Last week a California jury rendered a $16.5 million verdict against a dating site for allegedly sharing user data with more than 1,000 third parties. Dating profiles are always somewhat embarrassing, but the data in question was particularly sensitive to users: their STI status. PositiveSingles billed its site as “100% Anonymous,” with a target audience of single adults wishing to escape the stigma associated with many STIs. Users may select from a dropdown menu of STIs, several of which are—bafflingly—fully treatable. What went wrong?

Unbeknownst to many users, PositiveSingles’ parent company, SuccessfulMatch, allegedly shared user data with hundreds of its other dating sites, which include illustrious titles such as RichDateBusty, EquestrianCupid, NudistFriends, and, according to one report, Herpesinmouth.

The state jury found PositiveSingles guilty of fraud, malice, and oppression in a case where the plaintiff’s profile showed up on a number of sites, allegedly misrepresenting his race, sexual orientation, HIV status, and religion by exporting his dating profile to niche sites associated with each trait. As a lawyer in the case explained, the “plaintiff is … not black, gay, Christian or HIV positive and was unaware that defendant was creating websites that focused on such traits that would include his profile, thus indicating that he was all of these things and more.” It’s kind of like having your JDate profile show up on Christian Mingle without your knowledge. (Except it also reveals your medical conditions in the process!) SuccessfulMatch’s webpage currently beckons prospective business partners with “Pre-populated Member Databases” sharing “thousands of profiles with other similar sites we have already set up.”

SuccessfulMatch’s terms of services said that it reserved the right to share user profiles with other sites within their network. A July 2013 court report recounts the website’s privacy policy statement: “information will not be disclosed knowingly or willfully to any third party without your authorization as described in detail in the SM.com Privacy Policy, except as may otherwise be permissible by this Agreement and required by the Services offered by SM.com.” But PositiveSingles users claim they had no idea, and on Oct. 29, the court found several parts of the terms of service to be unreasonable.

For privacy activists concerned with increasingly baffling website terms of service, this represents a small victory for user rights. A large majority of Internet users do not read terms of service at all before agreeing to them. That doesn’t mean, however, that websites can get away with putting anything in fine print. In this case, at least, misleading users had multimillion-dollar consequences.

This is also not the first lawsuit brought against SuccessfulMatch. In April, a judge dismissed a federal class action suit after two women claimed that SuccessfulMatch illegally shared their HIV-positive status and other personal identifying information with more than 1,000 other websites. This matter largely centered around the language of the original claims. The BBC reports that the women have filed an amended claim.