On the same day that the FTC released its new report on mobile privacy, the Commission also announced its latest online mobile privacy enforcement action, an $800,000 settlement with the operator of the Path social networking app. According to the FTC's news release:
Path operates a social networking service that allows users to keep journals about "moments" in their life and to share that journal with a network of up to 150 friends. Through the Path app, users can upload, store, and share photos, written "thoughts," the user's location, and the names of songs to which the user is listening.
In its complaint, the FTC charged that the user interface in Path's iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information. In version 2.0 of its app for iOS, Path offered an "Add Friends" feature to help users add new connections to their networks. The feature provided users with three options: "Find friends from your contacts;" "Find friends from Facebook;" or "Invite friends to join Path by email or SMS." However, Path automatically collected and stored personal information from the user's mobile device address book even if the user had not selected the "Find friends from your contacts" option. For each contact in the user's mobile device address book, Path automatically collected and stored any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.
The FTC also alleged that Path's privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information. In fact, version 2.0 of the Path app for iOS automatically collected and stored personal information from the user's mobile device address book when the user first launched version 2.0 of the app and each time the user signed back into the account.
The agency also charged that Path, which collects birth date information during user registration, violated the Children's Online Privacy Protection Act (COPPA) Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents' consent. Through its apps for both iOS and Android, as well as its website, Path enabled children to create personal journals and upload, store and share photos, written "thoughts," their precise location, and the names of songs to which the child was listening. Path version 2.0 also collected personal information from a child's address book, including full names, addresses, phone numbers, email addresses, dates of birth and other information, where available....
The case documents may be found here.
The FTC has been actively enforcing violations of children's privacy for more than ten years, and is explicitly increasing its enforcement activities in mobile privacy and data security. (The FTC recently announced changes to its COPPA rule, but those have not yet gone into affect; the Path enforcement arises out of the current rule.) This latest action is consistent with the Commission's ongoing efforts to both encourage proper practices with regard to consumers' personal information, and punish those firms that fail to appropriately respect privacy and data security.
(NOTE: This blog entry was originally published by Olshan counsel Jonathan I. Ezor on the IBLT Privacy and Technology Law Blog)