As readers of CPW know, the Federal Trade Commission (“FTC”) has made it clear that privacy and security will be top-of-mind issues for the Commission for the foreseeable future. Recently, the FTC announced its settlement with WW International, Inc.—formerly known as Weight Watchers (“Weight Watchers”)—over claims the company violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting children’s personal information without providing notice or obtaining parental consent.

The settlement requires the company to pay a $1.5 million penalty, delete personal information that was improperly collected from children, and destroy any models or algorithms developed with the use of that data. Importantly, the settlement illustrates the FTC’s increased focus on children’s privacy, as well as the Commission’s increased reliance on the disgorgement remedy in privacy and security enforcement actions—including in the AI context.

I.     Factual Background & FTC Allegations

By way of background, COPPA requires that websites, apps, and online services that are child-oriented or knowingly collect personal information from children notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13. It was passed in 1998 amid rising concerns regarding children’s privacy online. Unlike other some other federal regulatory regimes, both the FTC and state attorneys general have concurrent jurisdiction to enforce COPPA (meaning as a practical matter private entities are subject to potential regulator scrutiny at both the state and federal level for alleged COPPA violations).

Weight Watchers marketed a health and wellness app and website to both adults and children that allowed users to track their food intake, activity, and weight. The app also collected personal information, including names, email addresses, and birth dates. Up until late 2019, users could sign up for the app by indicating (1) they were a parent registering their child or (2) a child over the age of 13 signing up for themselves.

The non-neutral age gate that was presented by Weight Watchers at registration indicated to younger users that they could sign up without a parent by falsely claiming they were at least 13. Not only that, hundreds of users who signed up for the app did, in fact, circumvent the age gate by creating an account and later revising their profiles to reflect their true age. Despite this, these users were still permitted to access the app without parental involvement. Further, while the company implemented a new age gate in late 2019 that removed any reference to being “at least 13” and indicated that individuals under the age of 13 needed parental permission to use the app, Weight Watchers’ screening mechanism still failed to ensure that users who selected the parent signup option were truly parents—and not children attempting to bypass the age restriction.

According to the FTC, Weight Watchers violated COPPA as a result of its failure to provide a mechanism to prevent children from using the parent registration option to bypass the age restriction, as well as COPPA’s notice and data retention provisions.

II.     The Settlement Terms and Key Takeaways

The Weight Watchers settlement is comprised of three primary components, all of which carry significant implications for potential FTC enforcement actions going forward.

• First, the company must pay a $1.5 million penalty.

• Second, the company must destroy all personal information that was collected in a manner that failed to comply with COPPA.

• Finally, the company must destroy all models or algorithms developed in whole or in part using improperly collected personal information 

     A.     FTC’s Continued Focus on Children’s Privacy 

There are three major takeaways from the Weight Watchers settlement. The first pertains to the FTC’s increased activity in the children’s privacy space. The Weight Watchers settlement comes on the heels of several other FTC enforcement actions against companies who ran afoul of COPPA. In December 2021, advertising platform OpenX Technologies agreed to pay a $2 million penalty to resolve similar FTC allegations that it collected children’s personal information without parental consent. And in July of last year, online coloring book app Kuuhuub agreed to a $3 million penalty to settle COPPA allegations as well.

Relatedly, during his State of the Union address President Joe Biden urged Congress to strengthen children’s privacy protections and clamp down on companies that improperly collect children’s personal information.

Taken together, companies that market their online products or services to children—or otherwise collect children’s personal information—are well-advised to review their compliance with COPPA’s requirements to mitigate the heightened legal risk posed by the FTC’s increased emphasis on children’s privacy.

     B.     Utilization of Disgorgement Remedy

The second major takeaway pertains to the requirement that Weight Watchers destroy any models or algorithms developed through the use of personal information that was improperly collected from minors in violation of COPPA.

Importantly, the Weight Watchers matter marks the first time that the FTC has utilized this enforcement tool—known as disgorgement—in a COPPA case. This is part of a larger shift by the FTC to prioritize “meaningful disgorgement” as a remedy in privacy and security and enforcement actions. Disgorgement was first used by the FTC in its first enforcement action specifically targeting improper facial recognition practices with photo developer Everalbum, Inc. As part of the settlement, Everalbum was forced to delete not only all photos and other user data that had been improperly collected and/or retained, but also all facial recognition algorithms that were developed with Everalbum’s ill-gotten data.

Shortly after the Everalbum settlement—during remarks at the 2021 Future of Privacy Forum—the FTC’s then-Acting Chairwoman, Rebecca Kelly Slaughter, noted that where companies unlawfully collect and/or use consumers’ personal information, the FTC would seek disgorgement of both the improperly collected data, as well as any benefits from that data—pointing to Everalbum as an example of how the FTC could leverage disgorgement in privacy and security matters.

     C.     Algorithmic Disgorgement As New Normal In Near Future?

Third, the Weight Watchers settlement not only represents a continuation of the disgorgement remedy trend in FTC enforcement actions, but also indicates that algorithmic disgorgement may soon become a standard component in future FTC settlements. This may have a particularly outsized impact on developers of artificial intelligence and related technologies which rely heavily on the development of advanced algorithms.

This settlement is yet another example of the FTC’s focus on the impact AI can have in relation to consumer privacy and related issues.  In December the FTC issued a notice (“Notice”) that it was “considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.”

There are a range of privacy, cybersecurity and AI issues that the FTC may seek to regulate as previewed by its Notice, should internal disagreement at the agency not stall this effort in 2022.  For instance, as seen in an April 2021 release the FTC has increasingly cautioned that AI may be utilized and “inadvertently introduce[e] bias or other unfair outcomes” to medicine, finance, business operations, media, and other sectors.  In addition, the FTC declared algorithmic and biometric bias as a focus of enforcement in resolutions passed in Fall 2021.