Operator of the Path social networking application agreed to settle Federal Trade Commission charges that it deceived users by collecting personal information from their mobile device address books without their knowledge and consent. Path agreed to establish a comprehensive privacy program to obtain an independent privacy assessment every other year for the next 20 years and to pay $800,000 to settle charges that it illegally collected personal information from children without first getting their parents’ consent.
The app allows users to upload, store and share photos, written “thoughts,” location updates and the names of songs to which the user is listening. For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames.
Path was also charged with violating the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from an estimated 3,000 children under the age of 13 without first getting parents’ consent. COPPA requires operators of online sites or services directed to children, or operators who have actual knowledge of child users to notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. The FTC also charged Path with violating the COPPA rule by:
- • Not spelling out its collection, use and disclosure policy for children’s personal information;
- • Not providing parents with direct notice of its collection, use and disclosure policy for children’s personal information; and
- • Not obtaining verifiable parental consent before collecting children’s personal information.
For each contact in the user’s mobile device address book, Path automatically collected and retained user information, including any available first and last names, addresses, phone numbers email addresses and other available user names and dates of birth. Path must now delete information collected from children under the age of 13 and no longer make misrepresentations about the extent of its privacy and confidentiality.
To prevent app developers from encountering similar issues in the future, the FTC introduced the Mobile App Developers. The guide is designed to encourage developers to aim for reasonable data security and evaluate the app ecosystem before development.
Hopefully the Path settlement will serve as an example for future developers and raise awareness of COPPA concerns.