TL;DR: In September 2014, OkCupid handed nearly 3 million user photos, plus location data and demographic details, to Clarifai, a facial recognition startup. OkCupid’s founders were personally invested in Clarifai through their VC fund. The company’s CTO transferred the data using a personal email account. No formal agreement. No user notification. No restrictions on use. Clarifai used the photos to train AI models that identify age, sex, and race from faces. It took the FTC 12 years to settle the case. The penalty: zero dollars.
How 3 Million Faces Left a Dating App
In September 2014, Matt Zeiler, CEO of a young AI company called Clarifai, emailed OkCupid’s founder with a request: he needed large photo datasets to train facial recognition models [1].
He got them.
OkCupid’s president and CTO facilitated the transfer. Max Krohn used his personal email to send the data, bypassing whatever corporate oversight might have flagged the move [2]. Nearly 3 million user photos, along with demographic information and location data, went to Clarifai.
Here’s the catch: OkCupid’s founders Sam Yagan and Max Krohn held financial stakes in Clarifai through their venture capital fund, Corazon [2]. They weren’t just giving away user data. They were feeding it to a company they had money in.
No formal contract governed the transfer. No restrictions on how Clarifai could use the data. No services were provided to OkCupid in return [3]. It was a pure handoff: millions of intimate photos from people looking for dates, delivered free to a company building facial recognition tools.
Where Those Photos Ended Up
Clarifai didn’t just store the photos. It used them to train AI models that could identify age, sex, and race from facial features [2]. Your selfie from a dating profile became training data for commercial facial recognition.
And Clarifai didn’t stay small. The company pivoted hard into government and military work:
- U.S. Air Force: Clarifai won a contract with the Air Force Research Laboratory for AI-powered video analysis [4]
- U.S. Army: Partnership with Crimson Phoenix for combat casualty care AI systems [5]
- Defense and intelligence: Clarifai holds “Awardable” status through the Pentagon’s Chief Digital and Artificial Intelligence Office [6]
CEO Matt Zeiler initially said he’d avoid military contracts. He changed his mind and opened a Washington, D.C. subsidiary to chase defense dollars [7]. The company’s own government page advertises AI solutions for “military, intelligence” and more [6].
Did OkCupid photos directly train military systems? Clarifai hasn’t said. But the photos trained their core facial recognition capabilities, the same capabilities they sell to the Pentagon.
Deny, Conceal, Settle
When the New York Times started asking questions about the data transfer in 2019, OkCupid didn’t come clean. According to the FTC, the company “engaged in extensive efforts to conceal and deny” the transfers [2].
OkCupid’s privacy policy at the time promised it would only share personal information with “service providers, business partners, or other entities within its family of businesses”, or in response to legal obligations [3]. Clarifai was none of those things. It was a separate company that OkCupid’s founders happened to have invested in.
The FTC says OkCupid “did not offer either protection” of notifying users or giving them a chance to opt out [3].
12 Years, Zero Dollars
On March 30, 2026, nearly 12 years after the data transfer, the FTC announced its settlement with Match Group Americas and Humor Rainbow, Inc. (OkCupid’s legal entity) [1].
The penalty: nothing.
No fine. No user compensation. No requirement to notify the 3 million people whose photos were taken. The settlement includes:
- A permanent ban on misrepresenting data collection practices
- A 10-year compliance reporting requirement
- Sworn employee acknowledgments of privacy obligations
- FTC monitoring rights including depositions and inspections [8]
“The FTC enforces the privacy promises that companies make,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection. “We will investigate, and where appropriate, take action” [9].
Action, in this case, meaning: a strongly worded promise not to do it again.
OkCupid’s response? The practices are “outdated and this does not reflect how OkCupid operates today” [9]. The company “does not admit any wrongdoing.”
Why Zero?
The FTC lacks authority to issue monetary penalties for first-time violations of Section 5 of the FTC Act. It can only get fines if a company violates a consent order, which is what this settlement creates [8]. So the first offense is free. The next one costs money.
This is the second time the FTC has gone after Match Group. In August 2025, the company paid $14 million for deceptive advertising and billing practices [10]. That case involved money. This one, where millions of people’s biometric data was handed to a facial recognition company without consent, got the warning letter treatment.
“The fact that these dating apps lied about the privacy protections, I think, is very troubling,” said Lorrie Cranor, a privacy researcher at Carnegie Mellon University [9].
Dating Apps to Biometric Databases: The Pipeline
This case exposes something bigger than one company’s bad behavior. It shows how intimate personal data flows from consumer apps into surveillance systems with zero user awareness.
The pipeline works like this:
- You upload a photo to a dating app, expecting it to help you find a date
- The company shares it with an AI startup its executives invested in
- The startup trains facial recognition models on your face
- Those models get sold to military and intelligence agencies
- 12 years later, a regulator says “please don’t do that again”
OkCupid isn’t the only dating app with biometric problems. Hinge started using FaceTec biometric age verification in 2026 [11]. The ShinyHunters breach hit Bumble and Match Group earlier this year [12]. And dating app privacy policies remain some of the most permissive in the tech industry.
What You Can Do
If you used OkCupid before 2019, your photos may have been part of this transfer. The FTC settlement doesn’t require OkCupid to tell you. So here’s what you can do:
- Request your data: Under state privacy laws (California, Virginia, Colorado, Connecticut, and now Maryland), you can request what data dating apps hold on you
- Request deletion: Same laws let you demand they delete it. Whether Clarifai still has your photos is another question, they’re not covered by this settlement
- Check your state’s biometric laws: Illinois BIPA, Texas CUBI, and Washington state all have biometric privacy protections. BIPA litigation against Clarifai is already underway [8]
- Use fewer photos: Every photo you upload to a dating app is a photo that could end up training AI. Use the minimum needed
- Read the privacy policy: Not that it helped OkCupid users, the company violated its own policy. But at least know what they claim
The Real Lesson
A company violated its own privacy policy. Its executives had financial interests in the company receiving the data. The data transfer was done through a personal email account. When caught, they tried to cover it up.
And the federal agency charged with protecting consumers said: we’ll need you to promise not to do it again.
Without a federal privacy law with real teeth, one that includes meaningful fines, a private right of action, and actual data deletion requirements, this is what enforcement looks like in America. 12 years and a finger wag.
The 3 million faces are still out there. The AI models are already trained. And the next company considering the same move just learned the cost: zero.
References
- Engadget: OkCupid Settles FTC Case on Alleged Misuse of Its Users’ Personal Data (March 2026)
- ByteIota: OkCupid Gave 3M Photos to Facial Recognition Firm: FTC (March 2026)
- ClaimDepot: FTC Sues Match Group, OkCupid Over Secret Sharing of Nearly 3 Million User Photos (March 2026)
- Clarifai: U.S. Air Force Research Laboratory Awards Clarifai Contract for AI-Powered Full Motion Video Analysis
- Clarifai: Crimson Phoenix Partnership for Defense and Intelligence AI
- Clarifai: AI for Government, Military, Intelligence
- Bloomberg: How One AI Startup Decided to Embrace Military Work, Despite Controversy (December 2018)
- Biometric Update: FTC Order Bars OkCupid From Misleading Users About Biometric Data Sharing (March 2026)
- SAN: FTC Levies No Fines After Dating Site Caught Giving AI Company User Data (March 2026)
- Global Dating Insights: FTC Settles with Match Group Over OkCupid User Data Sharing (March 2026)
- State of Surveillance: Hinge FaceTec Biometric Age Verification
- State of Surveillance: ShinyHunters Bumble/Match Group Breach
Published: April 1, 2026