Path Social Networking App Settles FTC Charges it Deceived Consumers and
Improperly Collected Personal Information from Users' Mobile Address Books
WASHINGTON, Feb. 1, 2013
Company also Will Pay $800,000 for Allegedly Collecting Kids' Personal
Information without their Parents' Consent
WASHINGTON, Feb. 1, 2013 /PRNewswire-USNewswire/ -- The operator of the Path
social networking app has agreed to settle Federal Trade Commission charges
that it deceived users by collecting personal information from their mobile
device address books without their knowledge and consent. The settlement
requires Path, Inc. to establish a comprehensive privacy program and to obtain
independent privacy assessments every other year for the next 20 years. The
company also will pay $800,000 to settle charges that it illegally collected
personal information from children without their parents' consent.
The settlement with Path is part of the FTC's ongoing effort to make sure
companies live up to the privacy promises they make to consumers, and that
kids' personal information isn't collected or shared online without their
"Over the years the FTC has been vigilant in responding to a long list of
threats to consumer privacy, whether it's mortgage applications thrown into
open trash dumpsters, kids' information culled by music fan websites, or
unencrypted credit card information left vulnerable to hackers," said FTC
Chairman Jon Leibowitz. "This settlement with Path shows that no matter what
new technologies emerge, the agency will continue to safeguard the privacy of
Path operates a social networking service that allows users to keep journals
about "moments" in their life and to share that journal with a network of up
to 150 friends. Through the Path app, users can upload, store, and share
photos, written "thoughts," the user's location, and the names of songs to
which the user is listening.
In its complaint, the FTC charged that the user interface in Path's iOS app
was misleading and provided consumers no meaningful choice regarding the
collection of their personal information. In version 2.0 of its app for iOS,
Path offered an "Add Friends" feature to help users add new connections to
their networks. The feature provided users with three options: "Find friends
from your contacts;" "Find friends from Facebook;" or "Invite friends to join
Path by email or SMS." However, Path automatically collected and stored
personal information from the user's mobile device address book even if the
user had not selected the "Find friends from your contacts" option. For each
contact in the user's mobile device address book, Path automatically collected
and stored any available first and last names, addresses, phone numbers, email
addresses, Facebook and Twitter usernames, and dates of birth.
that it automatically collected only certain user information such as IP
address, operating system, browser type, address of referring site, and site
activity information. In fact, version 2.0 of the Path app for iOS
automatically collected and stored personal information from the user's mobile
device address book when the user first launched version 2.0 of the app and
each time the user signed back into the account.
The agency also charged that Path, which collects birth date information
during user registration, violated the Children's Online Privacy Protection
Act (COPPA) Rule by collecting personal information from approximately 3,000
children under the age of 13 without first getting parents' consent. Through
its apps for both iOS and Android, as well as its website, Path enabled
children to create personal journals and upload, store and share photos,
written "thoughts," their precise location, and the names of songs to which
the child was listening. Path version 2.0 also collected personal information
from a child's address book, including full names, addresses, phone numbers,
email addresses, dates of birth and other information, where available.
The COPPA Rule requires that operators of online sites or services directed to
children, or operators that have actual knowledge of child users on their
sites or services, notify parents and obtain their consent before they
collect, use, or disclose personal information from children under 13.
clear, understandable, and complete.
The FTC charged that Path violated the COPPA Rule by:
o not spelling out its collection, use and disclosure policy for children's
o not providing parents with direct notice of its collection, use and
disclosure policy for children's personal information; and
o not obtaining verifiable parental consent before collecting children's
In addition to the $800,000 civil penalty, Path is prohibited from making any
misrepresentations about the extent to which it maintains the privacy and
confidentiality of consumers' personal information. The proposed settlement
also requires Path to delete information collected from children under age 13
and bars future violations of COPPA. Path has already deleted the address
book information that it collected during the time period its deceptive
practices were in place.
The FTC also introduces Mobile App Developers: Start with Security, a new
business guide that encourages developers to aim for reasonable data security
and to evaluate the app ecosystem before development, and that includes tips
such as making someone responsible for data security and taking stock of the
data collected and maintained.
The Commission vote to authorize the staff to refer the complaint to the
Department of Justice and to approve the proposed consent decree was 5-0. The
DOJ filed the complaint on behalf of the Commission in U.S. District Court for
the Northern District of California on January 31, 2013. The proposed consent
decree will be filed with the same U.S. District Court today and is subject to
NOTE: The Commission authorizes the filing of a complaint when it has "reason
to believe" that the law has been or is being violated, and it appears to the
Commission that a proceeding is in the public interest. The complaint is not
a finding or ruling that the defendants have actually violated the law. This
consent decree is for settlement purposes only and does not constitute an
admission by the defendants of a law violation. Consent decrees have the
force of law when signed by the District Court judge.
The Federal Trade Commission works for consumers to prevent fraudulent,
deceptive, and unfair business practices and to provide information to help
spot, stop, and avoid them. To file a complaint in English or Spanish, visit
the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357).
The FTC enters complaints into Consumer Sentinel, a secure, online database
available to more than 2,000 civil and criminal law enforcement agencies in
the U.S. and abroad. The FTC's website provides free information on a variety
of consumer topics. Like the FTC on Facebook, follow us on Twitter, and
subscribe to press releases for the latest FTC news and resources.
SOURCE Federal Trade Commission
Contact: MEDIA CONTACTS: Peter Kaplan, Office of Public Affairs,
+1-202-326-2334; Jay Mayfield, Office of Public Affairs, +1-202-326-2181;
STAFF CONTACTS: Jamie Hine, Bureau of Consumer Protection, +1-202-326-2188;
Nithan Sannappa, Bureau of Consumer Protection, +1-202-326-3185; or Mamie
Kresses, Bureau of Consumer Protection, +1-202-326-2070