Many brand owners would like to build brand awareness and loyalty among young people, even if these minors are not yet able to purchase the branded good or service. One way companies seek to engage the younger generation is by offering brand specific applications (“apps”) for smartphones and other mobile devices.

On February 8, 2013, the Federal Trade Commission (FTC) approved a consent decree filed in the U.S. District Court for the Northern District of California to resolve a complaint charging Path, Inc., a mobile application developer, with making deceptive statements and violating the Children’s Online Privacy Protection Act (COPPA).[1] See FTC Feb. 1, 2013 Release; see also 16 CFR Part 312.

The Consent Decree orders Path to pay $800,000 in civil penalties, and subjects the company to a permanent injunction, as well as other equitable remedies. See Feb. 8, 2013 Consent Decree.

According to the Complaint, Path operates, through a mobile app, a social networking service that allow users to share journals, photos and other information with the users’ network of friends.

The federal complaint charged that Path’s privacy policy was deceptive under Section 5 of the FTC Act because, contrary to its privacy policy, the company’s mobile app automatically collected personal information such as first and last names, addresses, phone numbers, birth dates, and email addresses from the user’s mobile device address book each time the user logged in to the app, whether or not the user had authorized the collection. See Complaint.

The Complaint also alleged that the Path app collected birth date information during user registration. As a result, the FTC claimed that the company was aware it was collecting personal information from approximately 3,000 children under the age of 13.

The Complaint asserted that Path violated COPPA by failing to notify parents and obtain verifiable parental consent prior to collecting personal information from children.

The FTC announced the Path Consent Decree a week after the Commission issued a Staff Report relating to mobile apps and consumer privacy. The FTC Staff Report, issued on February 1, 2013, contained privacy recommendations for various participants in the mobile app ecosystem: From platforms to developers to advertising networks to trade associations.

Although the Staff Report contained no binding regulations, it offered insight into the FTC staff’s views on how to improve privacy disclosures in the dynamic world of the very small screen.[2]

Specifically, the FTC Staff recommended that app developers:

  • Have a privacy policy and make it available through the platform’s app store. Id. at 22.
  • Provide just-in-time disclosures to consumers and to obtain “affirmative express consent when collecting sensitive information outside the platform’s API, such as financial, health, or children’s data, or sharing sensitive data with third parties.” Id. at 23 (footnote omitted). The Report stressed that “it is important that these app-level disclosures not repeat the platform-level disclosures.”
  • “Improve coordination with ad networks and other third parties that provide services for apps so that the apps can provide truthful disclosures.” Id. at 24.
  • Consider participating in self-regulatory programs and app trade associations for their guidance on “uniform, short-form privacy disclosures.” Id.

The Staff Report noted that the National Telecommunications and Information Agency (part of the U.S. Department of Commerce) has initiated a multi-stakeholder process to develop a “code of conduct” for mobile apps. “To the extent that strong privacy codes are developed, the FTC will view adherence to such codes favorably in connection with its law enforcement work.” Id. at iii.

Recently, the FTC has emphasized the applicability of the COPPA rule to sites not targeted at children. In a blog statement describing the Path settlement, Senior FTC Attorney Lesley Fair stated: “COPPA isn’t just for kids’ sites. Yes, the rules apply when sites and online services are specifically designed for the under-13 set, but don’t be too quick to assume you’re not covered. The Rule also imposes legal responsibilities on operators who have actual knowledge they’re collecting person info from kids.” See Fair’s Statement.

The FTC is also reportedly moving enforcement of the Children’s Online Privacy Protection Act from its Division of Advertising Practices to its Division of Privacy and Identity Protection (DPIP). See Broadcasting & Cable Report.

Any company that collects information from visitors to its website may consider incorporating COPPA compliance into its planning process and may wish to consider joining the process to develop a code of conduct for mobile apps.

This article was prepared by Erika Brown Lee ( / 202 662 0398) and Sue Ross ( / 212 318 3280) of Fulbright’s Privacy, Competition and Data Protection Practice.

Sources: United States v. Path Inc., No. 3:13-cv-00448-JCS (N.D. Cal.); Federal Trade Commission: Path Social Networking App Settles FTC Charges it Deceived Consumers and Improperly Collected Personal Information from Users’ Mobile Address Books (Feb. 1, 2013); 16 CFR Part 312, Children’s Online Privacy Protection Rule (Final Rule) (Jan. 17, 2013); Federal Trade Commission: Staff Report Recommends Ways to Improve Mobile Privacy Disclosures (Feb. 1, 2013); John Eggerton, FTC Moving COPPA Under Privacy Division, Broadcasting & Cable (Feb. 15, 2013).

[1] Note that this complaint and proposed consent order relate to the current COPPA requirements. New COPPA regulations go into effect on July 1, 2013. The new regulations can be found at 78 FR 3972, Jan. 17, 2013.

[2] “Here, however, staff is not imposing rules on any members of the mobile ecosystem. Rather, it is identifying areas where ecosystem participants, including mobile platforms, should consider improving mobile privacy disclosure practices.” Staff Report at 15 n.70.