The company formerly called Weight Watchers — now known as WW International — was caught violating federal online data privacy protections for children. See NYT media report here. The federal act in question is the Children’s Online Privacy Protection Act (“COPPA”) which, among other requirements, prohibits collecting data concerning children without explicit consent from parents. COPPA applies to websites and also to phone and device apps.
COPPA was passed by Congress in 1998 to protect the online privacy for children — particularly under the age of 13. Like many data privacy statutes, various disclosures are required, opt-outs are allowed and consent for the collection of data must be obtained from at least one parent. Among the notice requirements are:
- Prominent posting of the website’s or app’s privacy policies
- Posting of notice to parents of what data will be collected, how it will be used and with whom it will be shared
COPPA also requires the following:
- The obtaining of verifiable consent from at least one parent before collection of personal data from or about children
- Offering an “opt-out” for parents allowing them to prohibit disclosure
- Allowing parental access to their child’s personal data to review
- Allowing parents the ability to have data deleted
- Requiring that all data be securely maintained
- Retaining personal data on children for only so long as is necessary and deleting said data thereafter
- Ensuring complete destruction and deletion of data
The Federal Trade Commission (“FTC”) is tasked with enforcing COPPA. COPPA applies to any websites or services that are specifically marketed to children and to websites or apps where the owners have knowledge that they are collecting, using, or disclosing personal information from children under 13.
Weight Watchers (“WW”) created a phone app called Kurbo which was geared and marketed to children. As described, the Kurbo app was marketed as a way to help kids lose weight. To use Kurbo, children were asked to input various data like their height, weight, age and weight-loss goals. Children were then asked to input what they ate and how/when they exercised. As described here in the Federal Trade Commission’s press release, Kurbo also collected personal information such as names, email addresses and birth dates.
Based on complaints filed by pediatricians, nutritionists and children advocates, the US Department of Justice and the Federal Trade Commission (“FTC”) opened an investigation against WW and its Kurbo app. The investigation uncovered facts showing that data was being collected on children as young as 8 years old.
As noted, COPPA imposes an affirmative duty on websites and apps geared towards children to obtain parental consent. That affirmative duty means that the registration process CANNOT be lax and designed to allow children to avoid obtaining parental consent. This is particularly what the Department of Justice and the FTC found. As described in the media report and the press release, until late 2019, children could register for Kurbo by clicking that they were a parent or a child over the age of 13 signing up for themselves. There was no sort of verification required. In addition, there was no verification required for the birth date of the child being registered. The DOJ and FTC investigation found hundreds of examples where children registered “as” a parent or “as” an over-13 year old. When users later corrected their birth dates showing them to be under the age of 13, they were allowed to continue using Kurbo.
According to the FTC, the method of registration was a clear violation of COPPA. This was deemed a clear effort to bypass the parental notice and consent requirements by letting children register without involving a parent. The FTC also found that WW violated COPPA by not providing the notice and disclosure documentation required by COPPA even when a parent was legitimately registering a child. Finally, the FTC found that WW violated COPPA’s data retention provisions. As noted, COPPA requires deletion of information when the information is no longer needed. However, WW retained children’s personal information indefinitely and only deleted the data when requested.
As a result of these COPPA violations, WW International and Kurbo agreed to settle the enforcement action by agreeing to delete personal information illegally collected from children under 13, destroy any algorithms derived from the data and pay a $1.5 million penalty. If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.