FTC Orders Company to Delete Algorithms Made with Data Alleged to Be Improperly Obtained

According to a complaint filed by the Department of Justice (DOJ) on behalf of the FTC, WW International was alleged to have illegally collected children’s personal information without their parents’ consent through Kurbo for WW, a health and wellness platform marketed to children as young as eight. Children’s personal information is protected at the national level by the Children’s Online Privacy Protection Act and its implementing regulations (together, COPPA).² Companies who direct content at children under the age of 13 must obtain parental consent before collecting users’ personal information. Although Kurbo informed users that children under age 13 must sign up through a parent, Kurbo’s sign-up process allegedly encouraged children to sidestep parental consent by registering as if they were themselves a parent or at least 13 years old. Once registered, hundreds of children then changed their ages to under 13, but Kurbo continued to collect their personal information without obtaining parental consent. The complaint further alleged that WW International violated COPPA’s data retention policies by keeping children’s personal information indefinitely unless a parent affirmatively requested that the child’s data be deleted. WW International admitted no wrongdoing in its settlement with the FTC.

Algorithm Destruction as an Enforcement Mechanism

While the FTC has previously ordered monetary fines and data deletion in settlements for improper data collection practices (such as the recent action against CafePress),³ requiring algorithm destruction is a novel approach that heightens the stakes of compliance by implicating a company’s valuable intellectual property. The FTC first deployed algorithm destruction as a penalty in a January 2021 settlement with EverAlbum. There, the company allegedly used users’ photos to develop facial recognition technology without users’ consent or knowledge.⁴ Since then, the FTC has expressed further interest in utilizing this penalty as an enforcement mechanism. In an August 2021 article for the Yale Journal of Law & Technology, FTC Commissioner Rebecca Slaughter and her co-authors wrote, “[t]he premise is simple: when companies collect data illegally, they should not be able to profit from either the data or any algorithm developed using it. . . . This innovative enforcement approach should send a clear message to companies engaging in illicit data collection in order to train AI models: Not worth it.” The FTC also announced its intent to explore rulemaking that would address algorithmic harm in December 2021.⁵ These indications all suggest that the FTC will seek to employ algorithm destruction as an enforcement tool going forward, making it all the more imperative for companies to assess and ensure their compliance with applicable data collection and data privacy laws.

¹ Press Release, FTC Takes Action Against Company Formerly Known as Weight Watchers for Illegally Collecting Kids’ Sensitive Health Data, Federal Trade Comm’n (March 3, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-company-formerly-known-weight-watchers-illegally-collecting-kids-sensitive.

² 15 U.S.C. §§ 6501–6506.

³ Press Release, FTC Takes Action Against CafePress for Data Breach Cover Up, Federal Trade Comm’n (March 15, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover.

⁴ Press Release, FTC Finalizes Settlement with Photo App Developer Related to Misuse of Facial Recognition Technology, Federal Trade Comm’n (March 7, 2021), available at https://www.ftc.gov/news-events/news/press-releases/2021/05/ftc-finalizes-settlement-photo-app-developer-related-misuse-facial-recognition-technology.

⁵ Statement of Regulatory Priorities, Federal Trade Comm’n (December 15, 2021), available at https://www.reginfo.gov/public/jsp/eAgenda/StaticContent/202110/Statement_3084_FTC.pdf.