A company's privacy policy says it won't share your data with third parties without your consent. Then you find out it did anyway — maybe through a data broker opt-out search, maybe through a news story. It can feel like privacy policies are just legal cover that companies ignore whenever convenient. They're not supposed to be, and there's a federal regulator whose entire enforcement history says otherwise.
The legal basis: Section 5 of the FTC Act
Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices" in commerce. It doesn't mention privacy by name, but the FTC has used it as the legal foundation for well over a hundred privacy and data security enforcement actions — the core principle being simple: if a company tells you it handles your data one way and then does something else, that mismatch itself is a violation, regardless of whether the company intended to deceive anyone.
A real, recent example: the FTC's case against OkCupid
This isn't theoretical. In March 2026, the FTC took action against Match Group Americas and its OkCupid affiliate, alleging the dating app shared users' personal information — including photos and location data — with an unrelated third-party AI company, in direct conflict with what OkCupid's own privacy policy promised. The resulting settlement permanently prohibits the companies from misrepresenting how they collect, use, or share user data going forward. The FTC's own statement on the case put it plainly: the agency enforces the privacy promises companies make, and takes action against those that fail to follow through. This is a pattern going back decades — companies have been settled with the FTC for renting out user data despite promising not to, retroactively applying weakened privacy policies without telling users, and secretly selling sensitive location data despite public claims otherwise.
Be realistic about what filing a complaint does
As with other FTC complaint categories, it's worth being precise: filing an individual complaint does not resolve your specific situation directly, and the FTC does not act as an arbitrator between you and the company. Your report goes into the Consumer Sentinel Network, the same intelligence database used across federal, state, and local law enforcement, where it's aggregated with other reports to identify patterns. Cases like OkCupid typically build from accumulated evidence and complaints over time, not a single report — but that accumulated evidence is exactly what your report contributes to.
What to gather before you file
- The exact privacy policy language that was violated — a screenshot or saved copy of the specific clause, ideally with a timestamp or archive link showing what it said at the time
- Evidence of what actually happened — an email notification, a data broker listing, a news report, or anything documenting the data sharing or misuse you're reporting
- Dates — when you agreed to the policy, and when you discovered the discrepancy
- Any prior attempts to resolve it — if you contacted the company directly first, keep that correspondence too
How to file
- Go to reportfraud.ftc.gov and select the category that best matches your situation (privacy, data misuse, or the closest fit among the guided options).
- Describe specifically which privacy policy claim was broken and how.
- Upload your evidence — screenshots, the policy text, and any supporting documentation.
- Submit — you'll get a confirmation and can download a copy of what you reported.