Path provides a social network service that allows users to keep journals of special life moments, including written thoughts, photos, the user’s geolocation and music, and to share those journals with up to 150 friends in their network. In version 2.0 of its iOS app, Path offered an “Add Friends” feature that would allow users to locate friends on the service through Facebook, through e-mail or SMS, or through the user’s mobile device address book (or contacts) list.

The FTC alleged that Path automatically collected and stored personal information from the user’s address book even if the user did not select the “find friends from your contacts” option. For each contact in the user’s address book, the Path app collected first and last names, addresses, phone numbers, e-mail addresses, Facebook and Twitter usernames, and dates of birth. This data collection occurred when a user first launched version 2.0 of the app and each time a user signed back into his/her account. The FTC focused on two aspects of consumer deception. First, the FTC believed that the Path app’s user interface was misleading because it implied that address book data would be accessed only if the user selected the “find friends from your contacts” option. Second, the FTC found that Path’s posted privacy policy misled consumers by disclosing that the app automatically collected only user information such as IP address, browser type, etc., but failed to disclose that the app also automatically collected address book information.

The settlement included a commitment to increase privacy safeguards and payment of an $800,000 fine. The regulators focused on the fact that the design of the application was deceptive in that users were made to believe that unless they elected to share address book contacts, the contacts would not be shared. However, legal authority for the fine was based in Path’s violation of the Children's Online Privacy Protection Act (COPPA). Early in the history of Path, the company collected personal information from about 3,000 users who were not yet 13, without their parents' consent, and permitted children to post personal information publicly on the Path social network service.

The FTC has indicated in past statements that it hoped Congress would pass legislation that would actually convey authority to the FTC to issue civil penalties for online privacy violations, but Congress has yet to act. Until then, the FTC will look to violations of other laws, such as COPPA, for authority to issue such fines.

Like the Facebook, Google, and MySpace settlements before, the Path settlement also requires the company to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years.

As mobile apps continue to grow their user bases through invitation and other viral-marketing features, it is imperative that care is taken to conspicuously disclose data collection and use practices and to consider where or when more affirmative forms of user consent might be warranted (for example, where users may include children under the age of 13). The FTC's press release on the Path settlement can be found here.