FTC reaches privacy settlement with Path app

The app collected personal information from children and didn't tell users the extent of information it collected, the agency says

The maker of the Path social networking app will pay a US$800,000 civil penalty to settle U.S. Federal Trade Commission charges that it illegally collected personal information from children without parental consent, the agency said Friday.

Path has also settled FTC charges that it collected personal information from users' mobile address books without their knowledge and consent, the FTC said. The settlement requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for 20 years, FTC Chairman Jon Leibowitz said during a press conference.

Path's social-networking service allows users to keep journals and share them with a network of up to 150 friends. Users can store and share photos, journal entries, their location and the names of songs they are listening to.

The FTC, in its complaint, charged that the user interface in Path's iOS app was misleading and provided users no meaningful choice about the collection of their personal information. Path's version 2.0 provided users with three options for inviting friends: through their contacts, through Facebook, or by inviting them to join Path by email or SMS. However, Path automatically collected and stored personal information from the user's mobile device address book even if the user had not selected the "find friends from your contacts" option, the FTC said.

For each contact in the user's mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter user names, and dates of birth, the FTC said.

Path's privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information, the FTC also alleged. Version 2.0 of the Path app for iOS automatically collected and stored personal information from the user's mobile device address book when the user first launched version 2.0 of the app and each time the user signed back into the account, the agency said.

"This practice, we believe, was deceptive," Leibowitz said.

The agency also charged that Path, which collects birth date information during user registration, violated the U.S. Children's Online Privacy Protection Act by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents' consent. 

Through its apps for both iOS and Android, as well as its website, Path enabled children to create personal journals and share photos, journal entries, their precise location, and the names of songs they were listening to. Path version 2.0 also collected personal information from a child's address book, including full names, addresses, phone numbers, email addresses, dates of birth and other information, where available, the FTC said.

Path, in a statement on its website, said it has closed a "very small number" of accounts affected by the COPPA rule.

"There was a period of time where our system was not automatically rejecting people who indicated that they were under 13," Path said. "Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created."

Path said it hopes it can help other developers learn from its experience.

The FTC action should remind others "of the importance of making sure services are in full compliance with rules like COPPA," the company said. "From a developer's perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn't until we gave our account verification system a second look that we realized there was a problem."

The FTC announced the settlement with Path on the same day as the agency released recommendations for mobile privacy practices.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
