When it comes to health data, comply with COPPA – no kidding


Consumer health information is already a particularly sensitive category. But information about the health and other personal data of children as young as eight? That can send privacy concerns into the stratosphere. A $1.5 million FTC settlement with WW International, Inc. – you may know them by their former name, Weight Watchers – and its subsidiary Kurbo, Inc., underscores the principle that collecting and retaining this type of information increases a company’s compliance responsibilities. Where does the FTC say the defendants got it wrong in this case, and what insights can your company glean about the Children’s Online Privacy Protection Act rule? Read on.

The COPPA Rule requires websites, applications, and online services to notify parents and obtain their express consent before collecting, using, or disclosing personal information from children under 13. The rule applies in two distinct circumstances: 1) if the site, application or service is directed to children under the age of 13; or 2) if the site, app or service “actually knows it is collecting personal information” from children in that age group. (Rule 312.2 includes standards to be applied in making those decisions.) The FTC alleges that WW International and Kurbo violated the COPPA Rule in the operation of their Kurbo weight loss app.

In addition to teens and other family members, kids as young as eight years old can use the Kurbo app to track their weight, food intake, and physical activity. The app also collects other personal information, such as names, email addresses, and dates of birth. Until the end of 2019, users could register for the service on the app either by indicating that they were a parent registering for their child, or that they were a child aged 13 or over registering for themselves.

But according to the lawsuit, which the Justice Department filed on behalf of the FTC, the defendants’ sign-up process actually led to many users under the age of 13 signing up without a parent’s permission. Yes, there was text saying that children under 13 had to register through a parent. But from 2014 to 2019, hundreds of users who signed up for the app claiming to be over 13 later edited their personal profiles to include birthdates revealing they were actually younger than that. Despite this fact, the FTC claims that WW and Kurbo continued to give these children access to the app. This practice did not stop until FTC staff contacted the companies.

Also, in 2020, the defendants updated the enrollment option for ages 13 and older, but the FTC says issues with the process persisted. According to the complaint, the defendants failed to provide a mechanism to ensure that users who selected the parental sign-up option were really parents — and not just children trying to circumvent the age restriction.

In addition, COPPA Rule 312.4 requires that a COPPA-covered company “make reasonable efforts, taking into account available technology, to ensure that a parent of a child is directly informed” of its information practices. But according to the FTC, until November 2019, WW and Kurbo made no attempt to notify parents through the app, and parents who registered their children on the defendants’ or an affiliate’s website received notice about the collection of information only if they clicked on a hyperlink embedded in a chain of other links. The complaint further alleges that despite changes made in 2019, the defendants still failed to comply with COPPA requirements on what the direct notice should tell parents. The FTC also claims WW and Kurbo violated the COPPA Rule’s data deletion provisions by retaining children’s personal information indefinitely and deleting it only at the request of a parent.

In addition to imposing a civil penalty of $1.5 million, the settlement requires the defendants to review their child disclosure practices and COPPA compliance efforts. WW and Kurbo must also delete all unlawfully collected data within 30 days of the order unless they provide direct notice and obtain parental consent to use that previously collected data in a COPPA-compliant manner. They must also destroy all algorithms derived from illegally collected data. In the future, they will have to destroy all data collected from children under 13 if it has been more than a year since the child has used the app.

The case suggests three compliance pointers for other companies.

Check your age gate. It is entirely possible that a child under the age of 13 will try to access services on your site or your application, especially if, as in this case, you provide services to children under the age of 13. Savvy companies think about the practical implications of their screening processes and know that they cannot avoid their COPPA obligations by implementing a non-neutral age limit to exclude the very users their site or application is intended to attract. (Think of it this way: how effective would it be to put up a sign in front of a playground that says “Open only to parents and children 13 and over” and expect it to keep out anyone younger?) Also, if you intend to offer services on a site or app for older users, keep an eye out for other evidence that suggests unauthorized use – for example, a different birthday on a profile page.

Comply with COPPA notification requirements. When it comes to collecting information about children online, COPPA puts parents in the driver’s seat. The rule is specific in its notification requirements and companies must make it easy for moms and dads to get details about their information practices.

Delete the data diligently. Data retention under COPPA is not an eternal proposition. Under Section 312.10, you may retain children’s personal information “only as long as reasonably necessary to fulfill the purpose for which the information was collected.” After that, you have a legal obligation to delete it in such a way as to ensure that it has been safely destroyed. Read “Under COPPA, deleting data isn’t just a good idea. It is the law” for practical ideas.

Find more compliance resources on the FTC’s Children’s Privacy page.