Social Networking Mobile App Developer Agrees to Pay $800,000 and Implement Comprehensive Privacy Program to Settle Claims for COPPA Violations and Deceptive Privacy Practices

by Wilson Sonsini Goodrich & Rosati

On February 1, 2013, the Federal Trade Commission (FTC) announced a settlement with Path, Inc., a social networking mobile application developer. Path offers and distributes "smart journal" mobile apps, which permit users to upload and share journal entries, photos, location, and other information with their personal networks of up to 150 friends. The settlement resolves claims that Path:

  • made deceptive statements to consumers regarding its collection of information from users' address books in violation of Section 5 of the FTC Act,1 and
  • knowingly collected personal information from children under 13 without satisfying the parental consent and other requirements of the Children's Online Privacy Protection Rule (the COPPA Rule).2

This settlement, along with other recent FTC initiatives,3 demonstrates the FTC's continued vigorous protection of children's privacy online and its current focus on the privacy practices of mobile app developers.4

Alleged Misrepresentations Regarding Collection and Storage of Personal Information

The FTC's complaint alleged that Path's user interface and privacy policy misrepresented Path's collection and storage of users' contact information, and provided consumers with no meaningful choice regarding the collection of their personal information. The FTC claimed that in version 2.0 of Path's iOS app, Path gave users three options for how to search for friends to add to their Path networks: (1) from the users' mobile device contacts, (2) through Facebook, and (3) by sending email or SMS invitations to the users' friends. However, according to the complaint, regardless of which option users selected, Path automatically collected personal information from users' mobile device contacts and stored this personal information on Path's servers. This information included, to the extent available, each contact's first name, last name, address, phone numbers, email addresses, Facebook username, Twitter username, and date of birth. According to the complaint, for approximately three months, Path automatically collected and stored this information upon the initial launch of the app, as well as each time users signed in to the app.

The FTC further alleged that until May 2012, Path did not provide notice to users, whether through Path's privacy policy or otherwise, of Path's automatic collection of this personal information. Instead, on the "About" page of its website, Path represented that "Path should be private by default. Forever. You should always be in control of your information and experience." In its privacy policy Path disclosed only that it automatically collected non-personal information such as IP address, operating system, browser type, address of a referring site, and activity on the Path site, and failed to make any mention of the automatic collection of information from users' address books. For these reasons, the FTC alleged that Path was deceptive regarding its collection and storage of the personal information of users' contacts in violation of Section 5 of the FTC Act.

Alleged Failure to Comply with COPPA Rule Despite Knowing Collection of Personal Information from Children

The FTC also asserted that Path violated the COPPA Rule by failing to:

  • provide sufficient notice of its information practices with respect to children;
  • provide direct notice to parents of its information practices with respect to children; and
  • obtain verifiable parental consent before collecting, using, and disclosing personal information from children,

all of which were required because Path had actual knowledge that it was collecting personal information from children. Specifically, the FTC claimed that until May 4, 2012, Path accepted about 3,000 registrations through its mobile apps and its website from users who entered a birth date indicating that they were under the age of 13. Path consequently collected the personal information submitted by these children through the registration process, such as email address, first name, last name, and date of birth.

According to the complaint, these children also were able to: create a journal; upload, store, and share photos and written thoughts; share their location through the app's geo-location tracking feature; share names of friends; and comment on posts of others in their networks. On this basis, the FTC alleged that Path knowingly collected children's personal information and enabled children to publicly disclose their personal information through Path's networking service. Because Path did not provide proper online notice of its online privacy practices, provide any direct notice of its information practices to parents, or obtain parents' verifiable parental consent, the FTC asserted that Path violated the COPPA Rule, entitling the government to $16,000 per violation.


The settlement requires Path to pay an $800,000 civil penalty for the alleged COPPA violations. The settlement also includes an order requiring Path to:

  • refrain from future COPPA violations;
  • delete the personal information that it collected from children in violation of COPPA;
  • refrain from misrepresenting, either expressly or implicitly, the extent to which it maintains and protects the privacy and confidentiality of "covered information," which is defined to include, among other types of individually identifiable customer information, any kind of persistent identifier, and any communications and content stored on a consumer's mobile device;
  • clearly and prominently disclose to its users, separate from any privacy policy, terms of use, blog, statement of values, or other similar document, the categories of information that Path accesses and collects from users' mobile devices and obtain users' affirmative express consent to access or collect such information; and
  • establish, implement, and maintain a comprehensive privacy program meeting standards similar to those required by the FTC in other recent consumer privacy-related settlements, and undergo biennial assessments of such program by an independent third party for 20 years.


The Path settlement illustrates the serious consequences for app developers and others when it comes to privacy-related statements and practices. Privacy-related consent decrees typically include a requirement to implement a comprehensive privacy program with regular reporting and audits for 20 years. And even developers of apps that are not directed at children must be vigilant in ensuring compliance with the specific requirements of the COPPA Rule, or face the prospect of significant civil penalties. In fact, at a mobile privacy press event on February 1, 2013, accompanying the Path settlement, FTC Chairman Jon Leibowitz indicated that unless app developers improve their privacy and data security practices to meet the standards and principles enunciated by the FTC, the industry is likely to face more proscriptive laws relating to consumer privacy.5 The bottom line is that consumer privacy issues remain at the forefront for regulators, raise the potential for private class action litigation, and appear likely to garner increased legislative attention.

Wilson Sonsini Goodrich & Rosati's attorneys routinely help clients manage risks relating to the collection, use, and disclosure of consumer data by mobile applications, along with compliance with the COPPA Rule and attending to other rapidly changing domestic and international privacy and data security issues. For more information, please contact Lydia Parnes at or (202) 973-8801; Tonia Klausner at or (212) 497-7706; Matthew Staples at or (206) 883-2583; Sharon Lee at or (650) 849-3307; or any of the many members of our privacy and data security practice.

1 15 U.S.C. § 45. Section 5 of the FTC Act prohibits unfair and deceptive acts or practices in or affecting commerce.

2 16 CFR Part 312. The COPPA Rule regulates the online collection of personal information from children under 13 years of age, as well as the use and disclosure of such information.

3 The FTC recently issued extensive amendments to the COPPA Rule, effective July 1, 2013, which have significant implications for mobile app developers, among others. For information on the COPPA Rule amendments, please see our WSGR Alert at Additionally, on the same date as its settlement with Path, the FTC released a Staff Report on mobile privacy disclosures, available at, as well as a guide to data security for mobile app developers, available at

4 Path also is involved in private class action litigation relating to its collection of address book information without notice or user consent. In one such litigation, some claims survived Path's motion to dismiss. Hernandez v. Path, Inc., Order Granting in Part Motion to Dismiss with Leave to Amend, 2012 WL 5194120 (N.D. Cal. Oct. 19, 2012, Case No. 12-CV-01515 YGR); see also Opperman v. Path, Inc., et al., Second Amended Complaint (W.D. Tex. Filed Sept. 11, 2012, Case No. 1:12:00219-SS).

5 Remarks of Federal Trade Commission Jon Leibowitz (as prepared for delivery) at Mobile Privacy Press Event, Washington, D.C. (Feb. 2013), available at

Written by:

Wilson Sonsini Goodrich & Rosati

Wilson Sonsini Goodrich & Rosati on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.