FTC settlement forces Clarifai to delete millions of OkCupid photos

Millions of OkCupid users’ photos were collected for facial-recognition training after a 2014 transfer that the Federal Trade Commission said violated the dating site’s own privacy promises. The result was not a penalty but a cleanup order: Clarifai certified that it had deleted about 3 million OkCupid user photos and the models trained on them.

The FTC said OkCupid’s parent, Humor Rainbow, Inc., gave an unrelated third-party facial-recognition company access to user photos, demographic details and location information in September 2014. That disclosure conflicted with OkCupid’s 2014 privacy policy, which said personal information would not be shared except with service providers, business partners, family businesses or after notice and an opt-out opportunity. The agency said OkCupid never told users, never offered an opt-out and spent years trying to conceal and deny the transfer.

The commission also said the recipient had no business relationship with OkCupid and was connected to the dating service because OkCupid’s founders were personally invested in it. Court documents showed Clarifai had asked OkCupid for the data in 2014, underscoring how directly the facial-recognition company sought the trove of personal images. Reuters reported that Clarifai founder Matthew Zeiler wrote to OkCupid co-founder Maxwell Krohn, “We’re collecting data now and just realized that OKCupid must have a HUGE amount of awesome data for this.”

Clarifai certified to the FTC on April 7 that it had deleted the photos and the facial-recognition models trained on them. The company later told the Office of Rep. Lori Trahan on April 16 that it had not shared the data with third parties. Trahan called that confirmation “a step in the right direction” but said “the FTC should have never settled for less in the first place.” FTC spokesperson Joe Simonson dismissed the criticism as a “completely baseless issue.”

The settlement left a familiar question hanging over U.S. privacy enforcement: whether regulators are deterring misuse or only forcing companies to mop up after the fact. The FTC said Match Group Americas and Humor Rainbow will be barred from misrepresenting their privacy policies going forward, but the case closed without a financial penalty. For millions of users whose dating-app photos were repurposed for biometric training, the main remedy came years after the disclosure and only after the data had already circulated inside a commercial facial-recognition pipeline.