A spokesperson for Match Group, which also owns dating apps OkCupid, PlentyofFish and Tinder, confirmed to The Verge that a “limited number” of old accounts had been mistakenly reactivated and that any account affected received a password reset.
While the site’s current privacy statement says that the company can “retain certain information associated with your account” even after it is closed, the spokesperson revealed that Match will soon launch a new privacy policy to comply with the EU’s General Data Protection Regulation (GDPR).
While there is no federal data destruction law in the United States, 32 states — including Texas, where Match Group is headquartered — have legislation that require “entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.”
Still, it has been common practice in the past for dating websites to use and retain data for research, marketing, or, as Match.com’s current privacy policy states, “record-keeping integrity.” In 2009, eHarmony’s then-VP of technology Joseph Essas admitted that they site has “an archiving strategy, but we don’t delete you out of our database. We’ll remember who you are.”
This isn’t the first time Match Group has faced complaints about its data policy. A 2010 class action lawsuit by former subscribers alleged that Match.com deceived users by keeping inactive and fraudulent accounts viewable. The suit was dismissed in 2012 after a US District Judge found that the site’s user agreement didn’t require it to remove these profiles.
Then in 2015, California resident Zeke Graf filed a class action lawsuit against Match claiming the company was knowingly violating a state civil code which requires every dating service contract to include a statement allowing the user to cancel their subscription. That lawsuit was later voluntarily dismissed by Graf.
But many are in agreement that there is no reason for a site to indefinitely hold onto a deleted account’s information.
“There probably are good reasons to keep deleted profiles for some period of time — for example, to prevent or detect repeat users or fake users, etc.,” Albert Gidari, consulting director of privacy at the Stanford Center for Internet and Society, wrote in an email. “But that doesn’t mean forever.”