On February 16, 2022, the Federal Trade Commission (FTC) filed a proposed settlement order in federal court in its case against WW International, Inc. (formerly known as Weight Watchers International, Inc.) and its subsidiary Kurbo, Inc. (Kurbo) to resolve allegations that the defendants violated the Children’s Online Privacy Protection Act and its implementing rules (COPPA).1 The FTC alleged that the defendants violated COPPA by failing to provide required notices and obtain verifiable parental consent prior to collecting, using, and disclosing personal information from children using their weight loss app. As part of the proposed settlement, the defendants are required to, among other things: 1) update their procedures to ensure that they obtain verifiable parental consent before collecting personal information from children, 2) destroy all of the personal information they obtained in violation of COPPA as well as any models or algorithms based on that information, and 3) pay a civil penalty of $1.5 million.
The FTC’s Complaint
The COPPA Rule applies to online service operators whose service, or a portion of the service, is directed to children under the age of 13 or who have actual knowledge that they collect information from children.2 It imposes rules surrounding the collection, use, and disclosure of personal information collected from children.
According to the FTC’s complaint, Kurbo has offered a weight-management and tracking service designed for and advertised to children as young as eight years old since 2014.3 Despite being specifically created for children, Kurbo did not take the necessary steps for COPPA compliance. The app did not provide notice to parents of its data collection practices until November 2019, and even then, did not solicit parental consent as required for child-directed services.4 The FTC alleged that the notice implemented in 2019 was also deficient, including because it did not clearly and completely specify the categories of information collected from children.5
Further, while the app did present an age screen asking users to provide their age, it did not comply with the FTC’s guidance for a “neutral age screen,”6 because it signaled to users that they could sign up by stating they were at least 13. And users who circumvented the age screen by misrepresenting their age were able to later revise their birth date in their profile to indicate they were in fact under 13.7
Finally, the complaint alleges that the defendants retained the personal information collected from children indefinitely, even if the user’s account had been dormant for multiple years.8 COPPA requires that personal information collected online from children is maintained no longer than reasonably necessary to fulfill the purpose for which the information was collected.9
The Proposed Order
Compliance with COPPA
As is customary in COPPA settlements, the proposed order enjoins the defendants from violating COPPA in the future, including by failing to provide COPPA-required privacy notice to parents; failing to obtain verifiable parental consent prior to processing personal information from children; failing to delete a child’s personal information at the request of a parent; or retaining children’s personal information for longer than is reasonably necessary to fulfill the purpose for which the information was collected.10 The proposed order specifically requires the defendants to delete personal information within one year after “the last instance of a user tracking food, weight, or activity intake.”11
The proposed order also requires the defendants to delete all personal information previously collected from children unless they obtain verifiable parental consent to keep the information within 30 days of the entry of the order.12 Notably, in a first for a COPPA case, it further requires the defendants to delete or otherwise destroy all models and algorithms developed in whole or in part through the use of personal information collected from children through the Kurbo service.13 While past COPPA settlements have prohibited defendants from benefiting from personal information they collected in violation of the COPPA Rule,14 this takes that remedy one step further by explicitly requiring the deletion of algorithms and models based on such information. This is part of a larger shift at the FTC towards “algorithmic disgorgement,” which was also a prominent element in the FTC’s 2021 settlement with Everalbum, Inc. Notably, the deletion requirement applies to algorithms and models that were even partially created using information collected in violation of COPPA; even if the majority of the data used to create the algorithm or model was legally collected, the defendants are still obligated to delete the algorithm or model entirely.
Finally, the defendants must pay a $1,500,000 civil penalty and undergo a 10-year period of compliance reporting.15
To mitigate the risk of an FTC COPPA enforcement action, online services that market to children or know they have a significant child userbase, whether based in the United States or abroad, should pay careful attention to the requirements of the COPPA Rule.
Some key points:
First, this case represents the first time the FTC has challenged a non-neutral age gate under COPPA. A key takeaway: if a company decides to implement an age gate, it should be careful to design a neutral age gate that does not indicate to the user that they should enter a date of birth that would make them over the age of 13. For example, if you have a site that is likely to attract children, you should not suggest that U.S. law requires users to be over 13, or that, if you’re under 13, you should ask your parent to register for you. It is also best practice to prevent users from returning to an earlier page in the registration flow to enter an older birth date once they have already entered a birth date that would make them under the age of 13.
Second, this is also the first time the FTC has alleged a violation of the COPPA provision requiring companies to delete children’s information after it is no longer necessary to fulfill the purpose for which it was requested. In this case, the company apparently kept children’s information indefinitely, which, in general, is probably unwise for children’s information. Make sure you have a retention policy that includes the reasons for the retention period you have chosen.
Third, although it is possible to have an over-13 version of an online service and a separate kids’ version under COPPA’s mixed audience provision, if you become aware of a child who is using the over-13 version, it’s important to remove that child from the service. In this case, kids who had entered an age indicating they were over 13 later revised their birth dates. Weight Watchers allowed them continued access to its app, thus triggering COPPA obligations.
Finally, companies that offer child-directed online services should ensure that they are properly providing notice and collecting verifiable parental consent whenever they collect personal information from children under the age of 13. The FTC has provided guidance to companies on how to verify that the individual providing consent is in fact the user’s parent; companies can also elect to engage in one of the FTC’s pre-approved verification methods.16 As part of this consent process, companies are also obligated to provide information to the parent regarding what information they plan to collect from children, how they intend to use the data, and whether and how they intend to share the data.17
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and has assisted numerous clients regarding compliance with COPPA. For more information, please contact Libby Weingarten, Maneesha Mithal, or another member of the firm’s privacy and cybersecurity practice.
Complying with COPPA: Frequently Asked Questions, Fed. Trade Comm’n (July 2020), https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions-0.
Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, Fed. Trade Comm’n (June 2017), https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance.