Path fined $800K, forced to revamp privacy policy

FTC says social network collected info from its users, including children, without permission

Back in February 2011, Path found itself in trouble for uploading the contact list of its iPhone users without permission. CEO Dave Morin posted an apology, saying that Path deleted all the address book data, but that was not enough for the Federal Trade Commission. The FTC spent the next year figuring out what punishment to levy against the photo sharing social network for violating the privacy of its users.

The FTC has brought its investigation to a close, announcing Friday that Path has agreed to a settlement in which it will pay a $800,000 fine. The social network is also being forced to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years for "allegedly collecting kids' personal information without their parents’ consent."

“Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it’s mortgage applications thrown into open trash dumpsters, kids information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers,” outgoing FTC Chairman Jon Leibowitz said in a statement. “This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans.

In its complaint, the FTC said that Path had mislead consumers and did not give them a "meaningful choice regarding the collection of their personal information."

In version 2.0 of its app, Path offered an “Add Friends” feature to help users add new connections to their networks. The feature gave users three options: “Find friends from your contacts;” “Find friends from Facebook;” or “Invite friends to join Path by email or SMS.” But even if the user did not select “Find friends from your contacts," the network would automatically collect and store information about that person's contacts anyway, including first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth.

Path is also accused of lying to consumers about what type of data was automatically collected. The FTC alleged that the company's policy claimed that it would only collect only certain user information, including IP address, operating system, browser type, address of referring site, and site activity information. Instead, the app was automatically collecting and storing personal information from the user’s mobile device address book.

But perhaps the most serious charge against path was its apparent violation of the Children’s Online Privacy Protection Act (COPPA) Rule, which it violated by collecting personal information from roughly 3,000 children under the age of 13 without first getting parents’ consent. It also violated the rule by not specifically disclosing its policy regarding the collection of the information of children, and not providing the parents of those children with that policy.

The settlement also prohibits Path from "making any misrepresentations about the extent to which it maintains the privacy and confidentiality of consumers’ personal information" and forces the network to delete the information that was collected from any child under the age of 13.

Perhaps in an effort to stop this type of issue from copping up again, the FTC introduced a new business guideline called Mobile App Developers: Start with Security to help apps avoid the same type of privacy issues Path found itself violating. 

"We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA. From a developer’s perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn’t until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent," Path wrote in a blogpost regarding the settlement Friday.

Path is a social network built around exclusivity, meaning that it only allows users to have a maximum of 150 friends. The limitation is meant to foster greater connections between people, and to encourage the sharing of more personal information. The idea is that you will only choose the people you are closest to, and will feel more comfortable telling those people more personal things about yourself. It is a more personal kind of social network.

The social network has raised over $40 million, including a $8.65 million Series A from Kleiner Perkins Caufield & Byers, Index Ventures and Digital Garage Japan at the beginning of 2011 and a $30 million Series B round from Greylock Partners, Redpoint Ventures, Jerry Murdock , Sir Richard Branson, Kleiner Perkins Caufield & Byers, Index Ventures, Mark Pincus, Yuri Milner and Allen & Company in April 2012.

(Image source: https://www.digitaltrends.com)