United States of America v. Path, Inc.
Filing
8
CONSENT DECREE AND ORDER FOR CIVIL PENALTIES, PERMANENT INJUNCTION AND OTHER RELIEF. Signed by Judge Richard Seeborg on 2/8/13. (cl, COURT STAFF) (Filed on 2/8/2013)
1
11
STUART F. DELERY
Principal Deputy Assistant Attorney General
MAAME EWUSI-MENSAH FRIMPONG (CSBN 222986)
Deputy Assistant Attorney General
MICHAEL S. BLUME
Director
RICHARD GOLDBERG
Assistant Director
TIMOTHY T. FINLEY
Trial Attorney
Consumer Protection Branch
U.S. Department of Justice
P.O Box 386
Washington, DC 20044
Telephone: 202-307-0050
Fax: 202-514-8742
Email: Timothy.T.Finley@usdoj.gov
12
Attorneys for the Plaintiffs
2
3
4
5
6
7
8
9
10
13
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN FRANCISCO DIVISION
14
15
16
17
18
19
20
21
22
UNITED STATES OF AMERICA,
:
:
Plaintiff,
:
:
v.
:
:
:
PATH, INC.,
:
:
Defendant.
:
____________________________________:
CONSENT DECREE AND ORDER
FOR CIVIL PENALTIES, PERMANENT
INJUNCTION AND OTHER RELIEF
23
24
WHEREAS Plaintiff, the United States of America, has commenced this action by filing the
25
complaint herein; Defendant has waived service of the Summons and Complaint; the parties have
26
been represented by the attorneys whose names appear hereafter; and the parties have agreed to
27
settlement of this action upon the following terms and conditions, without adjudication of any issue
28
Consent Decree
1
2
of fact or law, and without Defendant admitting any issue of fact or law other than those related to
jurisdiction and venue;
3
THEREFORE, on the joint motion of Plaintiff and Defendant, it is hereby ORDERED,
4
5
ADJUDGED, and DECREED as follows:
6
1.
7
8
This Court has jurisdiction of the subject matter and of the parties pursuant to 28 U.S.C.
§§ 1331, 1337(a), 1345, and 1355, and 15 U.S.C. §§ 45(m)(1)(A), 53(b), 56(a), and 57b.
2.
Venue is proper as to all parties in the Northern District of California under 15 U.S.C.
9
§ 53(b) and 28 U.S.C. §§ 1391(b)-(c) and 1395(a).
10
11
3.
12
13
The activities of Defendant are in or affecting commerce as defined in Section 4 of the FTC
Act, 15 U.S.C. § 44.
4.
Defendant neither admits nor denies any of the allegations in the Complaint, except as
14
specifically stated in this Order. Only for purposes of this action, Defendant admits the facts
15
necessary to establish jurisdiction.
16
17
18
19
5.
The Complaint states a claim upon which relief may be granted against Defendant under
Sections 5(a)(1), 5(m)(1)(A), 13(b), and16(a) of the Federal Trade Commission Act (“FTC
Act”), 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), and 56(a) and under Sections 1303(c) and
20
21
1306(d) of the Children’s Online Privacy Protection Act of 1998 (“COPPA”), 15 U.S.C. §§
22
6501-6506, 6502(c), and 6505(d); the Commission’s Children’s Online Privacy Protection
23
Rule (“Rule” or “COPPA Rule”), 16 C.F.R. Part 312. Among other things, the Complaint
24
alleges that:
25
26
A.
Defendant violated the FTC Act by making deceptive representations through its
27
application’s user interface regarding the automatic collection of information from
28
consumers’ mobile device address books;
Consent Decree
Page 2 of 25
1
B.
2
Defendant violated the FTC Act by making deceptive representations through its
privacy policy regarding the automatic collection of information from consumers’
3
mobile device address books; and
4
C.
5
Defendant violated COPPA and the FTC Act by failing to provide notice to parents
6
of its information practices, and to obtain verifiable parental consent prior to
7
collecting, using, and/or disclosing information from children online.
8
6.
Defendant has entered into this Consent Decree and Order for Civil Penalties, Permanent
9
Injunction, and Other Relief (“Order”) freely and without coercion. Defendant further
10
acknowledges that it has read the provisions of this Order and is prepared to abide by them.
11
12
7.
13
Plaintiff and Defendant hereby waive all rights to appeal or otherwise challenge the validity
of this Order.
14
15
8.
complete, and final settlement of this action.
16
17
Plaintiff and Defendant stipulate and agree that entry of this Order shall constitute a full,
9.
18
Defendant has agreed that this Order does not entitle it to seek or to obtain attorneys’ fees
as a prevailing party under the Equal Access to Justice Act, 28 U.S.C. § 2412, and Defendant
19
further waives any rights to attorneys’ fees that may arise under said provision of law.
20
21
10.
Entry of this Order is in the public interest.
DEFINITIONS
22
23
11.
24
“Rule” means the Federal Trade Commission’s Children’s Online Privacy Protection
Rule, 16 C.F.R. Part 312.
25
26
12.
For purposes of this Agreement:
27
A.
“Child” means an individual under the age of 13;
28
B
“Collects” or “collection” means the gathering of any personal information from a
Consent Decree
Page 3 of 25
1
child by any means, including but not limited to:
2
(1)
Requesting that children submit personal information online;
(2)
Enabling children to make personal information publicly available through
3
4
5
a chat room, message board, or other means, except where the operator
6
deletes all individually identifiable information from postings by children
7
before they are made public, and also deletes such information from the
8
operator’s records; or
9
(3)
10
individual, such as a cookie;
11
12
13
The passive tracking or use of any identifying code linked to an
C.
“Commission” means the Federal Trade Commission;
D.
“Delete” means to remove personal information such that it is not maintained in
14
retrievable form and cannot be retrieved in the normal course of business;
15
16
17
E.
“Disclosure” means, with respect to personal information:
(1)
18
The release of personal information collected from a child in identifiable
form by an operator for any purpose, except where an operator provides
19
such information to a person who provides support for the internal
20
21
operations of the website or online service and who does not disclose or
22
use that information for any other purpose. For purposes of this
23
definition:
24
(a)
Release of personal information means the sharing, selling,
25
renting, or any other means of providing personal information to
26
any third party, and
27
28
(b)
Consent Decree
Support for the internal operations of the website or online service
Page 4 of 25
1
means those activities necessary to maintain the technical
2
functioning of the website or online service, or to fulfill a request
3
of a child as permitted by 16 C.F.R. Part 312.5(c)(2) and (3); or
4
(2)
5
Making personal information collected from a child by an operator
6
publicly available in identifiable form, by any means, including by a
7
public posting through the Internet, or through a personal home page
8
posted on a website or online service; a pen pal service; an electronic mail
9
service; a message board; or a chat room;
10
11
F.
12
“Internet” means collectively the myriad of computer and telecommunications
facilities, including equipment and operating software, which comprise the
13
interconnected world-wide network of networks that employ the Transmission
14
Control Protocol/Internet Protocol, or any predecessor or successor protocols to
15
16
such protocol, to communicate information of all kinds by wire, radio, or other
17
methods of transmission;
18
G.
19
“Online contact information” means an e-mail address or any other substantially
similar identifier that permits direct contact with a person online;
20
21
H.
“Operator” means any person who operates a website located on the Internet or an
22
online service and who collects or maintains personal information from or about
23
the users of or visitors to such website or online service, or on whose behalf such
24
information is collected or maintained, where such website or online service is
25
26
operated for commercial purposes, including any person offering products or
27
services for sale through that website or online service, involving commerce:
28
(1)
Consent Decree
Among the several States or with one or more foreign nations;
Page 5 of 25
1
(2)
2
In any territory of the United States or in the District of Columbia, or
between any such territory and (a) Another such territory, or
3
(b) Any State or foreign nation; or
4
(3)
5
6
Between the District of Columbia and any State, territory, or foreign
nation.
7
This definition does not include any nonprofit entity that would otherwise be
8
exempt from coverage under Section 5 of the Federal Trade Commission Act (15
9
U.S.C. § 45);
10
11
I.
“Parent” includes a legal guardian;
12
J.
“Person” means any individual, partnership, corporation, trust, estate,
13
cooperative, association, or other entity;
14
15
K.
“Personal information” means individually identifiable information about an
16
individual collected online, including:
17
(1)
A first and last name;
18
(2)
A home or other physical address including street name and name of a city
19
or town;
20
21
(3)
An e-mail address or other online contact information, including but not
22
limited to, an instant messaging user identifier, or a screen name that
23
reveals an individual’s e-mail address;
24
(4)
A telephone number;
(5)
A Social Security number;
(6)
A persistent identifier, such as a customer number held in a cookie or a
25
26
27
28
processor serial number, where such identifier is associated with
Consent Decree
Page 6 of 25
1
individually identifiable information; or a combination of a last name or
2
photograph of the individual with other information such that the
3
combination permits physical or online contacting; or
4
(7)
5
Information concerning the child or the parents of that child that the
6
operator collects online from the child and combines with an identifier
7
described in this definition;
8
L.
“Third party” means any person who is not:
9
(1)
10
An operator with respect to the collection or maintenance of personal
information on the website or online service; or
11
12
(2)
13
A person who provides support for the internal operations of the website
or online service and who does not use or disclose information protected
14
under this part for any other purpose;
15
16
M.
“Verifiable parental consent” means making any reasonable effort (taking into
17
consideration available technology) to ensure that before personal information is
18
collected from a child, a parent of the child:
19
(1)
Receives notice of the operator’s personal information collection, use, and
20
disclosure practices; and
21
(2)
22
23
24
Authorizes any collection, use, and/or disclosure of the personal
information; and
N.
“Website or online service directed to children” means a commercial website or
25
26
online service, or portion thereof, that is targeted to children. Provided, however,
27
that a commercial website or online service, or a portion thereof, shall not be
28
deemed directed to children solely because it refers or links to a commercial
Consent Decree
Page 7 of 25
1
website or online service directed to children by using information location tools,
2
including a directory, index, reference, pointer, or hypertext link. In determining
3
whether a commercial website or online service, or a portion thereof, is targeted
4
5
to children, the Commission will consider its subject matter, visual or audio
6
content, age of models, language or other characteristics of the website or online
7
service, as well as whether advertising promoting or appearing on the website or
8
online service is directed to children. The Commission will also consider
9
competent and reliable empirical evidence regarding audience composition;
10
11
evidence regarding the intended audience; and whether a site uses animated
12
characters and/or child-oriented activities and incentives.
13
13.
“Covered information” means information from or about an individual consumer
14
including, but not limited to: (a) a first and last name; (b) a home or other physical
15
16
address, including street name and name of city or town; (c) an email address or other
17
online contact information, such as an instant messaging user identifier or a screen name;
18
(d) a telephone number; (e) a persistent identifier, such as a customer number held in a
19
“cookie,” a static Internet Protocol (“IP”) address, or processor serial number; (f)
20
21
nonpublic communications and content posted on Defendant’s website or within
22
Defendant’s applications; or (g) communications and content stored on a consumer’s
23
mobile device.
24
14.
“Clear(ly) and prominent(ly)” shall mean:
25
26
A.
In textual communications (e.g., printed publications or words displayed on the
27
screen of a computer or mobile device), the required disclosures are of a type,
28
size, and location sufficiently noticeable for an ordinary consumer to read and
Consent Decree
Page 8 of 25
1
comprehend them, in print that contrasts highly with the background on which
2
they appear;
3
B.
4
In communications disseminated orally or through audible means (e.g., radio or
5
streaming audio), the required disclosures are delivered in a volume and cadence
6
sufficient for an ordinary consumer to hear and comprehend them;
7
C.
8
In communications disseminated through video means (e.g., television or
streaming video), the required disclosures are in writing in a form consistent with
9
subpart A of this definition and shall appear on the screen for a duration sufficient
10
11
for an ordinary consumer to read and comprehend them, and in the same language
12
as the predominant language that is used in the communication; and
13
D.
In all instances, the required disclosures: (1) are presented in an understandable
14
language and syntax, and (2) include nothing contrary to, inconsistent with, or in
15
16
mitigation of any statement contained within the disclosure or within any
17
document linked to or referenced therein.
18
15.
19
Unless otherwise specified, “Defendant” means Path, Inc., a corporation, and its
successors and assigns.
20
21
I. INJUNCTION REGARDING COLLECTION OF INFORMATION
22
FROM CHILDREN ONLINE
23
24
16.
IT IS ORDERED that Defendant and all other persons in active concert or participation
with Defendant who receive actual notice of this Order by personal service or otherwise,
25
26
whether acting directly or indirectly, in connection with any website or online service
27
directed to children, or on any website or online service through which they, with actual
28
knowledge, collect, use, and/or disclose personal information from children, is
Consent Decree
Page 9 of 25
1
permanently restrained and enjoined from:
2
A.
Failing to provide sufficient notice of the information Defendant collects online
3
from children, how it uses such information, its disclosure practices, and all other
4
content, as required by Section 312.4(b) of the Rule, 16 C.F.R. § 312.4(b);
5
6
B.
7
Failing to provide direct notice to parents of what information Defendant collects
online from children, how it uses such information, its disclosure practices, and
8
all other required content, as required by Section 312.4(c) of the Rule, 16 C.F.R.
9
§ 312.4(c);
10
C.
11
12
Failing to obtain verifiable parental consent before any collection, use, and/or
disclosure of personal information from children, as required by Section 312.5 of
13
the Rule, 16 C.F.R. § 312.5(a)(1); or
14
D.
15
Violating any other provision of the Rule, 16 C.F.R. Part 312, and as the Rule
16
may hereafter be amended. A copy of the Rule is attached hereto as “Appendix
17
A” and incorporated herein as if fully set forth verbatim.
18
19
II. DELETION OF CHILDREN’S PERSONAL INFORMATION
17.
IT IS FURTHER ORDERED that Defendant, and its officers, agents, servants,
20
21
employees, and attorneys, and all other persons in active concert or participation with any
22
of them who receive actual notice of this Order by personal service or otherwise, are
23
permanently restrained and enjoined from:
24
A.
Disclosing, using, or benefitting from Personal information collected from
25
Children which Defendant obtained prior to entry of this Order; and
26
27
28
B.
Failing to destroy such Personal information in all forms in its possession,
custody, or control within ten (10) days after entry of this Order.
Consent Decree
Page 10 of 25
1
Provided, however, that Personal information need not be destroyed, and may be
2
disclosed, to the extent requested by a government agency or required by a law,
3
regulation, or court order.
4
III. CIVIL PENALTY
5
6
18.
7
IT IS FURTHER ORDERED that Defendant shall pay to Plaintiff a civil penalty,
pursuant to Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), in the amount
8
of eight hundred thousand dollars ($800,000), due and payable within five (5) days of
9
receipt of notice of the entry of this Order. Unless otherwise directed, payment shall be
10
11
made by electronic fund transfer in accordance with procedures specified by the
12
Consumer Protection Branch, Civil Division, U.S. Department of Justice, Washington,
13
DC 20530.
14
15
19.
Defendant relinquishes all dominion, control, and title to the funds paid to the fullest
16
extent permitted by law. Defendant shall make no claim to or demand return of the
17
funds, directly or indirectly, through counsel or otherwise.
18
20.
19
Defendant agrees that the facts as alleged in the Complaint filed in this action shall be
taken as true, without further proof, in any subsequent civil litigation filed by or on
20
21
behalf of the Commission to enforce its rights to any payment or money judgment
22
pursuant to this Order.
23
24
21.
In the event of any default in payment, which default continues for ten (10) days beyond
the due date of payment, the entire unpaid penalty, together with interest, as computed
25
26
27
pursuant to 28 U.S.C. § 1961 (accrued from the date of default to the date of payment)
shall immediately become due and payable.
28
Consent Decree
Page 11 of 25
1
2
IV. INJUNCTION REGARDING PRIVACY OF CONSUMER INFORMATION
22.
IT IS FURTHER ORDERED that Defendant acting directly or through any
3
corporation, subsidiary, limited liability company, division, or other device, in
4
5
connection with the advertising, marketing, promotion, offering for sale, or sale of any
6
product or service, in or affecting commerce, is permanently restrained and enjoined
7
from misrepresenting in any manner, expressly or by implication, the extent to which it
8
maintains and protects the privacy and confidentiality of covered information.
9
10
23.
IT IS FURTHER ORDERED that Defendant, acting directly or through any
11
corporation, subsidiary, limited liability company, division, or other device, in
12
connection with the advertising, marketing, promotion, offering for sale, or sale of any
13
product or service, in or affecting commerce, prior to any access or collection of
14
information in the user’s mobile device contacts or address book, shall:
15
A.
16
Clearly and prominently disclose to the user, separate and apart from any
17
“privacy policy,” “terms of use,” “blog,” “statement of values” page, or other
18
similar document, the categories of information from the user’s mobile device
19
that will be accessed and/or collected; and
20
B.
21
information.
22
23
24
Obtain the user’s affirmative express consent to access or collect such
24.
IT IS FURTHER ORDERED that Defendant, acting directly or through any
corporation, subsidiary, limited liability company, division, or other device, in
25
26
connection with the advertising, marketing, promotion, offering for sale, or sale of any
27
product or service, in or affecting commerce, shall, no later than the date of service of
28
this order, establish and implement, and thereafter maintain, a comprehensive privacy
Consent Decree
Page 12 of 25
1
2
program that is reasonably designed to: (1) address privacy risks related to the
development and management of new and existing products and services for consumers;
3
4
and (2) protect the privacy and confidentiality of covered information. Such program,
5
the content and implementation of which must be documented in writing, shall contain
6
privacy controls and procedures appropriate to respondent’s size and complexity, the
7
nature and scope of respondent’s activities, and the sensitivity of the covered
8
information, including:
9
10
A.
for the privacy program;
11
12
The designation of an employee or employees to coordinate and be responsible
B.
13
The identification of reasonably foreseeable, material risks, both internal and
external, that could result in the respondent’s unauthorized collection, use, or
14
disclosure of covered information, and an assessment of the sufficiency of any
15
16
safeguards in place to control these risks. At a minimum, this privacy risk
17
assessment should include consideration of risks in each area of relevant
18
operation, including, but not limited to: (1) employee training and management,
19
including training on the requirements of this order; and (2) product design,
20
development, and research;
21
22
C.
23
The design and implementation of reasonable privacy controls and procedures to
address the risks identified through the privacy risk assessment, and regular
24
testing or monitoring of the effectiveness of those privacy controls and
25
procedures;
26
27
28
D.
The development and use of reasonable steps to select and retain service
providers capable of appropriately protecting the privacy of covered information
Consent Decree
Page 13 of 25
1
they receive from respondent, and requiring service providers by contract to
2
implement and maintain appropriate privacy protections;
3
E.
4
The evaluation and adjustment of respondent’s privacy program in
5
light of the results of the testing and monitoring required by subpart C, any
6
material changes to respondent’s operations or business arrangements, or any
7
other circumstances that respondent knows or has reason to know may have a
8
material impact on the effectiveness of its privacy program.
9
10
25.
IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph 24
11
of this order, Defendant shall obtain initial and biennial assessments and reports
12
(“Assessments”) from a qualified, objective, independent third-party professional, who
13
uses procedures and standards generally accepted in the profession. The reporting period
14
15
for the Assessments shall cover: (1) the first year after service of the Order for the initial
16
Assessment; and (2) each two (2) year period thereafter for twenty (20) years after
17
service of the Order for the biennial Assessments.
18
A.
19
Each Assessment shall:
1.
Set forth the specific privacy controls that Defendant has implemented and
20
maintained during the reporting period;
21
22
2.
23
Explain how such privacy controls are appropriate to Defendant’s size and
complexity, the nature and scope of Defendant’s activities, and the
24
sensitivity of the covered information collected from or about consumers;
25
26
3.
exceed the protections required by Paragraph 24 of this Order; and
27
28
Explain how the privacy controls that have been implemented meet or
4.
Consent Decree
Certify that Defendant’s privacy program is operating with sufficient
Page 14 of 25
1
effectiveness to provide reasonable assurance to protect the privacy of
2
covered information and that the program has so operated throughout the
3
reporting period.
4
B.
5
Each Assessment shall be prepared and completed within sixty (60) days after the
6
end of the reporting period to which the Assessment applies by a person that has a
7
minimum of three (3) years of experience in the field of privacy and data
8
protection. All persons conducting such Assessments and preparing such reports
9
shall be approved by the Associate Director for Enforcement, Bureau of
10
11
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Ave. NW,
12
Washington, D.C. 20580, in his or her sole discretion.
13
C.
Defendant shall provide the initial Assessment by overnight courier (not the U.S.
14
Postal Service) to the Associate Director for Enforcement, Bureau of Consumer
15
16
Protection, Federal Trade Commission, 600 Pennsylvania Ave. NW, Washington,
17
D.C. 20580, or by email to Debrief@ftc.gov, within ten (10) days after the
18
Assessment has been prepared. All subsequent biennial Assessments shall be
19
retained by Defendant until the order is terminated and provided to the Associate
20
Director for Enforcement within ten (10) days of request.
21
V. ORDER ACKNOWLEDGMENTS
22
23
24
26.
IT IS FURTHER ORDERED that Defendant obtain acknowledgments of receipt of this
Order:
25
26
A.
Defendant, within seven (7) days of entry of this Order, must submit to the
27
Commission an acknowledgment of receipt of this Order sworn under penalty of
28
perjury.
Consent Decree
Page 15 of 25
1
B.
2
For five (5) years after entry of this Order, Defendant must deliver a copy of this
Order to: (1) all principals, officers, directors, and managers; (2) all employees,
3
agents, and representatives having supervisory responsibilities relating to the
4
5
collection, retention, storage, or security of covered information and all
6
employees, agents, and representatives having supervisory responsibilities related
7
to the operation of any website or online service subject to this Order; and (3) any
8
business entity resulting from any change in structure as set forth in the Section
9
titled “Compliance Reporting.” Delivery must occur within seven (7) days of
10
11
entry of this Order for current personnel. To all others, delivery must occur
12
before they assume their responsibilities.
13
C.
From each individual or entity to which a Defendant delivered a copy of this
14
Order, that Defendant must obtain, within thirty (30) days, a signed and dated
15
acknowledgment of receipt of this Order.
16
17
18
19
VI. COMPLIANCE REPORTING
27.
IT IS FURTHER ORDERED that Defendant make timely submissions to the
Commission:
20
21
A.
One hundred eighty (180) days after the date of entry of this Order, Defendant
22
must submit a compliance report, sworn under penalty of perjury. This report
23
must:
24
1.
Designate at least one telephone number and an email, physical, and
25
postal address as points of contact, which representatives of the
26
Commission may use to communicate with Defendant;
27
28
2.
Consent Decree
Identify all of Defendant’s businesses by all of their names, telephone
Page 16 of 25
1
2
numbers, and physical, postal, email, and Internet addresses;
3.
Describe the activities of each business, including the products and
3
services offered and the means of advertising, marketing, and sales;
4
5
4.
6
7
Describe in detail whether and how Defendant is in compliance with each
Section of this Order;
5.
8
Provide a statement setting forth in detail the criteria and process through
which Defendant’s websites or online services register visitors online for
9
any activity requiring the submission of covered information, and a copy
10
11
of each different version of screen or page providing or collecting
12
registration information;
13
6.
Provide a copy of each different version of any privacy notice posted on
14
each website or online service operated by Defendant;
15
16
7.
Provide a statement setting forth in detail each place where the privacy
17
notice on any such website or online service is located and a copy of each
18
different version of screen or page on which such website or online
19
service collects covered information;
20
21
8.
parents of children that register on each website or online service;
22
23
Provide a copy of each different version of any privacy notice sent to
9.
24
Provide a statement setting forth in detail when and how each such notice
to parents is provided;
25
26
10.
Provide a statement setting forth in detail the methods used to obtain
27
verifiable parental consent prior to any collection, use, and/or disclosure
28
of personal information from children, as defined by Definition K (Section
Consent Decree
Page 17 of 25
1
1302(8) of COPPA, 15 U.S.C. § 6501(8));
2
11.
Provide a statement setting forth in detail the means provided for parents
3
to review the personal information, as defined by Definition K (Section
4
5
1302(8) of COPPA, 15 U.S.C. § 6501(8)), collected from their children
6
and to refuse to permit its further use or maintenance;
7
12.
8
Provide a statement setting forth in detail why each type of information
collected from a child is reasonably necessary for the provision of the
9
particular related activity;
10
13.
11
12
Provide a statement setting forth in detail the procedures used to protect
the confidentiality, security, and integrity of personal information, as
13
defined by Definition K (Section 1302(8) of COPPA, 15 U.S.C. §
14
6501(8)), collected from children; and
15
14.
16
17
18
Provide a copy of each Order Acknowledgement obtained pursuant to this
Order, unless previously submitted to the Commission.
B.
19
For twenty (20) years following entry of this Order, Defendant must submit a
compliance notice, sworn under penalty of perjury, within fourteen (14) days of
20
21
any change in the following: (1) any designated point of contact; or (2) the
22
structure of Defendant or any entity that Defendant has any ownership interest in
23
or directly or indirectly controls that may affect compliance obligations arising
24
under this Order, including: creation, merger, sale, or dissolution of the entity or
25
any subsidiary, parent, or affiliate that engages in any acts or practices subject to
26
this Order.
27
28
C.
Defendant must submit to the Commission notice of the filing of any bankruptcy
Consent Decree
Page 18 of 25
1
petition, insolvency proceeding, or any similar proceeding by or against
2
Defendant within fourteen (14) days of its filing.
3
D.
4
Any submission to the Commission required by this Order to be sworn under
5
penalty of perjury must be true and accurate and comply with 18 U.S.C. § 1746,
6
such as by concluding: “I declare under penalty of perjury under the laws of the
7
United States of America that the foregoing is true and correct. Executed
8
on:_____” and supplying the date, signatory’s full name, title (if applicable), and
9
signature.
10
E.
11
12
Unless otherwise directed by a Commission representative in writing, all
submissions to the Commission pursuant to this Order must be emailed to
13
DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to:
14
Associate Director for Enforcement, Bureau of Consumer Protection, Federal
15
16
Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
17
The subject line must begin: FTC v. Path, Inc.
18
VII. RECORDKEEPING
19
28.
IT IS FURTHER ORDERED that Defendant must create certain records for twenty
20
21
(20) years after entry of the Order, and retain each such record for five (5) years unless
22
otherwise specified below. Specifically, Defendant, in connection with covered
23
information, must maintain the following records:
24
A.
Accounting records showing the revenues from all goods or services sold, all
25
costs incurred in generating those revenues, and the resulting net profit or loss;
26
27
28
B.
Personnel records showing, for each person providing services, whether as an
employee or otherwise, that person’s: name, addresses, and telephone numbers;
Consent Decree
Page 19 of 25
1
job title or position; dates of service; and, if applicable, the reason for
2
termination;
3
4
C.
Order, including all submissions to the Commission;
5
6
All records necessary to demonstrate full compliance with each provision of this
D.
7
A copy of all complaints submitted by consumers to Defendant regarding its
information security practices or its practices relating to the collection or retention
8
of covered information. Provided, however, that Defendant shall not be required
9
to retain any complaint for longer than three (3) years after it was submitted; and
10
11
12
13
E.
A sample copy of every materially different form, page, or screen created,
maintained, or otherwise provided by Defendant through which Defendant
collects covered information, and a sample copy of each materially different
14
15
document containing any representation regarding Defendant’s collection, use,
16
and disclosure practices pertaining to personal information of a child, as defined
17
by Definition A (Section 1302(1) of COPPA, 15 U.S.C. § 6501(1)). Each web
18
page copy shall be accompanied by the URL of the web page where the material
19
was posted online. Electronic copies shall include all text and graphics files,
20
21
audio scripts, and other computer files used in presenting information on the
22
Internet. Provided, however, that Defendant shall not be required to retain any
23
document for longer than two (2) years after the document was created, or to
24
retain a print or electronic copy of any amended web page or screen to the extent
25
26
27
that the amendment does not affect Defendant’s compliance obligations under
this Order.
28
Consent Decree
Page 20 of 25
1
2
VIII. COMPLIANCE MONITORING
29.
IT IS FURTHER ORDERED that for the purpose of monitoring compliance with this
3
4
5
Order:
A.
Within fourteen (14) days of receipt of a written request from a representative of
6
the Commission, Defendant must: submit additional compliance reports or other
7
requested information, which must be sworn under penalty of perjury; appear for
8
depositions; and produce documents, for inspection and copying. The
9
Commission is also authorized to obtain discovery, without further leave of
10
11
Court, using any of the procedures prescribed by Federal Rules of Civil Procedure
12
29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.
13
B.
For matters concerning this Order, the Commission is authorized to communicate
14
directly with Defendant. Defendant must permit representatives of the
15
16
Commission to interview any employee or other person affiliated with any
17
Defendant who has agreed to such an interview. The person interviewed may
18
have counsel present.
19
C.
The Commission may use all other lawful means, including posing, through its
20
21
representatives, as consumers, suppliers, or other individuals or entities, to
22
Defendant or any individual or entity affiliated with Defendant, without the
23
necessity of identification or prior notice. Nothing in this Order limits the
24
Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of
25
26
the FTC Act, 15 U.S.C. §§ 49, 57b-1.
27
28
Consent Decree
Page 21 of 25
1
2
IX. RETENTION OF JURISDICTION
30.
IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for the
3
4
purposes of construction, modification, and enforcement of this Order.
5
6
7
8
JUDGMENT IS THEREFORE ENTERED in favor of Plaintiff and against Defendant,
9
10
pursuant to all the terms and conditions recited above.
11
12
13
8th
February
Dated this __________ day of _______________, 2013.
14
15
16
17
18
19
UNITED STATES DISTRICT JUDGE
20
21
22
23
24
25
26
27
28
Consent Decree
Page 22 of 25
1
2
The parties, by their counsel, hereby consent to the terms and conditions of the Order as
set forth above and consent to the entry thereof.
3
FOR THE UNITED STATES OF AMERICA:
4
5
STUART F. DELERY
Principal Deputy Assistant Attorney General
Civil Division
U.S. Department of Justice
6
7
8
MAAME EWUSI-MENSAH FRIMPONG
Deputy Assistant Attorney General
CSBN 222986
Civil Division
9
10
11
MICHAEL S. BLUME
Director
Consumer Protection Branch
12
13
14
RICHARD GOLDBERG
Assistant Director
Consumer Protection Branch
15
16
17
/s/ signature on file1
TIMOTHY T. FINLEY
Trial Attorney
Consumer Protection Branch
U.S. Department of Justice
P.O. Box 386
Washington, DC 20044
Telephone: 202-307-0050
Fax: 202-514-8742
Email: timothy.t.finley@usdoj.gov
18
19
20
21
22
23
24
25
26
27
28
1
I hereby attest that all of the actual signatures are on file with the United States.
Consent Decree
Page 23 of 25
1
FOR THE FEDERAL TRADE COMMISSION:
2
3
/s/ signature on file
JAMIE E. HINE
Attorney
Division of Privacy and Identity Protection
4
5
6
/s/ signature on file
NITHAN SANNAPPA
Attorney
Division of Privacy and Identity Protection
7
8
9
10
/s/ signature on file
MAMIE KRESSES
Attorney
Division of Advertising Practices
11
12
13
14
/s/ signature on file
CHRISTOPHER OLSEN
Assistant Director
Division of Privacy and Identity Protection
15
16
17
/s/ signature on file
MANEESHA MITHAL
Associate Director
Division of Privacy and Identity Protection
Federal Trade Commission
600 Pennsylvania Avenue, NW
Mail Drop NJ-8100
Washington, D.C. 20580
202-326-2771 (voice)
202-326-3768 (fax)
18
19
20
21
22
23
24
25
26
27
28
Consent Decree
Page 24 of 25
FOR THE DEFENDANT, PATH, INC.:
1
2
3
/s/ signature on file
DAVID MORIN
Chief Executive Officer
Path, Inc.
4
5
6
7
/s/ signature on file
TYLER NEWBY
FENWICK AND WEST LLP
555 California Street, 12th Floor
San Francisco, CA 94104
415-875-2495
Attorney for Defendant Path, Inc.
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Consent Decree
Page 25 of 25
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?