A Cautionary Tale For Mobile App Start-Ups

Last week, small-scale social networking app provider Path settled Federal Trade Commission charges that that the company improperly collected personal information in violation of the FTC Act and the Children’s Online Privacy Protection Act (“COPPA”).

Path allows users to upload, store and share their photos, journal entries, notes, location, and other personal information with up to 150 friends.

The FTC objected to the method Path used to collect and store personal data. The FTC especially didn’t like the “Add Friends” feature which offered users the “option” to find friends from contacts or Facebook or add friends by email or text invitation. But no matter which contacts the user selected, Path automatically collected and stored contact information for every name stored in the user’s mobile address book. The problem with this all-in approach is that it completely conflicts with Path’s Privacy Policy. And according to the FTC, that’s a deceptive practice under the FTC Act.

The FTC also charged that Path violated COPPA by knowingly accepting registrations from over 3,000 children under 13, without first getting their parents’ consent. Not only did the app store those kids’ information, it then collected personal information for each contact in the child’s mobile address book. A double no-no.

The settlement requires Path to establish a comprehensive privacy program and obtain independent privacy assessments every other year for the next 20 years. It also includes a hefty $800,000 fine – a significant penalty for a relatively new startup. Yikes!

Along with the FTC’s announcement of the settlement, the FTC also issued guidelines on data security standards and a pamphlet on how to improve mobile privacy disclosures.

And now, speaking of disclosures, here comes a shameless plug. I will be hosting a Webinar on Data Privacy on March 20th. Stay tuned for the details.