diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index 527da3c15..37d7ba239 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -108,11 +108,18 @@ def index
api :GET, '/user', 'Gets the current user\'s data.'
description <<-EOS
Returns the current user's data.
+ For users that are not logged in, a 403 forbidden response is normally returned.
+ However, if always_200 is set to true, then a 200 OK with a blank object is returned instead.
#{json_schema(Api::V1::UserRepresenter, include: :readable)}
EOS
def show
- OSU::AccessPolicy.require_action_allowed!(:read, current_api_user, current_human_user)
+ begin
+ OSU::AccessPolicy.require_action_allowed!(:read, current_api_user, current_human_user)
+ rescue SecurityTransgression => error
+ return render(plain: {}) if params[:always_200] == 'true'
+ raise error
+ end
SetGdprData.call(user: current_human_user, headers: request.headers,
diff --git a/spec/controllers/api/v1/users_controller_spec.rb b/spec/controllers/api/v1/users_controller_spec.rb
index 51c0e686f..1b91f6331 100644
--- a/spec/controllers/api/v1/users_controller_spec.rb
+++ b/spec/controllers/api/v1/users_controller_spec.rb
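Review bot: `render(plain: {})` in the new rescue branch sends the string "{}" with a text/plain content type rather than a JSON document, so a client that passes always_200 to avoid the 403 still cannot treat the body as JSON without special-casing the type; `return render(json: {}) if params[:always_200] == 'true'` yields the blank object the description promises. The rescue also turns every SecurityTransgression from require_action_allowed! into a 200, including the application-token-without-user case the spec exercises, while the description restricts the behaviour to "users that are not logged in"; either narrow the branch (for example `if params[:always_200] == 'true' && current_human_user.nil?`, if a nil human user is how anonymous requests surface here) or reword the description to say any denied read returns the blank object. Because this path silently discards an authorization failure, a debug-level log line before the render would keep denied reads visible in traces. Inside a rescue a bare `raise` re-raises the current exception, so `=> error` and `raise error` can be dropped. The body of show continues past the hunk (the SetGdprData.call is cut off), so this review covers only the visible part.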
@@ -116,19 +116,34 @@ it "should let a User get his info" do
api_get :show, user_1_token
expect(response.code).to eq('200')
+ expected_response = user_matcher(user_1, include_private_data: true)
+ expect(response.body_as_hash).to match(expected_response)
+ end
+
+ it "should let a User get his info when if always_200 is set" do
+ api_get :show, user_1_token, params: { always_200: true }
+ expect(response.code).to eq('200')
+ expected_response = user_matcher(user_1, include_private_data: true)
+ expect(response.body_as_hash).to match(expected_response)
end
it "should not let id be specified" do
- api_get :show, user_1_token, params: {id: admin_user.id}
+ api_get :show, user_1_token, params: { id: admin_user.id }
expected_response = user_matcher(user_1, include_private_data: true)
expect(response.body_as_hash).to match(expected_response)
end
it "should not let an application get a User without a token" do
- api_get :show, trusted_application_token, params: {id: admin_user.id}
+ api_get :show, trusted_application_token, params: { id: admin_user.id }
expect(response).to have_http_status :forbidden
end
+ it "should return an empty object if always_200 is set" do
+ api_get :show, trusted_application_token, params: { always_200: true }
+ expect(response).to have_http_status :ok
+ expect(response.body_as_hash).to match({})
+ end
+
it "should return a properly formatted JSON response for low-info user" do
api_get :show, user_1_token
expected_response = user_matcher(user_1, include_private_data: true)