The Federal Trade Commission (“FTC”) settled charges with WW International, Inc. (formerly known as Weight Watchers) and its subsidiary Kurbo, Inc. that the companies collected personal information – including sensitive health information – from children without parental notice or consent. Additionally, Kurbo allegedly encouraged users to misrepresent their age in order to access the site and retained information indefinitely, all in violation of the Children’s Online Privacy Protection Act and related regulations (“COPPA”). This settlement highlights the FTC’s continued COPPA-related enforcement efforts.
For background, COPPA applies to companies that operate child-directed websites or online services, or that have actual knowledge that they collect personal information from children (defined as individuals under the age of 13). Before such a company collects personal information from children, COPPA requires it to notify parents of how it collects, uses, and discloses such information and to obtain verifiable parental consent to these practices. COPPA also imposes restrictions on how age-gating can occur and how information from children may be handled.
The FTC’s complaint enumerated a number of factors supporting its claim that Kurbo’s app was child-directed, including marketing and press releases targeting children as young as 8, the app’s simple user interface, use of games and child-oriented lessons, and featured app store reviews from users under 13 years old. The FTC also alleged that Kurbo actually knew that it collected information from children because thousands of users indicated that they were under 13 years old. When parents created an account for their child, according to the FTC, Kurbo did not notify the parents that it collected children’s personal information or obtain verifiable parental consent.
In the settlement, the FTC fined WW and Kurbo $1.5 million and ordered them to delete all children’s personal information obtained in violation of COPPA and any models or algorithms developed using children’s personal information. While the data deletion requirement has often appeared in COPPA settlements, its application to the derived models is appearing more frequently in a range of FTC enforcement actions – for example, last year the FTC required a photo app to delete not only data obtained in alleged violation of the FTC Act, but also algorithms developed with that data. WW and Kurbo must also improve their COPPA compliance and report on these efforts to the FTC.
The FTC complaint suggests several steps companies can take to avoid becoming the target of a COPPA enforcement action. If a company is subject to COPPA, it should post a clear, conspicuous notice to parents about its collection, use, and disclosure of children’s personal information and obtain verifiable parental consent to these practices. If a company uses an age gate to exclude children from using the service, the age gate must be neutral, i.e. the company must not signal to children how they can register without involving a parent. The FTC complaint noted that children could bypass Kurbo’s age gate simply by clicking a button stating they were over 13 years old and entering a birthdate placing them above this age. According to the FTC, this “signaled to children that they could register without involving a parent by indicating they were at least 13 years old.” Further, if users indicate that they are younger than 13 after representing that they are older than 13, companies should seek to bring the collection of personal information from these users into compliance with COPPA or deactivate the users’ accounts. The FTC noted that when some Kurbo users revised their birthdate to reflect an age younger than 13, Kurbo did not seek parental consent or prevent the user from accessing the app, and only deactivated children’s accounts on notice from the FTC.
The settlement cautions companies to take COPPA compliance seriously and offers guidance on how to avoid violations. If your company collects children’s personal information or maintains an age-gate, you may want to check in on the state of your compliance efforts.