The Federal Trade Commission (FTC) recently settled with Weight Watchers (WW) and its subsidiary Kurbo for alleged violations of the Children’s Online Privacy Protection Act (COPPA). COPPA requires websites, apps and other online services to obtain express parental consent prior to collecting, using or disclosing personal information of children under 13. It is a complex rule, but generally, to be subject to this rule, websites must either (1) be directed to children or (2) have actual knowledge of the collection of data from children under 13. This case involved a product directed to children, actual knowledge and multiple violations of COPPA.
Kurbo is a weight management product for children and teens. According to the complaint, children as young as 8 created accounts on the Kurbo app to track their weight, food intake and physical activity. Consumers interested in using the Kurbo app would first encounter an age gate, asking them to pick one of the following options: (1) I am a parent. I’ll sign myself up first so I can support my child on the Kurbo program; or (2) I am at least 13 and using the app for myself without parental supervision. If a child selected the second option, they would be prompted to provide their date of birth, and if they entered an age of 13, they would be able to enter the app. The FTC alleges that in hundreds of instances, children under 13 circumvented the age gate by later revising their birthdate to reflect their true age. A more compliant age gate should be as neutral as possible and ideally be buttressed with some form of tracking technology to prevent multiple attempts.
COPPA also requires covered companies to “make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives direct notice of its information practices.” The FTC alleged that Kurbo made no attempt to provide parents with notice through the app. And on the desktop version, the notice was buried in a pile of other hyperlinks. Proper notice must always be given when data is collected from children to ensure that there is meaningful consent. Kurbo’s data deletion procedure also allegedly ran afoul of the COPPA requirement, which states that companies may keep data “for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” Until 2021, data was retained indefinitely unless there was a specific deletion request. That does not cut it for COPPA purposes.
WW agreed to pay a $1.5 million civil penalty to settle the matter. There is one additional provision in the order that is worth flagging. Similar to the Everalbum case from 2021, the order requires defendants to delete “any models or algorithms developed in whole or in part using Personal Information Collected from Children through the Kurbo Program,” except for such materials that they are required to retain for delineated reasons such as legal obligations. There is no indication of whether and what algorithms would be subject to this provision, but this is clearly a provision that the FTC will be seeking more frequently going forward. And depending on the models or algorithms at issue, this is a provision that could create real challenges. Complying with COPPA and handling children’s data requires a precise approach.