Path to pay FTC $800K for collecting childrens' info without consent

Path is now required to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. The company has also agreed to pay a $800,000 fine to settle charges that it illegally collected personal information from children without their parents' consent.

"Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it’s mortgage applications thrown into open trash dumpsters, kids information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers," said FTC Chairman Jon Leibowitz. "This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans."

In its own statement, Path said that in the company's early history, children under the age of 13 were able to sign up for accounts. Since then, "a very small number" of accounts were closed.

"As you may know, we ask users’ their birthdays during the process of creating an account," the service said. "However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created."

The settlement and fine bring to an end the dispute over Path, which gained negative media attention a year ago when it was discovered that the popular social networking application was harvesting and uploading contact data. Apple CEO Tim Cook reportedly "grilled" Path co-founder Dave Morin over the alleged privacy breach, and the issue was rectified in a later update to the app.

The controversy prompted members of the U.S. Congress to send a letter to Apple seeking answers on the security of user address books and contacts stored on iOS devices. Path also publicly apologized for its "Add Friends" feature, which it said collected data to improve the quality of friend suggestions and to notify users when a contact joins Path.

The FTC filed a complaint that charged Path's iOS app with misleading consumers. It asserted that Path "provided consumers with no meaningful choice regarding the collection of their personal information."

In addition, the FTC alleged that Path's privacy policy had deceived consumers. Path had claimed it automatically collected only certain user information, such as an IP address, operating system, or browser type, but in reality the Path application automatically collected and stored address book information when the application was launched, and continued to do so each time a user signed back into their account.

The FTC also asserted that Path had violated the Children's Online Privacy Protection Act Rule by collecting personal information from about 3,000 children under the age of 13 without first getting parents' consent.

In addition to the $800,000 penalty that Path will pay, the social networking service is prohibited from making any misrepresentations about the extent to which it maintains the privacy and confidentiality of consumers' personal information. Path must also delete information collected from children under age 13. The service has already reportedly deleted the address book information it collected during the time when its deceptive practices were in place.