WW International (previously known as Weight Watchers) and Kurbo, a WW-run app that allows children and teens to track their weight and calorie intake, were ordered on March 4 to pay $1.5 million in fines for privacy violations.
The FTC has levelled multiple complaints against Kurbo. The app’s sign-up process provides two options: a minor 13 years or older can sign up on their own, or a parent can sign up on behalf of a child under 13. This complies with COPPA regulations that companies not collect personal data on children under 13 without parental consent. However, the FTC found that Kurbo failed to verify that users who claimed to be 13 or older actually were. Aside from the obvious problem of marketing drastic weight loss programs to children as young as 8, this also meant that Kurbo collected data on a large number of users under the age of 13—sometimes knowingly, after birth dates were edited.
The FTC also stated that Kurbo failed to properly inform users, especially parents, of the information collected. The app’s privacy notice was accessible through a single hyperlink in a long list of other links, and was not made more accessible following revisions in 2019. These hindrances made it difficult to prove “informed consent” of data collection.
The investigation also found that Kurbo kept children’s data indefinitely. The app only deleted information when a parent explicitly requested it. While COPPA technically allows this for children over 13, the large number of underage users means that Kurbo held onto the personal private data of users as young as 8 years old.
In addition to the $1.5 million penalty, the FTC has also ordered WW International and Kurbo to:
- Destroy all personal data collected in violation of COPPA (unless parents explicitly allow the data to be retained)
- Destroy any algorithms derived from this illegally collected data
- Destroy legitimately collected data on users under 13 after the user has not logged into Kurbo for a year
More than likely, Kurbo’s poor privacy management came from simple neglect rather than malicious intent. But this makes their violation no less serious. Their actions demonstrate that they did not care enough about their customers’ private data, or about the laws protecting said data, enough to take substantial action. Had they used a privacy compliance software like 4Comply to track their activity, they may have avoided these penalties.
Contact us today to learn more about 4Comply and avoid the same mistakes WW International made.