According to the FTC, a 2011 Path update for Apple devices collected and stored information from the users' address books, including names, phone numbers, email addresses, Facebook and Twitter usernames and dates of birth.
The settlement requires Path to establish a comprehensive privacy program and to submit to independent privacy audits every year for the next 20 years.
Path also agreed to pay an $800,000 fine for violating the Children's Online Privacy Protection Act (COPPA), which bans websites and apps from knowingly collecting information from children younger than 13 without their parents' permission.
Path asks new users for their birth date; the company admitted that for a period of time, it allowed users to create an account even if they said they were 12 years old or younger.
In a conference call with reporters, Leibowitz said about 3,000 children were able to create accounts on Path before the company changed its policy. Path said it has disabled the accounts of the children.
"Before the FTC reached out to us, we discovered and fixed this sign-up process qualification, and took further action by suspending any under age accounts that had mistakenly been allowed to be created," the company said in a blog post.
Also on Friday, the FTC released a report recommending steps companies can take to improve the privacy protections of their mobile device users.
The commission recommended that companies provide easy-to-understand privacy policies, obtain a user's consent before accessing location information and allow users to opt out of tracking by third-party advertisers, among other recommendations.