The developer of the popular Path social networking app for mobile devices has agreed to settle Federal Trade Commission charges that it deceived users by collecting their personal information without their consent. As part of a settlement reached last Friday, the FTC fined the start-up company $800,00 on claims that it improperly collected user data and stored information on underage users.
In its complaint, the FTC charged that the user interface in Path's iOS app was misleading and provided consumers no meaningful choice regarding the storage and collection of their personal information. According to the complaint, Path represented that personal information from the user's mobile device contacts would only be collected if the user clicked on a particular feature "Add Friends " when in reality, Path automatically collected and stored personal information from the user's mobile device contacts each time the user launched the app and, if the user signed out, each time the user signed in again.
Other FTC claims were aimed at Path's knowing collection of personal information from children under the age of 13 without first obtaining verifiable parental consent in violation of the Children's Online Privacy Protection Act ("COPPA"). The FTC alleged that its app for iOS, for Android, and Path's website, while all intended for a general audience, also attracted a significant number of children enabling them "to create a journal and upload, store and share photos, written 'thoughts' , the child's precise location, and the names of songs to which the child was listening."
In addition to the $800,000 penalty that Path will pay for its COPPA violation, the social networking service must establish a comprehensive privacy program and is subject to independent privacy audits for the next 20 years.
The FTC settlement is a lesson for both start-ups and established companies as the FTC is getting increasingly aggressive in addressing privacy breaches. As illustrated by the outgoing FTC Commissioner's comment on the Path settlement: "[o]ver the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it's mortgage applications thrown into open trash dumpsters, kids information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers...This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans."
While the $800,000 fine may not be significant for behemoth companies like Facebook or Google, it is certainly significant for a start-up one like Path. It remains to be seen if the FTC fines will increase. Rather than wait and see, companies should implement, monitor, update, and strictly adhere to a comprehensive privacy program.