OkCupid is a dating app. The company is based in the U.S. and operates internationally. Their privacy policy has a number of red flags.
Firstly, this caught my eye. What health information does a dating app retain?
Residents of Washington and Nevada, please see our Consumer Health Data Privacy Policy, which supplements this Privacy Policy.
If you go into the Consumer Health Data Privacy Policy, you see this:
From time to time, OkCupid may collect information from you that may be considered “consumer health data” under applicable law.
I can’t find where they actually define the “consumer health data” (why is that in quotes?). I suppose it’s your facial recognition data? Or health-related information you list on your profile?
Checking out the CCPA addendum, perhaps this is the health data:
Inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Intelligence! What does that mean?
The “Contents of your messages on our services” is disclosed to “Vendors and professional services organizations who assist us in relation to the business or commercial purposes laid out herein”.
Go to the How Our Age Detection and Face Photo Checks Work section:
If I am comprehending this correctly, they automatically scan solo photos of you when you upload them to your profile:
We use automated technology to confirm that at least one of your profile photos is a solo photo of you and to detect your face. When we detect a face photo, we’ll scan the photo to assess the likelihood that you’re over the age of 18.
If the tool detects that you are most likely underage, we may restrict access and refer the photo to a trained moderator for manual review, which may lead to us asking for additional verification (like an ID check) to confirm your age.
Rest assured, your data is stored securely on their AWS servers:
As we use Match Group’s own technology, data sharing is limited, with all output data stored securely on our AWS servers.
The results of your age check may be used to train select machine learning models that power our trust and safety tools, as well as to test and audit such models and tools.
Your photo is stored for 3 months, or for a year if they think the photo shows someone under 18.
In the main Privacy Policy section, they define “Content” as:
[…] photos, videos, audio, text and other types of content, such as your chats with other members.
Which is one of many things they may provide to their service providers:
Specifically, we may use Facebook tools, such as Facebook Login, Pixel, Social plugins, and Facebook SDK for App Events. When using these tools we are considered “Joint Data Controllers” with Meta Ireland. To learn more about how Facebook processes your data and allows you to exercise your rights, check out Meta Ireland’s Privacy Policy.
Wow. This privacy policy despite them saying:
We put a lot of effort into making this policy as clear and engaging as possible, because we actually want you to read it! Think of us as your digital wingmate, here to guide you through the ins and outs of what data we collect, and why and how we use it. So get cozy, grab your favorite drink, and let’s make privacy make sense – together
and the FTC is OkStupid. 