App Developer Reaches a Deal on Data Mining

     SAN FRANCISCO (CN) – A social networking application developer agreed to stop collecting data from children under the age of 13, signaling a quick surrender in the face of federal action.
     The U.S. government asked for an injunction in late January, claiming that Path Inc. violated Federal Trade Commission rules by collecting and storing data from the address books of its minor users.
     Path describes its app in the iTunes App Store as “the smart journal that helps you share life with the ones you love – your thoughts, the music you’re listening to, where you are, who you’re with, when you wake and when you sleep.” The app allows users to interact on public networks such Twitter, Foursquare and Facebook.
     Failing to notify the parents of minor users about data-mining practices constitutes a violation of Children’s Online Privacy Protection Rule, or COPPA.
     In a settlement filed Friday, Path agreed to provide “sufficient notice” about the data it collects online from children and direct notices to parents about how it uses the data collected from their children.
     Path must also obtain “verifiable parent consent before any collection, use and/or disclosure of personal information from children,” according to the consent decree.
     The developer must also destroy all information it has collected so far, and it has five days to pay an $800,000 fine.
     Another provision of the deal forbids Path from collecting data from any user’s address book or mobile device without the user’s “affirmative express consent.”
     Path must furthermore set up a comprehensive privacy program to “address privacy risks related to the development and management of new and existing products and services for consumers and protect the privacy and confidentiality of covered information,” according to the order.
     Users sued Path last year, accusing the company of snooping through the contacts on their mobile devices and storing sensitive information so insecurely that it is accessible to “even an unsophisticated hacker.”
     Though a federal judge ultimately gutted large portions of that action in October, she found that it was too early to dismiss computer privacy claims under California law.
     Under its agreement with the federal government, Path must hire third-party auditors to conduct initial and biennial assessments of its privacy controls. The FTC demands Path’s first compliance report within 180 days.
     The agreement and consent decree applies to Path and any successors for the next 20 years, according to the order.

%d bloggers like this: