Privacy & Information Security Law Blog

On February 1, 2013, the Federal Trade Commission issued a new report entitled Mobile Privacy Disclosures: Building Trust Through Transparency. The report makes recommendations “for the major participants in the mobile ecosystem as they work to improve mobile privacy disclosures,” offering specific recommendations for mobile platforms, app developers, advertising networks and other third parties operating in this space. The FTC’s report also makes mention of the Department of Commerce’s National Telecommunications and Information Administration’s efforts to engage in a multistakeholder process to develop an industry code of conduct for mobile apps.

During a February 1 press conference announcing the new staff report, FTC Chairman Jon Leibowitz also mentioned the security guide for mobile app developers developed by the FTC’s Bureau of Consumer Protection, and discussed the FTC’s settlement with a social networking service relating to alleged privacy violations associated with the service’s mobile app. Path, Inc. (“Path”) agreed to settle FTC charges that it collected personal information from users’ mobile devices without their knowledge and consent, and the company will pay $800,000 to settle charges that it violated the Children’s Online Privacy Protection Act Rule (“COPPA Rule”) by collecting personal information from children without obtaining parental consent.

According to the FTC’s complaint, Path provided social networking service through a mobile application that provided users three options: (1) find friends from contacts; (2) find friends from Facebook; and (3) invite friends to join Path by email or SMS. The Path app, however, automatically collected personal information from users’ mobile device address books regardless of whether the user chose to use the “find friends” option. The personal information Path collected from users’ address books included names, addresses, phone numbers, email addresses, Facebook usernames, Twitter usernames and dates of birth. The FTC also alleged that Path violated the COPPA Rule by failing to provide notice and get parental consent with respect to its collection, use and disclosure of this type of personal information when it was obtained through the app from children.

In addition to the $800,000 civil penalty, the consent order bars Path from collecting children’s personal information without notice and parental consent and requires Path to delete information collected from children under the age of 13. The consent order also requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments. Acknowledging the settlement in a blog post, Path expressed its “hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA.”

Responding to questions regarding the Path settlement during the February 1 press conference, Leibowitz alluded to longstanding efforts to persuade Congress to pass legislation giving the Commission authority to levy civil penalties for FTC Act violations. Currently the FTC cannot impose monetary penalties for such violations unless the violating party is already subject to a consent order, or if another law that includes civil penalties applies to the case. Because federal laws such as the Fair Credit Reporting Act and COPPA have such penalty provisions, the FTC has been able to obtain monetary relief for alleged unfair or deceptive trade practices that also represent violations of those laws.

Speaking of enforcement issues generally, Leibowitz said, “if some companies don’t wake up, there could be more enforcement actions.” He also said that “the history of legislation is that generally – if companies do not take meaningful self-regulatory action, Congress often tells them that they have to do so.”

The new report and enforcement action are further examples of the FTC’s emphasis on transparency and truthfulness when it comes to the collection and use of consumer personal information, particularly with respect to children’s data and in the mobile app context. In December 2012, the FTC released Mobile Apps for Kids: Disclosures Still Not Making the Grade, which followed up on its February 2012 report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing.

Leibowitz described the new report and the Path settlement as among his last initiatives as FTC Chairman, announcing that he will step down from his role on February 15, 2013.