Peter A Clarke

The Federal Trade Commission ( the “FTC”) took action against the successor to Weight Watchers, Kurbo Inc and WW International (the “Defendants”), by a complaint filed 16 February 2022.  Settlement was reached last month.  The alleged breaches of the Federal Trade Commission Act and the Children’s Online Privacy Act are quite egregious, including:

•   not providing any form of notice to parents that Defendants were collecting personal information from children, or seek to obtain parents’ consent for that collection until November 2019
• a notice to parents that the defendant’s app was collecting personal information relating to a child was incomplete as it did not specify all of the categories of personal information collected from the child
• until August 2021, Defendants retained personal information collected online from children indefinitely, only deleting the information when specifically requested by a parent—even if the user’s account had been dormant for multiple years

The terms of settlement follows a standard structure used by the FTC and in this context:

• restraining the Defendants to continue with the breaches alleged;
• requiring the Defendants to destroy all Personal Information Collected  within 30 days from accounts that have not, by that date, received direct notice and provided Verifiable Parental Consent;
• destroying any models or algorithms developed in whole or in part using Personal Information Collected from Children
• ordering the Defendants to pay the sum of $1,500,000 as a civil penalty
• requiring the Defendants to enter into a compliance program including providing a compliance notice for 10 years, create specific records for inspection for 10 years. 

What is particularly interesting about this settlement is the requirement for the Defendants to destroy algorithms that were developed or created using personal information unlawfully obtained from children in breach of the legislation.  This is a significant development in regulation.  It underlines how intrinsic the use and collection of personal information is in the development and refinement of algorithms is and how important algorithms are in the development of services.  It would be incongruous to require the deletion of personal information but not make an order destroying the algorithms that were developed using that very information.

The Atlantic’s piece Putting Kids on Diets Won’t Solve Anything in August 2019 was an expose on the problematical premise of marketing diets to children as young as 8 and the poor consent protocols in its app.  It had a direct impact on the Defendants with a change in in November 2019 to the app’s consent requirements and notices.  Even so they remained inadequate.  Given this issue was made quite public and notorious in August 2019 the FTC was surprisingly slow in taking action, not making a complaint until February 2022.  Even with the usual lag associated with collecting evidence, making enquiries, given the nature of the breaches it is quite a lethargic prosecution.  

The FTC press release provides:

In a complaint, filed by the Department of Justice on behalf of the Federal Trade Commission, the agency alleged that WW International, Inc., formerly known as Weight Watchers, and a subsidiary called Kurbo, Inc., marketed a weight loss app for use by children as young as eight and then collected their personal information without parental permission. The settlement order requires WW International and Kurbo to delete personal information illegally collected from children under 13, destroy any algorithms derived from the data, and pay a $1.5 million penalty.

“Weight Watchers and Kurbo marketed weight management services for use by children as young as eight, and then illegally harvested their personal and sensitive health information,” said Federal Trade Commission Chair Lina M. Khan. “Our order against these companies requires them to delete their ill-gotten data, destroy any algorithms derived from it, and pay a penalty for their lawbreaking.”

“Parents have a right to know and consent before companies collect their children’s personal information,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The department is committed to enforcing the protections against unauthorized collection of information from consumers, particularly children.”

WW International and Kurbo market a health and wellness app and website called Kurbo by WW for use by children as young as eight, in addition to teens and families. The app tracks their food intake, activity, and weight, and also collects personal information such as names, email addresses, and birth dates. Until late 2019, users could sign up for Kurbo by WW’s service either on the app or website by indicating that they were a parent signing up for their child or a child over the age of 13 signing up for themselves.

The FTC’s Children’s Online Privacy Protection Act Rule (COPPA Rule) requires that websites, apps, and online services that are child-directed or knowingly collect personal information from children notify parents and get their consent before collecting, using or disclosing personal information from children under 13.

The complaint alleged that Kurbo by WW’s signup process encouraged younger users to falsely claim they were over the age of 13, despite text indicating that children under 13 must sign up through a parent. In fact, from 2014 to 2019, hundreds of users who signed up for the app claiming to be over the age of 13 later changed their birthdates on their profiles to indicate they were really under 13, according to the complaint. These users nonetheless continued to have access to the app until FTC staff contacted the companies.

In 2020, the signup option for children over 13 was revised but problems with the signup process remained, according to the complaint. Kurbo also failed to provide a mechanism to ensure that those who choose the parent signup option were indeed parents and not a child trying to bypass the age restriction, the complaint alleged.

In addition, the complaint alleged that parents who signed their children up on the company’s website or an affiliate’s website were shown a notice about information collection only if they clicked a hyperlink buried in a string of other links. Despite changes made to its direct privacy notice in 2019, Kurbo by WW still failed to comply with the COPPA Rule’s notice requirements, according to the complaint.

Finally, the complaint alleged WW and Kurbo violated the COPPA Rule’s data retention provisions by retaining children’s personal information indefinitely and only deleting it when requested by a parent. As part of the settlement, the companies are also prohibited from retaining data collected in the future from children under 13 for more than a year after the last time a child uses Kurbo by WW.

The settlement order also requires the companies to destroy all personal information previously collected that did not comply with the COPPA Rule’s parental notice and consent requirements unless the companies’ obtained subsequent parental consent to retain such data. The settlement also requires the companies to destroy any affected work product that used data illegally collected from children in violation of COPPA.

As is normally the case the settlement attracted quite unwelcome media attention from the New York Times, the Guardian, Forbes and CBS News to name but a few