Business Blog
FTC Path case helps app developers stay on the right, er, path
In the few years it’s been up and running, Path has billed itself as a different kind of social network. According to a description of its "Values," "Path should be private by default. Forever. You should always be in control of your information and experience." It’s a lovely sentiment. Except that according to an FTC law enforcement action, it wasn’t private by default. It wasn’t private forever. Users weren’t in control of their information and experience. And let’s not forget the alleged violation of the Children’s Online Privacy Protection Act.
In addition to the just-released staff report, Mobile Privacy Disclosures: Building Trust through Transparency, and a new brochure, Mobile App Developers: Start with Security (more about those in our next post), the FTC's settlement with Path offers a lot for the app industry to consider. Path — primarily available to users through a mobile app — calls itself a "smart journal that helps you share life with the ones you love." At the risk of sounding like Jack Handy from a Saturday Night Live episode, users could share "thoughts" and "moments" with a network limited to 150 people. They also could share with that small circle of friends things like photos, the music they were listening to, and even their location. (We say “small,” but the app itself was pervasive, with more than 2.5 million downloads and installs.)
In version 2.0 of the Path App for iOS, the company included a new “Add Friends” feature that offered users three choices: "Find friends from your contacts," "Find friends from Facebook," and "Invite friends to join Path by email or SMS." But regardless of the option users chose, Path automatically collected personal data from users’ mobile device contacts — their address books — and stored it on Path’s servers. What did Path collect? To the extent the information was available, the first name, last name, address, phone numbers, email addresses, Facebook username, Twitter username, and date of birth of each person in the address book.
And according to the FTC, it wasn’t a one-time thing. The automatic collection of information from the address book occurred the first time users launched version 2.0 of the Path App and, if they signed out of the service, each time they signed in again. The practice continued until February 8, 2012.
The FTC’s complaint charges that what Path told people it was doing with personal information contrasted sharply with what was going on behind the scenes. Count #1 challenges the operation of the company’s "Add Friends" feature. According to the complaint, Path represented that personal information from the user’s mobile device contacts would be collected only if the user clicked on "Add Friends" and then chose the “Find friends from your contacts” option. But despite that promise, Path automatically collected and stored personal data the first time the user launched the app and, if they signed out, each time they signed back in again. That, says the FTC, made Path’s statement false.
Count #2 alleges that Path also made false claims in its privacy policy. Users were told that Path automatically collected only data like an IP address, operating system, browser type, address of referring site, and site activity information. But by automatically collecting all that additional info from users’ address books, Path grabbed way more than that.
What about the COPPA allegations? The complaint charges that in connection with operating the Path App for iOS, the Path App for Android, and its path.com website, the company (which collected birth dates during the registration process) had actual knowledge that about 3,000 users were under 13. That kicked in COPPA’s requirement that Path get parents’ consent before collecting, using, or disclosing information about their kids — an obligation Path didn’t live up to. The FTC says Path also violated the requirement that operators covered by COPPA post a privacy policy that’s clear, understandable, and complete. The upshot of Path’s alleged COPPA violations? Kids under 13 could create journals, share photos and “thoughts,” and share their precise location. The FTC says the address book problem of Path version 2.0 affected kids’ address books, too.
To settle the case, Path will pay an $800,000 civil penalty for COPPA violations and will delete information collected from kids under 13. In addition, the company will honor the claims it makes about how it maintains the privacy and confidentiality of personal information. Some good news for users: Path has already deleted the address book information it collected during the period the FTC says the illegal practice was in place.
Four key points businesses can take from the Path settlement:
- The main message comes as no surprise: Honor your privacy promises and be especially careful when it comes to kids’ information. What’s a little different is that the message is going out with ATTN: MOBILE APP DEVELOPERS across the top. Well-established consumer protection principles apply across the board, including to companies in the mobile market.
- The default mindset about data collection used to be to gather as much as possible whenever possible. We’ve said it before, but that approach is <Valley Girl voice> like soooo 20th Century </Valley Girl voice>. As savvy companies know, the wiser approach — and a central tenet of “Privacy by Design” — is to think through your needs and ask only for information you have a legitimate reason to collect. Gathering data “just ‘cuz” doesn’t cut ice with consumers anymore.
- Just because a platform gives you the technological capability to do something, doesn’t mean it’s the right thing for your business or your users. It’s a mistake to assume that somebody else — for instance, a mobile operating system provider or a device manufacturer — has thought through the privacy implications. When it comes to your app and your users, the buck stops with you.
- COPPA isn’t just for kids’ sites. Yes, the rules apply when sites and online services are specifically designed for the under-13 set, but don’t be too quick to assume you’re not covered. The Rule also imposes legal responsibilities on operators who have actual knowledge they’re collecting personal info from kids.
Join us on Twitter from 1:00-2:00 ET on Friday, February 1, 2013, talk about the Path case and the Report. Follow @FTC and submit questions with the hashtag #FTCpriv.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.