On February 16, 2022, the Federal Trade Commission (FTC) filed a proposed settlement order in federal court in its case against WW International, Inc. (formerly known as Weight Watchers International, Inc.) and its subsidiary Kurbo, Inc. (Kurbo) to resolve allegations that the defendants violated the Children’s Online Privacy Protection Act and Rules (COPPA).1 The FTC alleged that the defendants violated COPPA by failing to provide required notices and obtain verifiable parental consent before collecting, using and disclosing the personal information of children using their weight loss app. Under the proposed settlement, defendants are required to, among other things: 1) update their procedures to ensure they obtain verifiable parental consent before collecting personal information from children, 2) destroy any personal information they obtained in violation of COPPA as well as any models or algorithms based on that information, and 3) pay a civil penalty of $1.5 million.
The FTC Complaint
The COPPA Rule applies to operators of online services whose service, or part of the service, is directed to children under the age of 13 or who know that they collect information from children.2 It imposes rules surrounding the collection, use and disclosure of personal information collected from children.
According to the FTC complaint, since 2014 Kurbo has offered a weight management and tracking service designed and advertised for children as young as eight years old.3 Although it was created specifically for children, Kurbo has not taken steps to comply with COPPA. The app only informed parents about its data collection practices in November 2019, and even then did not seek parental consent as required for services aimed at children.4 The FTC alleged that the notice implemented in 2019 was also flawed, including because it did not clearly and completely specify the categories of information collected from children.5
Additionally, while the app featured an age screen asking users to provide their age, it did not meet FTC guidelines for an “age-neutral screen”6 because it alerted users that they could register by stating that they were at least 13 years old. And users who bypassed the age screen by misrepresenting their age could later revise their date of birth in their profile to show that they were actually under 13.7
Finally, the complaint alleges that the defendants retained the personal information collected from the children indefinitely, even though the user’s account had been inactive for several years.8 COPPA requires that personal information collected online from children be retained no longer than reasonably necessary to fulfill the purpose for which the information was collected.9
The proposed decree
As is customary in COPPA rules, the proposed order prohibits defendants from violating COPPA in the future, including by failing to provide parents with the privacy notice required by COPPA; failing to obtain verifiable parental consent before processing children’s personal information; failing to delete a child’s personal information at the request of a parent; or retaining children’s personal information longer than reasonably necessary to fulfill the purpose for which the information was collected.10 The proposed order specifically requires defendants to delete personal information within one year after “a user’s last instance of following food, weight, or activity consumption.”11
The proposed order also requires defendants to delete all personal information previously collected from the children, unless they obtain verifiable parental consent to retain the information within 30 days of entry of the order.12 Notably, in a first for a COPPA case, it further requires defendants to remove or otherwise destroy all models and algorithms developed in whole or in part through the use of personal information collected from children through the Kurbo service.13 While past COPPA rules have prohibited defendants from benefiting from personal information they have collected in violation of the COPPA rule,14 the proposed order takes this remedy one step further by explicitly requiring the removal of algorithms and models based on this information. This is part of a larger shift by the FTC toward “algorithmic disgorgement,” which was also a big feature in the FTC’s 2021 settlement with Everalbum, Inc. In particular, the removal requirement applies to algorithms and models that have been even partially created using information collected in violation of COPPA; even if the majority of the data used to create the algorithm or model was collected legally, defendants are still obligated to delete the algorithm or model entirely.
Finally, the defendants must pay a civil penalty of $1,500,000 and submit to a 10-year declaration of compliance period.15
Key points to remember
To mitigate the risks of COPPA enforcement action from the FTC, online services that sell to children or know they have a large user base of children, both in the United States and abroad, should pay close attention to the requirements of the COPPA rule.
A few key points:
First, this case represents the first time the FTC has challenged a non-neutral age gate under COPPA. A key point to remember: if a company decides to implement an age barrier, it must ensure that it designs a neutral age barrier that does not tell users that they must enter a date of birth that would make them over 13 years old. For example, if you have a site that may appeal to children, you should not suggest that US law requires users to be over 13, or that if you are under 13, you should ask your parents to register for you. It is also recommended to prevent users from returning to an earlier page in the registration process to enter an older date of birth once they have already entered a date of birth that would make them under 13 years old.
Second, this is also the first time the FTC has alleged a violation of the COPPA provision requiring companies to delete children’s information once it is no longer needed to fulfill the purpose for which it was collected. In this case, the company apparently retained the children’s information indefinitely, which in general is probably not a good idea for children’s information. Make sure you have a retention policy that includes your reasons for the retention period you choose.
Third, while it is possible to have an over-13 version of an online service and a separate children’s version under COPPA’s mixed audience provision, if you learn that a child is using the 13+ version, it is important to remove this child from the service. In this case, children who had entered an age indicating that they were over 13 then revised their birth dates. Weight Watchers allowed them continued access to its app, thereby triggering COPPA obligations.
Finally, companies that offer online services aimed at children should ensure that they properly inform parents and obtain verifiable parental consent whenever they collect personal information from children under 13. The FTC has provided guidance to companies on how to verify that the individual giving consent is in fact the user’s parent; businesses can also choose to use one of the FTC’s pre-approved verification methods.16 As part of this consent process, companies are also required to provide information to the parent regarding what information they plan to collect from children, how they intend to use the data, and whether and how they intend to share the data.17
Wilson Sonsini Goodrich & Rosati regularly helps companies solve complex data privacy and security issues and has helped many clients achieve COPPA compliance. For more information, please contact Libby Weingarten, Maneesha Mithal, or another member of the firm’s privacy and cybersecurity practice.
1. United States of America v. Kurbo, Inc. et al., 3:22-cv-00946 (N.D. Cal. Feb. 16, 2022).
2. 16 CFR § 312.
3. Complaint, United States of America v. Kurbo, Inc. et al., 3:22-cv-00946, 6 (N.D. Cal. Feb. 16, 2022).
4. Id. at 10.
5. Id. at 13-14.
6. COPPA Compliance: Frequently Asked Questions, Fed. Trade Comm’n (July 2020), https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions-0.
7. Complaint, United States of America v. Kurbo, Inc. et al., 3:22-cv-00946, 8 (N.D. Cal. Feb. 16, 2022).
8. Id. at 11.
9. 16 CFR § 312.10.
10. Entry of the proposed stipulated order, Exhibit A, United States of America v. Kurbo, Inc. et al., 3:22-cv-00946 (N.D. Cal. Feb. 16, 2022).
11. Id. at 8.
12. Id. at 7.
13. Id. at 8.
14. See, for example, Stipulated order for permanent injunction and judgment of civil penalty, FTC v. Google et al., 1:19-cv-02642, 12 (SDC 2019).
15. Id. at 9, 11.
16. Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, Fed. Trade Comm’n (June 2017), https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance.
17. 16 CFR § 312.4.