Two regulatory authorities recently took enforcement actions against two very different companies in the area of children’s privacy rights. The outcomes reached—one of which includes a $1.5 million penalty and the deletion of “tainted” data—signal that the regulatory and self-regulating entities intend to continue prioritizing enforcement of the Children’s Online Privacy Protection Act (COPPA).
WW International Settlement and Penalty
According to the Federal Trade Commission (FTC), WW International (formerly known as Weight Watchers) and Kurbo, a subsidiary that operates a program on healthy eating for children and teenagers, marketed a wellness app to children as young as age 8 and collected their personal information without obtaining verifiable parental consent.
WW International and Kurbo agreed to pay a $1.5 million penalty and delete personal information collected from children under 13. The FTC also required WW International to destroy any algorithms derived from the data—a first-of-its-kind penalty in a children’s privacy case that could have far-reaching ramifications not only for WW International but also for any other company that potentially violates COPPA. Finally, the FTC required WW International to delete information related to children under 13 if they have not used the app in more than a year.
The Children’s Advertising Review Unit (CARU), the first COPPA Safe Harbor Program approved by the FTC, concluded that a smartphone and related app for children failed to comply with COPPA and CARU’s Self-Regulatory Guidelines for Children’s Online Privacy Protection.
The TickTalk 4 Smartwatch phone and app manufactured and marketed by TickTalk Tech for children ages 5 to 12 failed to provide clear notice of its information collection practices and a way for parents to give verifiable consent to those practices. TickTalk’s website informed users about some, but not all, smartwatch features that collect and share children’s personal information, according to CARU.
TickTalk agreed to correct the violations cited.
Both WW International and TickTalk ran afoul of COPPA in a number of ways. Their missteps can be a learning opportunity for other businesses that offer online products and services to children under age 13. Key takeaways from the WW International and TickTalk enforcement actions indicate that businesses should:
- Ensure sign-up processes do not encourage children to claim that they are 13 (or older) to gain access to an online app or service. The WW International app’s nonneutral age gate was easy to bypass: children could register without involving a parent by indicating they were at least 13.
- Not assume that, because a product is purchased and set up by a parent, the parent has provided verifiable parental consent under COPPA. CARU rejected the argument that a parent had consented to the collection of a child’s personal information from the TickTalk smartwatch because it was purchased and provided to a child by the parent.
- Provide a way for parents to give their informed, verifiable consent to information collection practices prior to actually collecting information from their children. TickTalk’s means of obtaining verifiable consent from parents was easy to miss and not located near its notice about the information collected.
- Delete or deactivate accounts created by children under 13. In WW International’s case, the FTC took issue with the fact that users who falsified their age were allowed to have continued access to the app.
- Make sure privacy notices are prominent, clearly labeled and accurate. WW International provided parents with notice of its data collection practices only if they clicked a hyperlink buried in a string of other links. Parents must be given notice in a direct, clear and conspicuous manner of what information the company can collect from children using its services, both passively and actively.
- Retain personal information about children under 13 only as long as necessary for purposes set out in the privacy notice. WW International retained data indefinitely and only deleted data upon request by a parent.
- Take note that the requirement to delete algorithms, in addition to the data that trained the algorithms, could become a standard FTC enforcement mechanism. The FTC appears to be sending a message to companies that they will not be able to benefit from “ill-gotten data.”