On February 1, 2013, the Federal Trade Commission (FTC) announced a settlement with Path, Inc., a social networking mobile application developer. Path offers and distributes "smart journal" mobile apps, which permit users to upload and share journal entries, photos, location, and other information with their personal networks of up to 150 friends. The settlement resolves claims that Path:
made deceptive statements to consumers regarding its collection of information from users' address books in violation of Section 5 of the FTC Act,1 and
knowingly collected personal information from children under 13 without satisfying the parental consent and other requirements of the Children's Online Privacy Protection Rule (the COPPA Rule).2
This settlement, along with other recent FTC initiatives,3 demonstrates the FTC's continued vigorous protection of children's privacy online and its current focus on the privacy practices of mobile app developers.4
Alleged Misrepresentations Regarding Collection and Storage of Personal Information
Alleged Failure to Comply with COPPA Rule Despite Knowing Collection of Personal Information from Children
The FTC also asserted that Path violated the COPPA Rule by failing to:
provide sufficient notice of its information practices with respect to children;
provide direct notice to parents of its information practices with respect to children; and
obtain verifiable parental consent before collecting, using, and disclosing personal information from children,
all of which were required because Path had actual knowledge that it was collecting personal information from children. Specifically, the FTC claimed that until May 4, 2012, Path accepted about 3,000 registrations through its mobile apps and its website from users who entered a birth date indicating that they were under the age of 13. Path consequently collected the personal information submitted by these children through the registration process, such as email address, first name, last name, and date of birth.
According to the complaint, these children also were able to: create a journal; upload, store, and share photos and written thoughts; share their location through the app's geo-location tracking feature; share names of friends; and comment on posts of others in their networks. On this basis, the FTC alleged that Path knowingly collected children's personal information and enabled children to publicly disclose their personal information through Path's networking service. Because Path did not provide proper online notice of its online privacy practices, provide any direct notice of its information practices to parents, or obtain parents' verifiable parental consent, the FTC asserted that Path violated the COPPA Rule, entitling the government to $16,000 per violation.
The settlement requires Path to pay an $800,000 civil penalty for the alleged COPPA violations. The settlement also includes an order requiring Path to:
refrain from future COPPA violations;
delete the personal information that it collected from children in violation of COPPA;
refrain from misrepresenting, either expressly or implicitly, the extent to which it maintains and protects the privacy and confidentiality of "covered information," which is defined to include, among other types of individually identifiable customer information, any kind of persistent identifier, and any communications and content stored on a consumer's mobile device;
establish, implement, and maintain a comprehensive privacy program meeting standards similar to those required by the FTC in other recent consumer privacy-related settlements, and undergo biennial assessments of such program by an independent third party for 20 years.
The Path settlement illustrates the serious consequences for app developers and others when it comes to privacy-related statements and practices. Privacy-related consent decrees typically include a requirement to implement a comprehensive privacy program with regular reporting and audits for 20 years. And even developers of apps that are not directed at children must be vigilant in ensuring compliance with the specific requirements of the COPPA Rule, or face the prospect of significant civil penalties. In fact, at a mobile privacy press event on February 1, 2013, accompanying the Path settlement, FTC Chairman Jon Leibowitz indicated that unless app developers improve their privacy and data security practices to meet the standards and principles enunciated by the FTC, the industry is likely to face more proscriptive laws relating to consumer privacy.5 The bottom line is that consumer privacy issues remain at the forefront for regulators, raise the potential for private class action litigation, and appear likely to garner increased legislative attention.
Wilson Sonsini Goodrich & Rosati's attorneys routinely help clients manage risks relating to the collection, use, and disclosure of consumer data by mobile applications, along with compliance with the COPPA Rule and attending to other rapidly changing domestic and international privacy and data security issues. For more information, please contact Lydia Parnes at firstname.lastname@example.org or (202) 973-8801; Tonia Klausner at email@example.com or (212) 497-7706; Matthew Staples at firstname.lastname@example.org or (206) 883-2583; Sharon Lee at email@example.com or (650) 849-3307; or any of the many members of our privacy and data security practice.