Social Networking Mobile App Developer Agrees to Pay $800,000 and Implement Comprehensive Privacy Program to Settle Claims for COPPA Violations and Deceptive Privacy Practices

Wilson Sonsini Goodrich & Rosati

On February 1, 2013, the Federal Trade Commission (FTC) announced a settlement with Path, Inc., a social networking mobile application developer. Path offers and distributes "smart journal" mobile apps, which permit users to upload and share journal entries, photos, location, and other information with their personal networks of up to 150 friends. The settlement resolves claims that Path:

  • made deceptive statements to consumers regarding its collection of information from users' address books in violation of Section 5 of the FTC Act,1 and
  • knowingly collected personal information from children under 13 without satisfying the parental consent and other requirements of the Children's Online Privacy Protection Rule (the COPPA Rule).2

This settlement, along with other recent FTC initiatives,3 demonstrates the FTC's continued vigorous protection of children's privacy online and its current focus on the privacy practices of mobile app developers.4

Alleged Misrepresentations Regarding Collection and Storage of Personal Information

The FTC's complaint alleged that Path's user interface and privacy policy misrepresented Path's collection and storage of users' contact information, and provided consumers with no meaningful choice regarding the collection of their personal information. The FTC claimed that in version 2.0 of Path's iOS app, Path gave users three options for how to search for friends to add to their Path networks: (1) from the users' mobile device contacts, (2) through Facebook, and (3) by sending email or SMS invitations to the users' friends. However, according to the complaint, regardless of which option users selected, Path automatically collected personal information from users' mobile device contacts and stored this personal information on Path's servers. This information included, to the extent available, each contact's first name, last name, address, phone numbers, email addresses, Facebook username, Twitter username, and date of birth. According to the complaint, for approximately three months, Path automatically collected and stored this information upon the initial launch of the app, as well as each time users signed in to the app.

The FTC further alleged that until May 2012, Path did not provide notice to users, whether through Path's privacy policy or otherwise, of Path's automatic collection of this personal information. Instead, on the "About" page of its website, Path represented that "Path should be private by default. Forever. You should always be in control of your information and experience." In its privacy policy Path disclosed only that it automatically collected non-personal information such as IP address, operating system, browser type, address of a referring site, and activity on the Path site, and failed to make any mention of the automatic collection of information from users' address books. For these reasons, the FTC alleged that Path was deceptive regarding its collection and storage of the personal information of users' contacts in violation of Section 5 of the FTC Act.

Alleged Failure to Comply with COPPA Rule Despite Knowing Collection of Personal Information from Children

The FTC also asserted that Path violated the COPPA Rule by failing to:

  • provide sufficient notice of its information practices with respect to children;
  • provide direct notice to parents of its information practices with respect to children; and
  • obtain verifiable parental consent before collecting, using, and disclosing personal information from children,

all of which were required because Path had actual knowledge that it was collecting personal information from children. Specifically, the FTC claimed that until May 4, 2012, Path accepted about 3,000 registrations through its mobile apps and its website from users who entered a birth date indicating that they were under the age of 13. Path consequently collected the personal information submitted by these children through the registration process, such as email address, first name, last name, and date of birth.

According to the complaint, these children also were able to: create a journal; upload, store, and share photos and written thoughts; share their location through the app's geo-location tracking feature; share names of friends; and comment on posts of others in their networks. On this basis, the FTC alleged that Path knowingly collected children's personal information and enabled children to publicly disclose their personal information through Path's networking service. Because Path did not provide proper online notice of its privacy practices, provide any direct notice of its information practices to parents, or obtain verifiable parental consent, the FTC asserted that Path violated the COPPA Rule, entitling the government to $16,000 per violation.

Settlement

The settlement requires Path to pay an $800,000 civil penalty for the alleged COPPA violations. The settlement also includes an order requiring Path to:

  • refrain from future COPPA violations;
  • delete the personal information that it collected from children in violation of COPPA;
  • refrain from misrepresenting, either expressly or implicitly, the extent to which it maintains and protects the privacy and confidentiality of "covered information," which is defined to include, among other types of individually identifiable customer information, any kind of persistent identifier, and any communications and content stored on a consumer's mobile device;
  • clearly and prominently disclose to its users, separate from any privacy policy, terms of use, blog, statement of values, or other similar document, the categories of information that Path accesses and collects from users' mobile devices and obtain users' affirmative express consent to access or collect such information; and
  • establish, implement, and maintain a comprehensive privacy program meeting standards similar to those required by the FTC in other recent consumer privacy-related settlements, and undergo biennial assessments of such program by an independent third party for 20 years.

Implications

The Path settlement illustrates the serious consequences for app developers and others when it comes to privacy-related statements and practices. Privacy-related consent decrees typically include a requirement to implement a comprehensive privacy program with regular reporting and audits for 20 years. And even developers of apps that are not directed at children must be vigilant in ensuring compliance with the specific requirements of the COPPA Rule, or face the prospect of significant civil penalties. In fact, at a mobile privacy press event on February 1, 2013, accompanying the Path settlement, FTC Chairman Jon Leibowitz indicated that unless app developers improve their privacy and data security practices to meet the standards and principles enunciated by the FTC, the industry is likely to face more proscriptive laws relating to consumer privacy.5 The bottom line is that consumer privacy issues remain at the forefront for regulators, raise the potential for private class action litigation, and appear likely to garner increased legislative attention.

Wilson Sonsini Goodrich & Rosati's attorneys routinely help clients manage risks relating to the collection, use, and disclosure of consumer data by mobile applications, along with compliance with the COPPA Rule and attending to other rapidly changing domestic and international privacy and data security issues. For more information, please contact Lydia Parnes at lparnes@wsgr.com or (202) 973-8801; Tonia Klausner at tklausner@wsgr.com or (212) 497-7706; Matthew Staples at mstaples@wsgr.com or (206) 883-2583; Sharon Lee at shlee@wsgr.com or (650) 849-3307; or any of the many members of our privacy and data security practice.


1 15 U.S.C. § 45. Section 5 of the FTC Act prohibits unfair and deceptive acts or practices in or affecting commerce.

2 16 CFR Part 312. The COPPA Rule regulates the online collection of personal information from children under 13 years of age, as well as the use and disclosure of such information.

3 The FTC recently issued extensive amendments to the COPPA Rule, effective July 1, 2013, which have significant implications for mobile app developers, among others. For information on the COPPA Rule amendments, please see our WSGR Alert at http://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-COPPA-final-amendments.htm. Additionally, on the same date as its settlement with Path, the FTC released a Staff Report on mobile privacy disclosures, available at http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf, as well as a guide to data security for mobile app developers, available at http://business.ftc.gov/documents/bus83-mobile-app-developers-start-security.

4 Path also is involved in private class action litigation relating to its collection of address book information without notice or user consent. In one such litigation, some claims survived Path's motion to dismiss. Hernandez v. Path, Inc., Order Granting in Part Motion to Dismiss with Leave to Amend, 2012 WL 5194120 (N.D. Cal. Oct. 19, 2012, Case No. 12-CV-01515 YGR); see also Opperman v. Path, Inc., et al., Second Amended Complaint (W.D. Tex. Filed Sept. 11, 2012, Case No. 1:12:00219-SS).

5 Remarks of Federal Trade Commission Chairman Jon Leibowitz (as prepared for delivery) at Mobile Privacy Press Event, Washington, D.C. (Feb. 2013), available at http://www.ftc.gov/speeches/leibowitz/130201leibowitzmobileprivacy.pdf.
