Path, the social networking app headed by ex-Facebooker Dave Morin, has agreed to an $800,000 settlement with the Federal Trade Commission over allegations that the app collected children's personal information without parental consent.
The FTC also issued comprehensive guidelines for app developers to protect user data.
Specifically, the charges alleged Path collected personal information about users' mobile device contacts even after Path users declined to opt in to a feature that would allow Path to do so.
The Path 2.0 iOS app had an "Add Friends" feature that allowed users to add connections in the Path network. The feature had three options: "Find friends from your contacts," "Find friends from Facebook" and "Invite friends to join Path by email or SMS." Path then automatically collected and stored data on users' contacts, regardless of whether they selected the "Find friends from your contacts" option.
That data included contacts' first and last names, addresses, phone numbers, email addresses, Facebook and Twitter account names and dates of birth.
The FTC further alleged Path deceived its users by claiming to collect only information such as users' IP addresses, operating system, web browser and site activity, when it was actually storing personal information from users' address books each time they launched the Path 2.0 app.
By collecting data on 3,000 users who were under the age of 13, Path was allegedly in violation of the Children's Online Privacy Protection Act (COPPA). As part of the settlement, Path has agreed to privacy audits for the next 20 years and to establish a privacy program.
As expected, chairman Jon Leibowitz is stepping down Feb. 15 after nearly a decade at the FTC. But he said that FTC enforcement actions will continue.
"The industry is far more likely to face much more restrictions down the road because privacy is the quintessential bi-partisan issue in Congress," he said.
Those settling with the FTC generally do so without admitting wrongdoing. Path issued a blog post today that stopped short of an apology but explained its side of it:
Today the United States Federal Trade Commission (FTC) announced that it reached a settlement pending court approval with Path regarding alleged violations of the Children's Online Privacy Protections Act (COPPA). The gist of the FTC's complaint is this: early in Path's history, children under the age of 13 were able to sign up for accounts. A very small number of affected accounts have since been closed by Path.
As you may know, we ask users their birthdays during the process of creating an account. However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any underage accounts that had mistakenly been allowed to be created.
We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA. From a developer's perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn't until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent.
Throughout this experience and now, we stand by our number one commitment to serve our users first.