According to the complaint Path represented that personal information from the user's mobile device contacts would be collected only if the user clicked on "Add Friends" and then chose the "Find friends from your contacts" option. But despite that promise, Path automatically collected and stored personal data the first time the user launched the app and, if they signed out, each time they signed back in again. That, says the FTC, made Path's statement false.
The FTC offers the following take-aways for businesses:
- The main message comes as no surprise: Honor your privacy promises and be especially careful when it comes to kids' information. What's a little different is that the message is going out with ATTN: MOBILE APP DEVELOPERS across the top. Well-established consumer protection principles apply across the board, including to companies in the mobile market.
- The default mindset about data collection used to be to gather as much as possible whenever possible. We've said it before, but that approach is <Valley Girl voice> like soooo 20th Century </Valley Girl voice>. As savvy companies know, the wiser approach - and a central tenet of "Privacy by Design" - is to think through your needs and ask only for information you have a legitimate reason to collect. Gathering data "just 'cuz" doesn't cut ice with consumers anymore.
- Just because a platform gives you the technological capability to do something, doesn't mean it's the right thing for your business or your users. It's a mistake to assume that somebody else - for instance, a mobile operating system provider or a device manufacturer - has thought through the privacy implications. When it comes to your app and your users, the buck stops with you.
- COPPA isn't just for kids' sites. Yes, the rules apply when sites and online services are specifically designed for the under-13 set, but don't be too quick to assume you're not covered. The Rule also imposes legal responsibilities on operators who have actual knowledge they're collecting personal info from kids.
Companies are well advised to have experienced legal counsel review your privacy policies and applications.
See the full FTC Blog post here