A popular social-networking app has reached a settlement with federal regulators over allegations that it collected address book information from users’ mobile phones without their knowledge or consent, the Federal Trade Commission announced Friday.
The company that operates the app, San Francisco-based Path Inc., agreed to implement a comprehensive privacy program and to submit to independent privacy audits for 20 years. Path also will pay a fine of $800,000 over accusations that it collected personal information from about 3,000 children under the age of 13 without parental consent, a violation of the Children’s Online Privacy Protection Act.
FTC officials said the case should serve as a warning to other mobile companies.
“If other companies don’t wake up and do better, my sense is the industry is much more likely to face regulation down the road,” FTC Chairman Jon Leibowitz said in a conference call Friday.
“Tell your customers what you’re doing with their data, don’t mislead them and then once you have that data don’t misuse it,” said Leibowitz, who’s stepping down from his post this month.
Path is a so-called “digital journal” that allows users to share their locations, photos, thoughts and music with a network of up to 150 friends through their smartphones.
In its complaint, the FTC accuses Path of deceiving consumers by leading them to believe that their personal information would be collected only if they clicked on a “find friends from your contacts” option. In fact, Path automatically downloaded address books from users’ mobile devices without their permission and without notifying them, according to the FTC’s complaint. The information included first and last names, addresses, email addresses, dates of birth and user names for Facebook and Twitter, the complaint said.
The complaint also alleged that Path had violated the law by failing to notify parents and obtain their consent before collecting children’s personal data and allowing the kids to post their precise locations, photos and other private information online.
In a statement posted on its website, Path said the company had allowed “a very small number” of children to sign up for accounts early in its history but those accounts have since been closed.
“As you may know, we ask users their birthdays during the process of creating an account,” the company said. “However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created.”
Path added that the company wants to share its experience to remind others in the industry of the importance of making sure that mobile services are in full compliance with the law.
“From a developer’s perspective, we understand the tendency to focus all attention on the process of building amazing new things,” the company said. “It wasn’t until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent.”
The settlement with Path reflects the FTC’s growing scrutiny of online social networks and mobile apps. Last year the commission reached similar settlements with Internet giants Google and Facebook over alleged privacy violations.
A report the FTC released Friday warned that mobile devices “can facilitate unprecedented amounts of data collection” because they’re almost always on and with the users.
The report outlined recommendations for the mobile industry, urging companies to better inform consumers about privacy practices, to obtain “express consent” before allowing apps to access sensitive content and to consider offering a “do not track” mechanism that would let people opt out of tracking by advertisers, data brokers and other third parties.