Social networking application developer Path Inc. agreed to pay $800,000 to
settle Federal Trade Commission charges that it improperly received information
from children under 13 and secretly collected data from users' mobile address
books, in a federal court consent order filed
Feb. 1 (United States v. Path Inc., N.D. Cal., 3:13-cv-00448-JCS,
consent agreement filed 2/1/13).
The FTC alleged in a complaint, which was
filed Jan. 31 in the U.S. District Court for the Northern District of
California, that Path allowed the registration of approximately 3,000 users
whose dates of birth showed they were under 13. Path's collection of the
personal data of those children without notice and parental consent violated the
Children's Online Privacy Protection Act Rule, 16 C.F.R. Pt. 312, the commission
The FTC said Path also violated Section 5 of the FTC Act, which prohibits
unfair and deceptive commercial acts, by collecting personal information from
users' mobile address books. It alleged the social networking app deceptively
collected the data despite the fact that it appeared to offer users the choice
of whether to “Find friends from your contacts” and through representations in
As part of the proposed settlement, Path agreed to establish a comprehensive
privacy program and obtain privacy audits from a third party. The third-party
audits will include an initial audit one year after the effective date of
the decree, followed by assessments every two years for a period of 20 years
from the date of the decree.
According to the FTC, Path's app is a social networking service that allows
users to share a journal that includes photos, thoughts, or their location with
up to 150 people. The agency said the app launched Nov. 14, 2010, and has been
downloaded over 2.5 million times.
Path's alleged collection of users' address book data also is the subject of
a putative class action lawsuit in the same district court, Hernandez v. Path
Inc., N.D. Cal., No. 4:12-cv-01515-YGR. An Oct. 19, 2012, ruling in that
case permitted state claims to proceed against the company, but dismissed
federal claims (11 PVLR 1586, 10/29/12).
During a Feb. 1 teleconference with reporters on a new mobile privacy report
concurrently released by the agency (see related report), FTC Chairman
Jon Leibowitz said Path was targeted because “there were two things that stood
out. One, clear deception. They said they would not do X and then they did. Two,
it involves kids. That is a sort of red flag combination for us.”
Leibowitz, who announced the same day that he would resign later this month
(see related report), said in a Feb. 1 statement that the agreement
“shows that no matter what new technologies emerge, the agency will continue to
safeguard the privacy of Americans.”
In a Feb. 1 blog post,
Path admitted it did not initially automatically reject users under the age of
13. However, it said, “Before the FTC reached out to us, we discovered and fixed
this sign-up process qualification, and took further action by suspending any
under age accounts that had mistakenly been allowed to be created.”
It said it hoped its experience would cause other companies to be “reminded
of the importance of making sure services are in full compliance with rules like
According to the FTC, Path collected email addresses, full names, gender,
phone numbers, and dates of birth from approximately 3,000 users under 13 who
registered between November 2010 and May 2012. The agency added that after Path
released version 2.0 of its app for Apple devices Nov. 29, 2011, it began
collecting personal information of the contacts in the address books of users
Section 312.4(b) of the COPPA Rule required Path to provide sufficient notice
regarding how it collected information from children, the agency said. Section
312.4(c) of the COPPA Rule, it added, also mandates a direct notice to parents
regarding information collection, and Section 312.5(a)(1) required Path to
obtain parental consent.
In the consent decree, Path agreed to injunctive relief requiring it to
provide notice and obtain parental consent in accordance with the requirements
of the COPPA Rule. It also agreed to delete any data it held from users under 13
and pay an $800,000 fine. The FTC's complaint said it is authorized to seek up to
$16,000 per COPPA Rule violation.
According to the agency, Path emphasized privacy as a value on its website.
It said the company stated, “Path should be private by default. Forever. You
should always be in control of your information and experience.”
The FTC said users were instead misled by the app's platform and privacy
policy, in violation of Section 5 of the FTC Act.
When Path released version 2.0 of its app for Apple devices, the agency said
users were presented with an “Add Friends” feature that included the ability to
“Find friends from your contacts” and “Find friends from Facebook.” The FTC said
that regardless of whether users chose to find friends from their contacts, the
Path app collected and stored that data.
Path obtained from users' address books their friends' full names, addresses,
phone numbers, email addresses, Facebook usernames, Twitter usernames, and dates
of birth, the FTC alleged.
collected information such as their IP address, operating system, browser type,
addresses of referring sites, and information regarding site activity. The FTC
Under the consent decree, Path must not misrepresent which personal
information it is collecting. It also must “[c]learly and prominently” share
with users how information is accessed and collected in a manner separate from
other similar document.”
The consent decree and order are available at http://www.ftc.gov/os/caselist/1223158/130201pathincdo.pdf.
The complaint is available at http://www.ftc.gov/os/caselist/1223158/130201pathinccmpt.pdf.
Path's blog post is available at http://blog.path.com/.