by Brent Dirks
February 1, 2013
The developer of the iOS app Path has agreed to settle with the Federal Trade Commission over charges that it collected users' address books without their knowledge or consent. As part of the settlement, Path must establish a comprehensive privacy program and obtain independent privacy assessments every other year for the next two decades. The company will also pay $800,000 to settle charges that it illegally collected personal information from children under 13 without their parents' permission, a violation of the Children’s Online Privacy Protection Act.
"Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it's mortgage applications thrown into open trash dumpsters, kids' information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers," said FTC Chairman Jon Leibowitz. "This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans."
Path also issued a statement on its blog:
Today the United States Federal Trade Commission (FTC) announced that it reached a settlement pending court approval with Path regarding alleged violations of the Children’s Online Privacy Protections Act (COPPA). The gist of the FTC’s complaint is this: early in Path’s history, children under the age of 13 were able to sign up for accounts. A very small number of affected accounts have since been closed by Path. As you may know, we ask users their birthdays during the process of creating an account. However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any underage accounts that had mistakenly been allowed to be created.
The controversy kicked off last February. A Path fan and iOS developer discovered that version 2.0 of the app automatically collected private information, including any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth from a user’s address book without permission. Path quickly apologized and issued an updated version of the social networking app that stopped the practice. All user data that was collected without permission was also deleted from the company’s servers. Thanks to the publicity from the Path incident, Apple designed a feature in iOS 6 that forced third-party apps to explicitly request user permission to access personal information.
We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA. From a developer’s perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn’t until we gave our account verification system a second look that we realized there was a problem.
We hope our experience can help others as a reminder to be cautious and diligent. Throughout this experience and now, we stand by our number one commitment to serve our users first.