor is using customer interaction data to train AI faces the same question OkCupid couldn't answer: does your privacy policy say that's happening?
Why This Is Not Getting Framed Correctly
The coverage of the OkCupid action has largely focused on the facts: a founder-to-founder data request, nearly three million photos shared with a facial recognition company, active concealment from users and reporters, a 2014 transfer that took twelve years to produce an FTC complaint. Those facts are extreme. And the coverage has generally treated the case as a story about extreme facts — an outlier about OkCupid specifically, rather than a signal about something broader.
In our analysis, that framing understates what the FTC's legal theory implies. The theory does not depend on the extreme facts. It depends on a privacy policy that made specific representations about data sharing, and a company that violated those representations. The factual extremity of OkCupid's conduct — the founder relationship with Clarifai, the active concealment, the facial recognition application — made the FTC's case straightforward. But the doctrinal proposition, if the proposed order is approved and if the FTC applies it in future actions, is not inherently limited to extreme facts.
The OkCupid action, read alongside the Rytr reversal, begins to suggest the contours of the current administration's AI enforcement priorities. In December 2025, according to the FTC's own press release and consistent reports by multiple legal publications, the FTC vacated its 2024 consent order against Rytr LLC, an AI service that helped users generate fake reviews. The agency stated that the original complaint had failed to adequately allege a Section 5 violation and that the order unduly burdened AI innovation. The FTC cited two executive orders: the January 23, 2025 executive order titled "Removing Barriers to American Leadership in Artificial Intelligence" and the December 11, 2025 executive order titled "Ensuring a National Policy Framework for Artificial Intelligence." The same press release stated that the FTC would continue to pursue AI actors who violate the law — a qualifier that limits the Rytr vacatur's signal value.
The strongest objection to reading these two actions as a coherent pattern is that they rest on different doctrinal bases: Rytr was about whether enabling fake reviews satisfies Section 5's "unfair practices" prong; OkCupid is about affirmative misrepresentation in a privacy policy. That distinction is real. These are different legal theories, not mirror images. But in our analysis, the practical result still suggests a discernible pattern: the current FTC has declined to pursue a company for what AI produces for users, and it has pursued a company for what it does with user data in an AI context. Businesses that understand this distinction may be better positioned than those reading each action in isolation — though only future enforcement actions will confirm whether the pattern holds.
What the Law Currently Says
Section 5 of the FTC Act, 15 U.S.C. § 45, prohibits unfair or deceptive acts or practices in or affecting commerce. It is not AI-specific — it predates the internet by decades. It reaches any commercial conduct involving a material representation that is likely to mislead a reasonable consumer.
The deception prong has two components. First, there must be a representation, omission, or practice that is likely to mislead consumers acting reasonably under the circumstances. Second, the misleading representation must be material — meaning it is likely to affect consumers' choices about whether to use a product or service. A privacy policy is a representation about how user data will be treated. When a company's actual data practices diverge materially from what the policy says, the deception theory follows.
There is no federal statute specifically requiring disclosure of AI training use of consumer data. No federal AI-specific privacy statute governed the conduct at issue in the OkCupid complaint. What exists is Section 5's general prohibition on deceptive practices — which has always been flexible enough to apply to whatever commercial conduct the FTC's current leadership determines is material to consumers. The Commission has now, through the OkCupid complaint and proposed order, provided a concrete example of what that means in the AI data context.
Where It Breaks Down
The OkCupid framework has an obvious limitation: it requires a misrepresentation. OkCupid's privacy policy apparently said the company would not share user data with third parties for purposes like Clarifai's — and then the company did exactly that. The FTC's deception theory required that gap between representation and practice. A company with no privacy policy at all, or a policy so vague it makes no specific representation about data sharing, might not face the same deception analysis — though it might face other risks, including under state data protection laws.
But the limitation is narrower than it first appears. Most businesses do have privacy policies. And most of those policies describe data sharing in ways that create at least an implicit expectation that customer data will not flow to unrelated third parties for AI training. The typical language — "we share data with service providers who assist us in operating our business" or "we may share data for analytics and service improvement purposes" — was written to describe hosting services, analytics platforms, and customer support tools. Whether that language covers AI training by a vendor or sub-processor is genuinely unclear.
This is where, in our analysis, the compliance risk is most evident. Not in cases where a company has actively promised not to share data, as OkCupid apparently did. The risk is in the gap between what a privacy policy's drafters intended and what an AI vendor's terms of service actually permit. Some enterprise AI tools — CRM platforms, call center software, document review tools, customer communication platforms — include provisions in their terms of service allowing the vendor to use customer interaction data to improve AI models. If a business agreed to those terms, its customers' data may be flowing into AI training pipelines. If that business's privacy policy does not describe this use in terms that would give a reasonable consumer notice, the gap between representation and practice is structurally similar to the gap the FTC alleged at OkCupid. Whether the FTC would pursue such a case remains to be seen, but the legal theory the complaint articulates is not inherently limited to the OkCupid facts.
There is also a secondary exposure that has received almost no attention: the OkCupid action involved sharing data with a third party AI company. But the FTC's deception theory doesn't depend on third-party involvement. A company that trains its own AI model on customer data — customer service conversations, purchase history, behavioral data — without disclosing that use in its privacy policy faces the same analytical question. The representation about data use either covers that purpose or it doesn't.
The FTC's legal theory doesn't depend on extreme facts. It depends on a privacy policy that made representations about data sharing, and a company that violated those representations.
The Signals Worth Watching
The most important development to watch is whether the FTC brings additional enforcement actions applying the OkCupid theory to first-party AI training — that is, to companies using their own customer data to train their own models, rather than sharing with an outside AI firm. The OkCupid facts involved a third-party transfer, which made the deception easier to identify. An action based on first-party training would require the FTC to articulate a more specific standard for when a privacy policy's existing language is insufficient to cover AI training use.
State attorneys general are an important second front. Several states have enacted data protection and AI-related requirements, though each targets different conduct. Colorado's AI Act (SB 21-169, effective 2026) addresses algorithmic discrimination in high-risk AI decision-making. California's AB 2013 (effective 2026) requires training-data transparency disclosures for certain generative AI developers. Illinois's Biometric Information Privacy Act (BIPA) imposes consent requirements for the collection and use of biometric identifiers — a theory directly implicated when AI training involves facial images, as in the OkCupid facts. These are distinct statutes with different scopes, not a single unified regime. But state AG offices have historically been more aggressive than the federal FTC in consumer data enforcement. A state AG action applying a deception or biometric-privacy theory to AI training data — particularly under BIPA or California's consumer protection statutes — could extend the OkCupid principle to different fact patterns without waiting for the federal Commission to act.
Congress remains a factor. Multiple bills addressing AI data practices have been introduced, and a federal AI privacy standard would either confirm or expand the OkCupid principle. Businesses should track legislative movement in this area not because passage is certain, but because bill text and committee hearings provide signal about what disclosure obligations Congress considers appropriate — signal that regulators and courts tend to find persuasive even before legislation passes.
Finally, watch the FTC's own public statements on data and AI. The Commission has authority to issue guidance and policy statements without formal rulemaking. A formal policy statement articulating when AI training constitutes a material data practice requiring disclosure would clarify the OkCupid principle substantially — either expanding it to cover first-party training or limiting it to third-party transfers.
What This Means for Your Business
The FTC's complaint and proposed order against OkCupid's parent companies identify a practical compliance risk that is straightforward to state, if not always easy to address: a business's privacy policy should accurately describe what is actually happening to customer data. In 2026, for a growing number of businesses, "what is actually happening" may include AI model training by vendors and sub-processors. If the privacy policy does not describe that use, there is a gap — and the gap is structurally the same gap the FTC alleged in the OkCupid complaint.
The first step is a vendor audit. Review the terms of service and data processing agreements for every AI-powered tool the business uses — CRM platforms, call recording software, document management tools, customer service chatbots, email and communication platforms, loan processing or underwriting tools. Look specifically for provisions allowing the vendor to use interaction data or uploaded content to train or improve AI models. These provisions exist and are common. They are often buried in master subscription agreements or data processing addenda, not in the main service terms.
The second step is a privacy policy review. If vendors are training AI on customer interaction data, the privacy policy should say so — clearly enough that a reasonable customer would understand that their information may be used for that purpose. The description doesn't need to be technical; it needs to be accurate. "We use AI tools that may improve their performance through analysis of customer interactions" is more protective than silence on the point.
Businesses in regulated industries — mortgage lenders and brokers, financial service providers, healthcare companies — face an additional layer. The Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, HIPAA, and analogous state statutes impose data sharing restrictions that predate AI but apply to it. A vendor using customer financial or health data to train an AI model may trigger notice and consent requirements under those statutes that are separate from and more demanding than the general FTC deception framework. Regulated businesses should review both sets of obligations.
The underlying conduct at OkCupid dates to 2014. The FTC filed its complaint in 2026 because the facts were egregious and the concealment was active. Most businesses are not OkCupid. But the legal theory the FTC's complaint articulates — that a privacy policy creating expectations about data use, combined with undisclosed AI-related data transfers, can support a Section 5 deception claim — is not inherently limited to egregious cases. The question it raises, in our analysis, is one every business using AI-powered software should be able to answer: does your privacy policy accurately describe what your AI vendors are doing with customer data?
This article is a summary prepared for general information and discussion purposes only. It does not constitute legal advice, is not a full analysis of the matters presented, and may not be relied upon as a substitute for competent legal counsel. Wright Law Firm, PLC provides no warranties, express or implied, regarding the accuracy or completeness of this information. Consult an attorney for advice specific to your situation.
This article reflects the author's analysis of emerging developments in artificial intelligence, technology, and related law. The FTC complaint allegations, proposed stipulated order terms, and Rytr vacatur details discussed here have not been verified against the full text of those filings. Factual assertions about the OkCupid data transfer are drawn from the FTC's complaint and press release as reported by secondary sources. Readers should consult qualified counsel before making decisions based on the matters discussed.