Consumers’ health information is already a particularly sensitive category. But health information and other personal data from kids as young as eight? That can raise privacy concerns to the stratosphere. A $1.5 million FTC settlement with WW International, Inc. – you know them by the previous name Weight Watchers – and its subsidiary Kurbo, Inc., underscores the principle that collecting and maintaining that kind of information raises a company’s compliance responsibilities. Where does the FTC say the defendants went wrong in this case and what guidance can your business glean about the Children’s Online Privacy Protection Act Rule? Read on.
The COPPA Rule requires that websites, apps, and online services notify parents and get their express consent before collecting, using, or disclosing personal information from kids under 13. The Rule applies in two distinct circumstances: 1) if the site, app, or service is directed to children under 13; or 2) if the site, app, or service has “actual knowledge that it is collecting personal information” from kids in that age group. (Section 312.2 of the Rule includes standards to apply in making those determinations.) The FTC alleges that WW International and Kurbo violated the COPPA Rule in the operation of their Kurbo weight loss app.
In addition to teens and other family members, kids as young as eight can use the Kurbo app to track their weight, food intake, and physical activity. The app collects other personal information, too – for example, names, email addresses, and birth dates. Until late 2019, users could sign up for the service on the app either by indicating they were a parent signing up for their child or that they were a child 13 or over signing up for themselves.
But according to the complaint, which the Department of Justice filed on behalf of the FTC, the defendants’ enrollment process actually resulted in many users under 13 signing up without a parent’s permission. Yes, there was text saying that children under 13 needed to sign up through a parent. But from 2014 to 2019, hundreds of users who signed up for the app claiming to be over 13 later changed their personal profiles to include birthdates that revealed they were actually younger than that. Despite that fact, the FTC says WW and Kurbo continued to give those kids access to the app. That practice didn’t stop until FTC staff contacted the companies.
What’s more, in 2020, the defendants updated the sign-up option for those 13 and over, but the FTC says problems with the process continued. According to the complaint, the defendants failed to provide a mechanism to ensure that users who selected the parental sign-up option were really parents – and not just kids trying to bypass the age restriction.
In addition, Section 312.4 of the COPPA Rule requires that a COPPA-covered company “make reasonable efforts, taking in account available technology, to ensure that a parent of a child receives direct notice” of its information practices. But according to the FTC, until November 2019, WW and Kurbo made no attempt to provide notice to parents through the app, and parents who signed their children up on the defendants’ or an affiliate’s website were shown a notice about information collection only if they clicked a hyperlink buried in a string of other links. The complaint further alleges that despite changes made in 2019, the defendants still failed to comply with COPPA’s requirements about what the direct notice must tell parents. The FTC also says that WW and Kurbo violated the COPPA Rule’s data deletion provisions by retaining children’s personal information indefinitely and deleting it only when requested by a parent.
In addition to imposing a $1.5 million civil penalty, the settlement requires the defendants to overhaul their information practices relating to kids and their COPPA compliance efforts. WW and Kurbo also must delete all illegally collected data within 30 days of the order unless it provides direct notice and obtains parental consent to use this previously collected data in a manner compliant with COPPA. They also must destroy any algorithms derived from the illegally collected data. In the future, they’ll have to destroy any data collected from kids under 13 if it’s been more than a year since the child used the app.
The case suggests three compliance pointers for other companies.
Check the lock on your age gate. It’s not out of the question that a kid under 13 may try to access services on your site or app, especially if – as in this case – you provide services for children under 13. Wise companies think through the practical implications of their screening processes and know that they can’t avoid their COPPA obligations by setting up a non-neutral age gate to exclude the very users that their site or app is intended to attract. (Think of it this way: How effective would it be to put up a sign in front of a playground that says “Open only to parents and children 13 and over” and expect to keep out everyone younger?) Also, if you intend to offer services on a site or app that are reserved for older users, keep an eye out for other evidence that suggests unauthorized use – for example, a different birthday on a profile page.
Honor COPPA’s notice requirements. When it comes to the collection of kids’ information online, COPPA puts parents in the driver’s seat. The Rule is specific in its notice requirements and companies must make it easy for Dads and Moms to get details about their information practices.
Delete data diligently. Data retention under COPPA isn’t a forever proposition. Under Section 312.10, you may retain kids’ personal information “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” After that, you have a legal obligation to delete it in a way that ensures it’s been securely destroyed. Read Under COPPA, data deletion isn’t just a good idea. It’s the law for practical insights.
Find more compliance resources on the FTC’s Children’s Privacy page.