The Federal Trade Commission (FTC) on Friday announced Path has agreed to settle charges that it deceived users in its iOS app by collecting personal information from their mobile device address books without their knowledge and consent.

The settlement requires the mobile company to establish a “comprehensive” privacy program, to obtain independent privacy assessments every other year for the next 20 years, and to pay an $800,000 fee. The fine is for illegally collecting personal information from children without their parents’ consent.

In its complaint, the FTC charged that the user interface in version 2.0 of Path’s iOS app was misleading and provided consumers no meaningful choice regarding the collection of their personal information. Path had an “Add Friends” feature to help users add new connections to their networks with three options: “Find friends from your contacts,” “Find friends from Facebook,” or “Invite friends to join Path by email or SMS.”

Yet Path automatically collected and stored personal information from the iOS address book even if the user had not selected the first option, when the user first launched the app and each time he or she signed back into the account. For each contact in the address book, Path automatically grabbed any available first and last names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, as well as dates of birth. The FTC also alleged that Path’s privacy policy deceived consumers by claiming that it automatically collected only certain user information such as IP address, operating system, browser type, address of referring site, and site activity information.

Path first admitted the practice on February 7, saying it was grabbing users’ address books to “match friends” and would be changing the feature to opt-in. The backlash was massive, and Path released an update the next day, including an apology from Path CEO Dave Morin. Exactly a week later, Congress got involved.

Again, the settlement comes from the FTC charging that Path violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent. On both iOS and Android, as well as its website, the FTC says Path enabled children to create personal journals and upload, store and share photos, written “thoughts,” their precise location, and the names of songs they were listening to.

Path issued a statement today to alert its users of the settlement. Here it is in full:

Today the United States Federal Trade Commission (FTC) announced that it reached a settlement pending court approval with Path regarding alleged violations of the Children’s Online Privacy Protections Act (COPPA). The gist of the FTC’s complaint is this: early in Path’s history, children under the age of 13 were able to sign up for accounts. A very small number of affected accounts have since been closed by Path.

As you may know, we ask users’ their birthdays during the process of creating an account. However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created.

We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA. From a developer’s perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn’t until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent.

Throughout this experience and now, we stand by our number one commitment to serve our users first.

Image credit: qiaomeng