Path CEO Dave Morin. Photo by Om Malik

Path, the San Francisco-based startup that offers private social networking services, has reached a settlement with the Federal Trade Commission (pending judicial approval) on alleged violations of the Children’s Online Privacy Protections Act (COPPA). As part of the settlement, the company will pay a fine of $800,000 and has purged about 3,000 accounts from the network. The settlement requires Path to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years, the FTC said in a statement.

The discovery of the underage members came as a byproduct of the FTC investigation into the privacy fiasco over the uploading of iPhone address books to Path’s servers without the permission of the individuals. That privacy breach became a major headache for the company, including stoking  the ire of a very irate Apple. The company later changed its policies.

In a statement, the FTC said:

“Over the years the FTC has been vigilant in responding to a long list of threats to consumer privacy, whether it’s mortgage applications thrown into open trash dumpsters, kids information culled by music fan websites, or unencrypted credit card information left vulnerable to hackers,” said FTC Chairman Jon Leibowitz.  “This settlement with Path shows that no matter what new technologies emerge, the agency will continue to safeguard the privacy of Americans.”

In addition to the $800,000 civil penalty, Path is prohibited from making any misrepresentations about the extent to which it maintains the privacy and confidentiality of consumers’ personal information.  The proposed settlement also requires Path to delete information collected from children under age 13 and bars future violations of COPPA.  Path has already deleted the address book information that it collected during the time period its deceptive practices were in place.

Dave Morin, Path’s founder and chief executive officer, said that the company had identified the accounts in February 2012 and by May 2012 had implemented changes to its sign-up process that automatically caught the underage sign-ups. Path discovered the issue on its own and addressed it (that is, they removed and blocked minors under the age of 13 from the service) before the FTC approached the company, Morin said. Path is currently compliant with COPPA rules. Morin said that the typical Path user is about 25 years old. The company, which has about 6 million registered users, is targeting families for using Path to share personal moments, so this particular settlement offers up a new and unique set of challenges to the company.

Morin said that the big reason the underage children were able to get into the network is because the company didn’t have requisite checks and balances in the system. In a blog post that the company shared with us, Morin explained:

Today the United States Federal Trade Commission (FTC) announced that it reached a settlement pending court approval with Path regarding alleged violations of the Children’s Online Privacy Protections Act (COPPA). The gist of the FTC’s complaint is this: early in Path’s history, children under the age of 13 were able to sign up for accounts. A very small number of affected accounts have since been closed by Path.

As you may know, we ask users’ their birthdays during the process of creating an account. However, there was a period of time where our system was not automatically rejecting people who indicated that they were under 13. Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created.

We want to share our experience and learnings in the hope that others in our industry are reminded of the importance of making sure services are in full compliance with rules like COPPA. From a developer’s perspective, we understand the tendency to focus all attention on the process of building amazing new things. It wasn’t until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent.

Throughout this experience and now, we stand by our number one commitment to serve our users first.

Path has raised a total of $41.2 million from investors such as Index Ventures, Kleiner Perkins Caufield & Byers and Redpoint Ventures. It was rumored that Google offered a couple hundred million dollars for the company.

Updated at 2.22 Pm: Jeffrey Paul, a researcher discovered another privacy bug in Path’s software. The company says it has fixed the problem and the update has been sent to Apple.

Path’s iOS app (yes, that same Path that was caught stealing users’ entire address books last February) will use the embedded EXIF tag location information from photos in the iOS Camera Roll to geotag your posts, even when you’ve explicitly disabledLocation Services for the Path application. (The app knows, of course, that it’s not getting location data via normal means from Location Services, yet behaves this wayeven in that case.)

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• GigaOM Euro 20: the European startups to watch
• Report: How Mobile Cloud Computing Will Change Tech
• The fourth quarter of 2012 in mobile

From the FTC’s update of the rules:

The definition of an operator has been updated to make clear that the Rule covers a child-directed site or service that integrates outside services, such as plug-ins or advertising networks, that collect personal information from its visitors.  This definition does not extend liability to platforms, such as Google Play or the App Store, when such platforms merely offer the public access to child-directed apps.

The Wall Street Journal reports that Apple and Google lobbied heavily to get that exemption written into the rules, and that the iOS App Store owner “made that point in five meetings with FTC officials in the fall.”

The FTC first proposed updates to the act this summer. Then last week, it released a report in which it looked at 400 apps across both Apple and Google’s mobile ecosystems. Among other things, it found that 59 percent of apps made for kids transmitted information to third parties, 58 percent contained advertising without any notice, while 80 percent didn’t even have privacy policies posted.

The new rules announced Wednesday are intended to strengthen kids’ privacy and give parents more control over the services their kids or using. Among other tweaks to the rules, the FTC also announced that “persistent identifiers” like Apple’s UDID or IFA, along with location and photos, videos or audio files that contain a kid’s picture or voice are now classified as personal information.

Image courtesy of Flickr user robynejay

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

• Connected world: the consumer technology revolution
• Controversy, courtrooms and the cloud in Q1
• Tablets wars: Apple is from Venus, Amazon is from Mars