June 7, 2023

Volume XIII, Number 158


June 07, 2023

Subscribe to Latest Legal News and Analysis

June 06, 2023

Subscribe to Latest Legal News and Analysis

FTC Continues Focus on Children’s Privacy

The FTC recently took two well-publicized steps in the children’s privacy space. First, it penalized WW International (formerly, Weight Watchers) and its subsidiary, Kurbo, for alleged COPPA violations. Second, it unanimously voted to adopt a new policy statement on education technology and COPPA. These actions follow its March COPPA settlement with TickTalk Tech.


Kurbo is a wellness app marketed to children as young as eight. According to the FTC, the registration process contained a non-neutral age gate: children who self-identified as under 13 were prompted to register through a parent portal. Those over 13 could register on their own. The FTC found that while the age gate was theoretically intended to screen users under 13, it lead children towards the 13+ option: an option that allowed them to successfully register and give Kurbo personal information without parental consent. Moreover, children who initially entered false birth dates to access the app were later able to correct their birth dates.

Hundreds of users revised their ages after signing up, putting Kurbo on notice that they were under 13. Kurbo deactivated those accounts only after receiving notice from the FTC in late 2021. At that time, Kurbo provided notice to parents about its information collection practices. It did not attempt to get parental consent or confirmation, however. The notice also did not tell parents that persistent identifiers were collected through the website and app. Also of concern for the FTC, until late 2021 Kurbo kept user information indefinitely, in violation of the COPPA (which allows information retention only for as long as needed for the collected purpose).

Kurbo has agreed to pay $1.5 million and delete personal information that was improperly collected from children. As part of the settlement, Kurbo also agreed to destroy any models or algorithms developed in whole or in part using personal information collected through the app. This is a unique penalty that the FTC had not imposed before.


This action against Kurbo is likely not the last COPPA case we will see in 2022. The FTC recently indicated that it will “crack down on” EdTech companies that improperly surveil students while they use EdTech tools for learning. This warning accompanied the FTC’s EdTech policy statement. In that statement, the FTC reminded companies of several important elements of COPPA.

These elements include not conditioning a child’s participation in an activity on providing more information than necessary. (This restriction is similar to the EDPB’s recent “dark patterns” warning.) It also includes securing information and not retaining information longer than necessary. Finally, the FTC also reminded companies who provide EdTech tools under school authorizations that they can collect and use information only for the requested online education service. They cannot use the information for unrelated commercial purposes like marketing and advertising.

Putting it Into Practice: In light of the recent EdTech warning, and the settlements with Kurbo and TickTalk, we anticipate more COPPA decisions from the FTC in the coming months. Companies should keep in mind cautions about data limitation, and keep in mind settlement terms that include destroying information – and the analytics derived therefrom. 

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 147

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Snehal Desai, attorney, Sheppard Mullin

Snehal Desai is an associate in the Intellectual Property Practice Group in the firm's San Francisco office. She is a member of the Privacy and Cybersecurity Team, the Advertising Team and the Technology Transactions Team.

Areas of Practice

Advertising: Snehal advises clients in conducting advertising campaigns, contests and sweepstakes, and brand marketing campaigns. 

Technology and Commercial Transactions: Snehal drafts and negotiates...