Veering Off the Beaten Path Into Murky Legal Waters
Path, a high-profile San Francisco social media startup, ignited a firestorm this week with the revelation that its mobile application uploads users’ entire iPhone address books to the company’s servers without their knowledge or permission. The practice, discovered by Singapore developer Arun Thampi, provoked outrage within the user community and was broadly condemned by the tech business press. Jon Mitchell at ReadWriteWeb wrote that the upshot of Path CEO Dave Morin’s initial response was “We did it first, and we’ll ask you for permission in a little while.” The company quickly apologized on its corporate blog and, as I write this, plans to push out an updated version of the iPhone app to quell users’ privacy concerns.As most readers know, I’m a lawyer and advisor to social Web and mobile startups. As one of the original in-house counsel at MySpace, I helped fight every kind of abuse imaginable as the site exploded into one of the most popular in history from 2004-06. After that, I served as head of Legal at eHarmony, where we were entrusted with 20+ million users’ sensitive personal information. I recognize that a business lawyer’s role is to advance the interests of the company and its shareholders — which, in a social media business, entails obtaining and preserving maximum latitude to use members’ content and contact information in whatever way turns out to be best for the business — within the legal and ethical boundaries that apply.
Privacy law in general, and particularly in the United States, is disclosure and consent-based. A principle established by the FTC long ago is that Internet companies can generally gather, store and share information as they wish, provided they disclose these practices up front to users in written privacy policies. (State laws such as California’s now require privacy policies.) The rationale is that a consumer who objects is free to leave the site or decline to supply it with any personal information. It’s understandable that businesses, particularly aggressive social startups seeking rapid growth, want to streamline the user experience and minimize barriers from things like pagefuls of legalese and boxes that must be checked to proceed. Nevertheless, the prophylactic effect of those measures can be enormous in a scenario like the one Path found itself in.
If a hypothetical company similar to Path were my client, I’d recommend that there be:
- At a minimum, conspicuous disclosure that this data transfer is necessary for the app to function (i.e., if you don’t agree, don’t use it);
- Better, a setting both in the mobile app and on the member Settings page on the website enabling users to opt out of the address book sharing; and
Path is not a uniquely irresponsible company. Countless startups have made similar mistakes in their early days, particularly when urgency and innovation have a tendency to trump circumspection (e.g., “Move fast and break things“). I myself am a fan of the Path service. Nevertheless, there are simple preventive measures that could have been put into place that might have avoided such an eruption of animosity — not to mention potential legal and financial consequences. (Some commentators are suggesting Path violated privacy laws outside the U.S., particularly in the European Union member countries.) In building trust with the user community and business media, there is power in being able to respond truthfully and immediately to critics that the company informed consumers, sought and received their consent before doing the act in question.
In the bigger picture, as smartphones and mobile apps become ubiquitous, we as a society will have to come to terms with the nature and degree of privacy expected when enjoying their cutting-edge features. Judging by the reaction, Path clearly crossed a line here, but with adequate disclosure, one could argue the company did nothing wrong. Jon Mitchell posits that “Whenever Facebook or Google messes with our privacy, this is the cost of doing business for free. Path is no different. It’s already using our personal data in ways we didn’t expect. ” Nevertheless, from the startup’s point of view, it’s worth bending over backwards to disclose and/or seek permission from users for any unusually aggressive practices in the handling of their personal information.
This article is for general informational purposes only, not a substitute for professional legal advice. It does not result in the creation of an attorney-client relationship. All opinions expressed are those of the author, and do not necessarily represent those of Gust.
Written by Antone Johnson
You might also be interested in
A year ago, in mid September 2014, I walked out of a Starbucks in San Francisco with the very first check from an angel investor for Glassbreakers. Though it was only $5,000, it was enough to prove to myself and my co-founder, Lauren Mosenthal, that we could actually fundraise for our startup. We already had 1,000 women signed
The median investor looking at your proposal is in her 40s. Her eyes are going, not to mention her brain. I look at a lot of spreadsheets and analytic reports, and way too many are difficult to read and therefore hard to understand.
In an effort to make my life easier, I’ve summarized here the steps that will make it
By Paula Taas, Founder Institute
You’ve created an amazing founding team, you’ve built a brilliant product that has been gaining a lot of traction, and now you’re looking to expand your company. How do you continue to build your business? By searching for a lead investor in your next funding round.
The lead investor is the
With all the news about hundred million dollar rounds and billion dollar valuations, it can be hard not to look at the world of entrepreneurship and angel investing as a thrilling ride that only has one stop: success. But to be a successful entrepreneur or serious angel investor, you must have a realistic understanding of the startup failure rate and
Three outcomes dominate exits of angel-funded companies:
Dead bugs – Startups that go out of business, returning less-than-invested capital to angels (usually zero). Positive exits – Companies that liquidate with capital gains to investors, usually via a cash sale to a larger company. While IPOs are possible, they are very rare for angel-funded companies. The exits can range from simply