Privacy Blog Post- Kenneth Villa

Path Settles With FTC Over Privacy Row-Will Pay $800K And Establish New Privacy Program Including Outside Audits

TechCrunch

http://techcrunch.com/2013/02/01/path-settles-with-ftc-over-privacy-row-will-pay-800k-and-establish-new-privacy-program-including-outside-audits/

Business Week

http://www.businessweek.com/printer/articles/420272?type=bloomberg

Path, a social networking mobile app that allows users to share various types of social media content with one another, agreed to pay an $800,000 fee for violating the Children’s Online Privacy Protection Act and for misleading users with its “Add Friends” feature.

In a case bearing some similarities to the Google Buzz settlement, the FTC alleged that Path misled consumers and failed to provide users with a meaningful choice regarding the collection of their personal information. Path had an “Add Friends” feature that allowed users to add new connections to their networks through three options: “Find friends from your contacts,” “Find friends from Facebook,” or “Invite friends to join Path by email or SMS.” However, even if users chose not to select the first option, Path automatically collected and stored personal information from the iOS address book whenever the user first launched the app and each time the user signed back into the account. Path automatically recorded the names, addresses, phone numbers, email addresses, birth dates, and Facebook and Twitter usernames of each contact. Therefore, the FTC alleged that Path’s privacy policy deceived consumers by claiming that it only automatically collected the following information about its users: IP address, operating system, browser type, address of referring site, and site activity information.

Additionally, the FTC alleged that Path had violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from around 3,000 children who were under the age of 13, without requiring parental sign-off. Children comprised a portion of Path’s users, since the app enabled children to create personal journals and upload, store and share photos, written “thoughts,” their location, and songs they were listening to.

As part of its settlement, Path agreed to pay an $800,000 fee for its violation. In addition to the fine, Path will be creating a “comprehensive privacy program,” which requires a privacy assessment from external disinterested third-party sources every other year. The assumptions made in class, that startups enjoy more flexibility with their data privacy and receive less scrutiny from the FTC, are debunked by this settlement. Despite raising $40 million in venture capital, Path is still a small startup without a firm revenue model in place. This settlement sends a clear and strong message to young companies that data privacy must be an important consideration at the early stages of their product development cycle. Although this might initially cause companies to delay product launches, the trade-off seems to be well worth it since it will presumably lead to better protections for user data.

Another reason that justifies the stiff fine is that Path violated COPPA by acquiring children’s personal information without parental consent. Based on my previous experiences in the industry, children are typically a vulnerable age group, susceptible to stalkers, pedophiles, and child pornographers. Therefore, it is likely that this was an important consideration in establishing a settlement figure.

In conjunction with this settlement, the FTC also took the time to release a new set of guidelines for mobile developers, since mobile apps are proliferating at a fast rate and developers are increasingly obtaining large amounts of private data from their users. Some of the guidelines urge developers not to store passwords in plaintext on their servers and to designate at least one member of the team to be responsible for considering security at every stage of the app’s development.

Lastly, this article signals the FTC’s increasing scrutiny and regulation of the mobile technology industry. Previously, the Federal Communications Commission (FCC) and the U.S. Food and Drug Administration (FDA) were the two primary governmental agencies that regulated the cell phone industry, the latter in charge of regulating health-related concerns with cell phone use and the former certifying wireless devices and ensuring that they comply with FCC regulations. All that is beginning to change with the increasing capabilities of mobile phones. It is likely that mobile app makers and the mobile phone industry will get increasing scrutiny from other governmental agencies in the future, most notably from the FTC.