Path Social Networking App Settles FTC Charges on Privacy Infringement

February 20, 2013 - By Janice Partyka

The operator of the Path social networking app has agreed to settle Federal Trade Commission charges that it deceived users by collecting personal information from their mobile device address books without their knowledge and consent. The settlement requires Path, Inc. to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also will pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent.

The settlement with Path is part of the FTC’s ongoing effort to make sure companies live up to the privacy promises they make to consumers, and that kids’ personal information isn’t collected or shared online without their parents’ consent.

“Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it is mortgage applications thrown into open trash dumpsters, kids’ information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers,” said FTC Chairman Jon Leibowitz. “This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans.”

Path operates a social networking service that allows users to keep journals about moments in their life and to share that journal with a network of up to 150 friends. Through the Path app, users can upload, store, and share photos, written thoughts, the user’s location, and the names of songs to which the user is listening.

In its complaint, the FTC charged that the user interface in Path’s iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information. In version 2.0 of its app for iOS, Path offered an “Add Friends” feature to help users add new connections to their networks. The feature provided users with three options: “Find friends from your contacts;” “Find friends from Facebook;” or “Invite friends to join Path by email or SMS.” However, Path automatically collected and stored personal information from the user’s mobile device address book even if the user had not selected the “Find friends from your contacts” option. For each contact in the user’s mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.

The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information. In fact, version 2.0 of the Path app for iOS automatically collected and stored personal information from the user’s mobile device address book when the user first launched version 2.0 of the app and each time the user signed back into the account.

The agency also charged that Path, which collects birth date information during user registration, violated the Children’s Online Privacy Protection Act (COPPA) Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent. Through its apps for both iOS and Android, as well as its website, Path enabled children to create personal journals and upload, store and share photos, written thoughts, their precise location, and the names of songs to which the child was listening. Path version 2.0 also collected personal information from a child’s address book, including full names, addresses, phone numbers, email addresses, dates of birth and other information, where available.

The COPPA Rule requires that operators of online sites or services directed to children, or operators that have actual knowledge of child users on their sites or services, notify parents and obtain their consent before they collect, use, or disclose personal information from children under 13. Operators covered by the Rule also have to post a privacy policy that is clear, understandable, and complete.

The FTC charged that Path violated the COPPA Rule by:

  • not spelling out its collection, use and disclosure policy for children’s personal information;
  • not providing parents with direct notice of its collection, use and disclosure policy for children’s personal information; and
  • not obtaining verifiable parental consent before collecting children’s personal information.

In addition to the $800,000 civil penalty, Path is prohibited from making any misrepresentations about the extent to which it maintains the privacy and confidentiality of consumers’ personal information. The proposed settlement also requires Path to delete information collected from children under age 13 and bars future violations of COPPA. Path has already deleted the address book information that it collected during the time period its deceptive practices were in place.

The FTC has also introduced Mobile App Developers: Start with Security, a business guide that encourages developers to aim for reasonable data security and to evaluate the app ecosystem before development. It includes tips such as making someone responsible for data security and taking stock of the data collected and maintained.

The Commission vote to authorize the staff to refer the complaint to the Department of Justice and to approve the proposed consent decree was 5-0. The DOJ filed the complaint on behalf of the Commission in U.S. District Court for the Northern District of California on January 31, 2013. The proposed consent decree will be filed with the same U.S. District Court today and is subject to court approval.

Janice Partyka

About the Author:

Janice Partyka is principal of JGP Services, www.jgpservices.net, a consulting practice that helps companies with marketing strategy, including investigating new markets, ensuring product roadmaps match market needs, and creating marketing campaigns. Janice develops websites, social media, public relations and overall marketing communication. She also works as an expert witness for the mobile industry and conducts prior art searches for patent cases. Janice has served in leadership capacities in the wireless industry, leading marketing, business development, media and government relations, including serving as vice president of external affairs for TechnoCom Corporation. She briefed the Obama transition team on broadband issues. Janice was a twice-elected member of the board of directors of the E9-1-1 Institute, which supports the work of the U.S. Congressional E9-1-1 Caucus to ensure implementation of wireless E9-1-1, and she was telecom liaison to the Intelligent Transportation Society's World Congress. Janice is a frequent speaker at mobile and location industry events. Her webinars on mobile applications and technologies draw audiences from more than 40 countries. Janice Partyka is also the founder of www.majorstocareers.com, a web service that helps college students find the right major that will lead to a satisfying career. Contact: Janice Partyka at jpartyka@jgpservices.net, www.jgpservices.net. Free subscriptions to Wireless LBS Insider are available at http://www.gpsworld.com/subscriptions.
