The Federal Trade Commission’s $800,000 settlement with social network Path last Friday offered more evidence that federal and state regulators will be active participants in defining better ways to protect consumer privacy in an era of interactive finance. In this case, the FTC trained a light on the vexing question of design and how companies should disclose honestly, efficiently, and effectively how they will use a customer’s personal information -- without making customers overly anxious.
The legal case against Path spotlighted the collection of data for 3,000 children under age 13, but the implications of this case extend well beyond a case of preying on kids. It really highlights the challenges for any company that seeks to mine personal data. That obviously starts with app developers like Path, but it also affects personal finance management (PFM) players that include banks and credit unions, card networks, billers, mobile carriers -- and anyone who aims to play in the mobile space.
So, yes, I mean anyone. It is but the latest sign that regulators are pressing the industry to self-police – or else – and that states will turn up the heat if the feds move too slowly:
- California Attorney General Kamala Harris sued Delta Airlines in December over its mobile app, then followed up in January with policy recommendations for the mobile ecosystem.
- Maryland’s Attorney General established an Internet Privacy Unit in January to investigate digital privacy.
- And this month the FTC issued an advisory guide titled, “Mobile App Developers: Start with Security.”
Path is a social networking site that enables users to compile a “smart journal that helps you share life with the ones you love.” But the FTC alleged in its complaint that Path didn’t give users a real choice about their sharing in version 2.0. Path gave users three options:
- “Find friends from your contacts,”
- “Find friends from Facebook,” and
- “Invite friends to join Path by email or SMS.”
The FTC noted that Path already was automatically sneaking into its users’ mobile address books to cull first and last names of friends, their Facebook and Twitter user names, and their birthdays. Path also collected more information about its own users.
Path’s privacy policy said it would collect information such as IP address, operating system, browser type, address of the referring site, and site activity. In truth it also collected and stored personal information from the user’s mobile device address book every time they signed on.
(Addendum: VentureBeat has reported that Path also appears to have inadvertently collected geotag information on images that users post.) The upshot is that Path owes an $800,000 civil penalty and faces 20 years of privacy assessments. But companies like Path and Delta are just the first to serve as examples of how regulators are pushing for more transparency on privacy.