Insights < BACK TO ALL INSIGHTS
The FTC Weighs In: Online Services Must Be Diligent When Kids’ Privacy At Stake
The FTC Weighs In: Online Services Must Be Diligent When Kids’ Privacy At Stake
By: Nicole Kardell
WW International (f/k/a Weight Watchers) seems to be doing children a service: the company developed an online program tailored to address childhood weight issues. The program, offered by WW subsidiary Kurbo, has an app, youthful professional coaches, and many features that look promising both to attract and to retain program young subscribers. Plus, the program touts peer-reviewed published research demonstrating its success. With some 20 percent of children in the U.S. considered obese (and that statistic pre-dates COVID)[1], programs that help to address this pervasive health problem are needed and welcomed by many parents and medical professionals.
So why is the government going after WW and Kurbo? It comes down to privacy. The Federal Trade Commission recently entered a settlement with WW International, Inc., and its subsidiary Kurbo, Inc., over allegations that the Kurbo program violated federal children’s privacy law because it did not properly vet children under 13, provide notice and obtain consent from these children’s parents, or properly notify parents of Kurbo’s data collection practices.
While there is no omnibus federal privacy law at this point, there are federal laws that address privacy in certain sectors (e.g., healthcare and banking) or for certain types of information. Children’s information is covered by one of those federal laws. Under the Children’s Online Privacy Protection Act of 1998 (“COPPA”) and its implementing regulations, websites and apps must notify parents and get their express consent before collecting, using, or disclosing the personal data of children under 13. If a website or service is directed to children, as the Kurbo program clearly is[2], that site needs to take steps to ensure that children under 13 are not accessing it without parental consent if the site is collecting their personal data.
The Kurbo program purportedly addressed COPPA with a text stating that children under 13 could only sign up through a parent. But details in the FTC’s action against the company allege that hundreds of children signed up claiming to be over 13 (presumably to bypass the age restriction) and then changed their age to under 13 within their personal profiles when starting to use Kurbo. The FTC asserts that this is a practice that Kurbo should have been aware of and addressed. But, the agency says that Kurbo did not take action until FTC notified the company.
The FTC’s complaint alleged that when Kurbo modified its registration process to deal with the issue, problems continued as the company did not institute a process that would ensure parents actually signed up for children under 13. Moreover, according to the FTC, the company did not provide direct notice of its data collection practices: its notice was buried amid other hyperlinks and details.
The FTC contends that the result was that many children under 13 registered and provided their personal information to Kurbo (their names, email addresses, birth dates, weight, food intake, and physical activity) without parental involvement. And even where there was parental involvement, Kurbo’s data collection practices were insufficiently disclosed.
Was the company setting out to prey upon these children or to sell their personal details to the highest dark web bidder? Not likely. But nonetheless, Kurbo was shy on COPPA compliance: its practices for ensuring it had parental consent for children under 13 were not exactly best practices; nor was its notice on data collection and use.
The FTC’s settlement with WW and Kurbo includes a $1.5 million penalty, a requirement to delete personal data illegally collected from children under 13, and a requirement to destroy any algorithms based off that data.
The takeaway from the FTC’s settlement with WW and Kurbo: Do not give short shrift to compliance requirements. Doing something to address those requirements, when that something is demonstrably subpar, will not save you from potential liability. The FTC pays particular attention to children’s privacy, since it is the enforcement agency under COPPA. This is not the first enforcement action by the FTC against a well-known brand for COPPA noncompliance, nor will it be the last. Here is a list of a few FTC COPPA enforcement actions that we have covered in previous posts. If your organization collects information from the pre-teen set, be meticulous in your disclosures, in gaining consent, and in monitoring how children interact with your services.
[1] See https://www.cdc.gov/obesity/data/childhood.html.
[2] See .