Recent enforcement actions and policy statements by the Federal Trade Commission (FTC) indicate that the Children’s Online Privacy Protection Act (COPPA) is a priority and will remain one throughout 2022. Let’s take a look at some recent decisions and other trends in COPPA enforcement:
Recent Cases Highlighting Trends in COPPA Enforcement
COPPA Enforcement Against Weight Watchers International (March 4, 2022)
Weight Watchers International (WWI) and its subsidiary Kurbo, Inc. (Kurbo) settled with the FTC for $1.5 million for illegally collecting personal information about children.
The FTC alleged that Kurbo by Weight Watchers, a weight-loss app for kids and teens, failed to provide adequate notice and obtain Verifiable Parental Consent before collecting personal information about children under 13, in violation of COPPA.
The information collected included:
- Food intake,
- Physical activity,
- Email address, and
- Date of birth.
This information was collected from children as young as 8 years old. It was retained indefinitely and only deleted if a parent requested it.
Kurbo did use an age gate, but the FTC concluded that this was insufficient and even incentivized children to lie. Hundreds of users said they were over 13, but later changed their personal profiles to include birth dates indicating they were younger.
In addition to the monetary penalty, the settlement requires deletion of all “affected work product”. This includes algorithms derived from the data, marking the first time the FTC has imposed algorithmic disgorgement as a penalty in a COPPA case.
Key Takeaways from the FTC Settlement with Weight Watchers
Firstly, it appears likely that the FTC will impose algorithmic disgorgement in future COPPA cases.
Secondly, businesses should learn from Weight Watchers’ mistakes and be sure to:
- Implement a neutral age gate. A neutral age gate does not say what age a user needs to be to access a service, platform or app.
- Cut off accounts if you later learn a user is too young and seek parental consent before re-allowing access. It is a good practice to also delete the data you collected about the user once you learn they are too young.
- Destroy data collected from children if it has been more than 1 year since the child used the app, service, or platform.
A Quick Note About the FTC and Algorithm Destruction
While not limited to COPPA enforcement, another trend worth noting is the FTC’s increasing focus on algorithmic fairness. The FTC imposed algorithm destruction as a penalty for the first time in 2019 in an order against Cambridge Analytica. The Commission included this remedy again in the 2021 Everalbum settlement, in which the developers of a photo app were required to delete facial recognition algorithms developed through training on data that was improperly collected. It seems the FTC is using this penalty as a deterrent and to prevent companies from benefiting from the improperly collected data in the future. This is similar to other remedies the FTC imposes to prevent companies from benefiting from ill-gotten gains.
COPPA Enforcement Against OpenX Technologies, Inc. (December 21, 2021)
California-based advertising platform OpenX Technologies, Inc. settled with the Federal Trade Commission (FTC) for $2 million relating to allegations that it collected personal information from children under 13 without parental consent.
Specifically, the FTC alleged that OpenX, which operates a real-time bidding platform that monetizes websites and mobile apps by selling ad space, reviewed hundreds of clearly child-directed apps but did not flag these apps or their data and allowed them to participate in the OpenX ad exchange. OpenX passed this personal data to third parties that used the data to target ads to users of the child-directed apps. OpenX also falsely claimed that it did not collect geolocation data from users who opted out of such collection. In fact, OpenX did continue to collect this data from some Android mobile phone users.
In addition to the monetary penalty, OpenX was required to delete all ad request data and to ensure it complies with COPPA. OpenX must also routinely review the apps to identify child-directed apps and ban them from the ad exchange. It must keep records of these banned apps.
Key Takeaway From the COPPA Enforcement Against OpenX
For businesses, the key takeaway is that you are considered on notice if the apps or websites you collect data from are clearly child-directed.
Other Trends in COPPA & Enforcement
EdTech Surveillance an FTC Priority
In May 2022, the Federal Trade Commission (FTC) announced that it will be cracking down on education technology companies that illegally surveil children online. The announcement highlighted the requirement that EdTech companies not deny children access to educational technologies where their parents or school have refused to permit commercial surveillance.
“Students must be able to do their schoolwork without surveillance by companies looking to harvest their data to pad their bottom line,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Parents should not have to choose between their children’s privacy and their participation in the digital classroom. The FTC will be closely monitoring this market to ensure that parents are not being forced to surrender to surveillance for their kids’ technology to turn on.”
The FTC’s policy statement also highlighted the following COPPA provisions:
- Use Prohibitions, which outline that EdTech providers may not collect personal information from children for commercial purposes, including marketing and advertising;
- Retention Limitations, which prohibit EdTech providers from retaining children’s personal information “for longer than necessary”; and
- Security Requirements, which require EdTech providers to have procedures in place to maintain the confidentiality and security of children’s personal information.
Risk for Schools Rapidly Increasing
The COVID-19 pandemic pushed US children (and children around the world) to be more active online than ever before. Virtual learning, virtual socialization, and virtual recreation increased significantly during the pandemic. Meanwhile, kids are getting online at even younger ages.
This clearly results in increased risk for children. But it has also resulted in dramatic increases in the volume of data being collected by schools, as well as the associated risk.
In fact, many schools lack the resources and guidance they need to manage all the new data they are collecting, such as COVID testing data, or to evaluate ed-tech solutions.