Advisories March 9, 2022

Privacy, Cyber & Data Strategy / Consumer Protection/FTC Advisory: FTC Brings Enforcement Action for App’s Collection of Children’s Personal Data in Violation of COPPA

Executive Summary
Minute Read

Our Privacy, Cyber & Data Strategy and Consumer Protection/FTC teams offer key takeaways from the Federal Trade Commission’s enforcement action in the midst of renewed emphasis on children’s privacy by both the Biden Administration and Congress.

  • The app’s age gate encouraged children to lie about their age to access the app
  • The app retained data indefinitely unless requested by a parent, who didn’t receive proper notice of collection practices
  • An age gate alone is not sufficient to ensure compliance with COPPA
 

On March 4, 2022, the Federal Trade Commission (FTC) announced a settlement of an enforcement action against WW International, formerly known as Weight Watchers, and Kurbo alleging that the companies’ app did not comply with the Children’s Online Privacy Protection Act (COPPA) and the regulations promulgated by the FTC pursuant to COPPA. The complaint, filed in the Northern District of California, alleges that WW violated COPPA by failing to provide notice and obtain verifiable parental consent before collecting personal information from children under age 13 and violated the COPPA Rule by failing to implement proper data retention and deletion practices.

The settlement order requires the companies to pay a $1.5 million civil penalty, delete personal information illegally collected from children under 13, and destroy any algorithms derived from the data. This comes as the Biden Administration and Congress express a continued interest in protecting the personal information and privacy of children.

COPPA and the FTC’s COPPA Rule, which apply to businesses that collect online personal information from users, require covered entities that market their products or services to children under 13, or who have actual knowledge that a user is a child under 13, obtain verifiable parental consent before collecting information from the user. Personal information under the COPPA Rule includes, among other things, names and addresses, phone numbers, email addresses and screen names, persistent identifiers, hobbies and interests, photos or video or audio files, IM details, or geolocation information.

The rule further requires that covered entities provide parents with direct notice of the entity’s practices for the collection, use, or disclosure of personal information from children and that covered entities only retain the personal information collected online from children for as long as is reasonably necessary to fulfill the purpose for which the information was collected.

WW and Kurbo market a weight management app, Kurbo by WW, that tracks food intake, weight, and activity and collects information such as name, date of birth, and email address. The app is marketed to families, teens, and children as young as eight, and therefore is “directed to children” within the meaning of COPPA. The original age gate mechanism implemented by WW and Kurbo in 2014 for Kurbo by WW offered users an option to have a parent register or to indicate the user is 13 or older. In addition, users who registered as 13 or older could update their profile after registration to reflect that they were under 13 without being barred from the app.

FTC staff contacted WW about these features in 2019. WW and Kurbo updated the age gate mechanism in response, but according to the FTC, the new interface still encouraged children under 13 to falsely declare that they are 13 or older in order to use the app. An age gate alone is not sufficient to ensure compliance with COPPA. Covered entities need additional mechanisms or additional actions to ensure the age gate is effective.

The FTC alleged that this insufficient age gate mechanism resulted in WW and Kurbo collecting personal information of children under 13 without securing verifiable parental consent. The FTC also alleged that parents were not provided proper notice of the app’s information collection practices. In the complaint, the FTC notes that parents were only shown a notice containing information about the website’s information collection practices if they clicked a hyperlink buried in a string of other links. According to the FTC, this did not satisfy COPPA’s requirement that the notice be prominent and clearly labeled.

Finally, the FTC alleged that WW and Kurbo retained data indefinitely, only deleting information upon request by a parent. The settlement order from the FTC requires WW and Kurbo to delete information relating to children under 13 if they have not used the app in more than a year.

This enforcement action comes in the midst of renewed emphasis on children’s privacy by both the Biden Administration and Congress. President Biden noted in the State of the Union address on March 1 that it’s “time to strengthen privacy protections,” including banning targeted advertising to children and demanding that tech companies stop collecting personal data on children. Before President Biden’s call for increased protections for children’s sensitive information, Congress showed interest in increasing the safety of children online. Proposed bills include increased protections for children on social media, as well as bans on targeted advertising to children and tighter restrictions on the use of children’s data in marketing.

Key Takeaways

Any entity that markets online products or services to children under 13, or that has actual knowledge that children under 13 use its online services, and collects personal information should consider the following to ensure compliance with COPPA.

  • Maintain a neutral age gate that does not suggest to users to identify their age as 13 or older. Avoid encouraging children to falsify age information by, for example, stating that certain features will not be available to users under age 13, and consider using technical means to prevent children from back-buttoning to enter a different age. Monitor the use of any online services for evidence of unauthorized use, including for birth dates that would indicate a user is under 13.
  • Ensure that both the direct notice required to be provided to a child’s parent when the child signs up for services, and the public notice of the company’s information collection practices for children, are technically accurate and complete. Ensure that the link to the public notice is prominent, clearly labeled, and placed on the home page or landing screen and on every page or screen where information is collected. It should be easy to find and lead directly to a description of the relevant data collection practices.
  • Retain personal information about children under 13 only as long as necessary for the authorized purposes set out in the children’s privacy notice for the online service in question. Ensure mechanisms are in place to delete personal information in a secure manner at the end of this retention period.
Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.