Earlier this month, the US Federal Trade Commission (FTC), a civil law enforcement agency, published a settlement order requiring WW International, Inc. (formerly known as Weight Watchers) and its subsidiary Kurbo to delete the personal data illegally collected from children under 13 and to destroy any algorithm or AI model built using such data. The company offered a health and wellness online service designed and marketed for children, which tracked their food intake, activity, and weight. In order to achieve this purpose, the company also collected names, heights, email addresses, and persistent identifiers. Children over 13 could sign up to the service themselves, whereas children over 8 could only use the service if their parents gave their consent.
The Department of Justice had previously filed a complaint, on behalf of the FTC, that WW International was collecting the personal data of minors over the age of 8 without parental authorisation. The agency claimed that the company’s sign-up procedure encouraged minors to pretend that they were over 13. The FTC considered that WW International, via Kurbo, failed to provide a mechanism to ensure that consent was given by adults (parents) and not minors bypassing the restriction. The agency also considered that the company had failed to obtain the required parental consent before collecting, using and disclosing the personal data of minors that were using the service. The agency also claimed that the company had also failed to comply with the Children’s Online Privacy Protection Act of 1998 (COPPA) and with the Commission’s Children’s Online Privacy Protection Rule (the COPPA Rule) which requires websites, apps, and online services that collect data from minors under the age of 13 to obtain the parents’ consent prior to processing the data. As well as providing parents with insufficient information, the company also violated the data retention provisions required by law.
The settlement order demands that the companies “destroy all personal information previously collected that did not comply with the COPPA Rule’s parental notice and consent requirements unless the companies obtained subsequent parental consent to retain such data.” The agency also requires that WWI and Kurbo “destroy any affected work product that used data illegally collected from children in violation of COPPA.” In addition, an economic sanction was imposed on the company.
It is not the first time that the FTC has ordered that an algorithm constructed using unlawfully collected data be destroyed. The first time that the agency acted similarly was as a result of the Cambridge Analytica case, where the company was ordered to destroy the data collected from Facebook users, including algorithms built using this data. On another occasion, the agency penalised the photo-sharing application “Everalbum” for using facial recognition technology to identify individuals without offering the subjects the possibility to opt out. The company was also sanctioned for using its users’ data to help build its FRT. The agency ordered the company to destroy photos, videos, and facial and biometric data collected from its users, as well as to delete the products built using this data.
This decision has been seen as a measure that can ‘modernize’ FTC enforcement of how companies companies do business in current data-centric business models. Pam Dixon of the World Privacy Forum has stated that the agency could use ‘algorithmic disgorgement’ as a “standard enforcement mechanism”. According to members of the Electronic Privacy Information Center, this highlights the need for laws that protect online privacy “to safeguard consumers from AI harm”, not only for the sake of children under 13.