This morning, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with mobile app developer Path over COPPA and privacy violations in which users' entire address books were uploaded and stored without notice or consent. The terms of the settlement require Path Inc. to:
"... establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company also will pay $800,000 to settle charges that it illegally collected personal information from children without their parents’ consent."
The Path mobile app enables consumers to create and share journals with up to 150 friends. The app also enables users to upload, store, and share photos, notes, songs they are listening to, and their geolocation. At registration, users share their gender, phone number, and date of birth. The lawsuit filed by the FTC (Adobe PDF, 918 kbytes) alleged that Path:
"Congress enacted COPPA in 1998 to protect the safety and privacy of children online by prohibiting the unauthorized or unnecessary collection of children's personal information online by operators of Internet websites or online services... In version 2.0 of the Path App for iOS, regardless of whether the user elected to "Add Friends," Defendant automatically collected personal information from users' mobile device contacts (also known as the user's "address book") and stored the personal information on Defendant's servers. For each contact in the user's mobile device address book, Defendant automatically collected and stored the following personal information, if available: first name; last name; address; phone numbers; email addresses; Facebook username; Twitter username; and date of birth. The automatic collection and storage of personal information from the user's mobile device contacts occurred the first time the user launched version 2.0 of the Path App and, if the user signed out of the service, each time the user signed in again. This practice continued until February 8, 2012."
The complaint also alleged:
"From November 14, 2010, through May 4, 2012, Defendant accepted registrations from users who entered a date of birth indicating that the user was under the age of 13. As a result, Defendant knowingly collected email address, first name, last name, date of birth, and if provided, gender and phone number, from approximately 3,000 children under age 13... From November 29, 2011, through February 8, 2012, Defendant also knowingly collected from these children the following personal information for each contact in the child's mobile device address book, if available: first name, last name, address, phone numbers, email addresses, and date of birth... Defendant did not provide parents with a direct notice of its information practices prior to collecting, using, or disclosing children's personal information. Defendant did not obtain verifiable consent from parents prior to collecting, using, or disclosing children's personal information."
However, Path Inc. faces other legal challenges, including a class-action lawsuit about similar privacy violations. The class-action suit included additional allegations that Path collected and shared more data with other companies, and tracked users with geo-tags.
To learn more, read about the COPPA Rule in the 2013 U.S. Federal Register (Adobe PDF, 590 kbytes).