The FTC recently took two well-publicized steps in the children’s privacy space. First, it penalized WW International (formerly, Weight Watchers) and its subsidiary, Kurbo, for alleged COPPA violations. Second, it unanimously voted to adopt a new policy statement on education technology and COPPA. These actions follow its March COPPA settlement with TickTalk Tech.
Kurbo is a wellness app marketed to children as young as eight. According to the FTC, the registration process contained a non-neutral age gate: children who self-identified as under 13 were prompted to register through a parent portal. Those over 13 could register on their own. The FTC found that while the age gate was theoretically intended to screen users under 13, it lead children towards the 13+ option: an option that allowed them to successfully register and give Kurbo personal information without parental consent. Moreover, children who initially entered false birth dates to access the app were later able to correct their birth dates.
Hundreds of users revised their ages after signing up, putting Kurbo on notice that they were under 13. Kurbo deactivated those accounts only after receiving notice from the FTC in late 2021. At that time, Kurbo provided notice to parents about its information collection practices. It did not attempt to get parental consent or confirmation, however. The notice also did not tell parents that persistent identifiers were collected through the website and app. Also of concern for the FTC, until late 2021 Kurbo kept user information indefinitely, in violation of the COPPA (which allows information retention only for as long as needed for the collected purpose).
Kurbo has agreed to pay $1.5 million and delete personal information that was improperly collected from children. As part of the settlement, Kurbo also agreed to destroy any models or algorithms developed in whole or in part using personal information collected through the app. This is a unique penalty that the FTC had not imposed before.
This action against Kurbo is likely not the last COPPA case we will see in 2022. The FTC recently indicated that it will “crack down on” EdTech companies that improperly surveil students while they use EdTech tools for learning. This warning accompanied the FTC’s EdTech policy statement. In that statement, the FTC reminded companies of several important elements of COPPA.
These elements include not conditioning a child’s participation in an activity on providing more information than necessary. (This restriction is similar to the EDPB’s recent “dark patterns” warning.) It also includes securing information and not retaining information longer than necessary. Finally, the FTC also reminded companies who provide EdTech tools under school authorizations that they can collect and use information only for the requested online education service. They cannot use the information for unrelated commercial purposes like marketing and advertising.
Putting it Into Practice: In light of the recent EdTech warning, and the settlements with Kurbo and TickTalk, we anticipate more COPPA decisions from the FTC in the coming months. Companies should keep in mind cautions about data limitation, and keep in mind settlement terms that include destroying information – and the analytics derived therefrom.