App Developer Settles FTC COPPA Charges Over Secretly Uploaded Address Book Data

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Social networking application developer Path Inc. agreed to pay $800,000 to settle Federal Trade Commission charges that it improperly received information from children under 13 and secretly collected data from users' mobile address books, in a federal court consent order filed Feb. 1 (United States v. Path Inc., N.D. Cal., 3:13-cv-00448-JCS, consent agreement filed 2/1/13).

The FTC alleged in a complaint, which was filed Jan. 31 in the U.S. District Court for the Northern District of California, that Path allowed the registration of approximately 3,000 users whose dates of birth showed they were under 13. Path's collection of the personal data of those children without notice and parental consent violated the Children's Online Privacy Protection Act Rule, 16 C.F.R. Pt. 312, the commission asserted.

The FTC said Path also violated Section 5 of the FTC Act, which prohibits unfair and deceptive commercial acts, by collecting personal information from users' mobile address books. It alleged the social networking app deceptively collected the data despite the fact that it appeared to offer users the choice of whether to “Find friends from your contacts” and through representations in its privacy policy that such data were not being collected.

As part of the proposed settlement, Path agreed to establish a comprehensive privacy program and obtain privacy audits from a third party. The third-party audit will include an initial audit after one year from the effective date of the decree and then assessments every two years for a period of 20 years from the date of the decree.

According to the FTC, Path's app is a social networking service that allows users to share a journal that includes photos, thoughts, or their location with up to 150 people. The agency said the app launched Nov. 14, 2010, and has been downloaded over 2.5 million times.

Path's alleged collection of users' address book data also is the subject of a putative class action lawsuit in the same district court, Hernandez v. Path Inc., N.D. Cal., No. 4:12-cv-01515-YGR. An Oct. 19, 2012, ruling in that case permitted state claims to proceed against the company, but dismissed federal claims (11 PVLR 1586, 10/29/12).

Conduct in FTC Crosshairs

During a Feb. 1 teleconference with reporters on a new mobile privacy report concurrently released by the agency (see related report), FTC Chairman Jon Leibowitz said Path was targeted because “there were two things that stood out. One, clear deception. They said they would not do X and then they did. Two, it involves kids. That is a sort of red flag combination for us.”

Leibowitz, who announced the same day that he would resign later this month (see related report), said in a Feb. 1 statement that the agreement “shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans.”

In a Feb. 1 blog post, Path admitted it did not initially automatically reject users under the age of 13. However, it said, “Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created.”

It said it hoped its experience would cause others companies to be “reminded of the importance of making sure services are in full compliance with rules like COPPA.”

COPPA Rule Violation

According to the FTC, Path collected email addresses, full names, gender, phone numbers, and dates of birth from approximately 3,000 users under 13 who registered between November 2010 and May 2012. The agency added that after Path released version 2.0 of its app for Apple devices Nov. 29, 2011, it began collecting personal information of the contacts in the address books of users under 13.

Section 312.4(b) of the COPPA Rule required Path to provide sufficient notice regarding how it collected information from children, the agency said. Section 312.4(c) of the COPPA Rule, it added, also mandates a direct notice to parents regarding information collection, and Section 312.5(a)(1) required Path to obtain parental consent.

In the consent decree, Path agreed to injunctive relief requiring it to provide notice and obtain parental consent in accordance with the requirements of the COPPA Rule. It also agreed to delete any data it held from users under 13 and pay a $800,000 fine. The FTC's complaint said it is authorized to seek up to $16,000 per COPPA Rule violation.

Address Book Data

According to the agency, Path emphasized privacy as a value on its website. It said the company stated, “Path should be private by default. Forever. You should always be in control of your information and experience.”

The FTC said users were instead misled by the app's platform and privacy policy, in violation of Section 5 of the FTC Act.

When Path released version 2.0 of its app for Apple devices, the agency said users were presented with an “Add Friends” feature that included the ability to “Find friends from your contacts” and “Find friends from Facebook.” The FTC said that regardless of whether users chose to find friends from their contacts, the Path app collected and stored that data.

Path obtained from users' address books their friends' full names, addresses, phone numbers, email addresses, Facebook usernames, Twitter usernames, and dates of birth, the FTC alleged.

The complaint said that Path's privacy policy told users that it only collected information such as their IP address, operating system, browser type, addresses of referring sites, and information regarding site activity. The FTC said the privacy policy failed to disclose the full range of information collected.

Under the consent decree, Path must not misrepresent which personal information it is collecting. It also must “[c]learly and prominently” share with users how information is accessed and collected in a manner separate from “any 'privacy policy,' 'terms of use,' 'blog,' 'statement of values' page, or other similar document.”

The consent decree and order are available at

The complaint is available at

Path's blog post is available at

Request Bloomberg Law: Privacy & Data Security