“Algorithmic Justice”: FTC Orders Destruction of Algorithms Following Privacy Violations
By Jeff Johnston and Briana R. Falcon
The Department of Justice, acting on behalf of the Federal Trade Commission, recently took action against WW International, Inc., formerly known as Weight Watchers, and its subsidiary, Kurbo, Inc. (together, “Weight Watchers”). The action related to Weight Watchers’ collection of children’s sensitive health data through a weight loss app designed for use by children as young as eight years old. Data collected through the app was allegedly obtained without verifiable parental consent. In the resulting settlement order, Weight Watchers was required to delete all improperly obtained personal information related to children under the age of 13, pay a relatively small monetary penalty, and, significantly, destroy any algorithms derived from the data. See U.S. v. Kurbo, Inc., et al., FTC Matter No. 1923228 (March 4, 2022).
FTC Commissioner Rebecca Slaughter wrote about ordered destruction of algorithms in a Yale Journal of Law & Technology article. “The premise is simple,” she wrote. “When companies collect data illegally, they should not be able to profit from either the data or any algorithm developed using it.” The Weight Watchers settlement is the third of its kind in as many years. The first came in 2019, with Cambridge Analytica’s high-profile ordered destruction, and the second occurred in 2021 when Everalbum, Inc. allegedly misused facial recognition technology to identify users in photos outside of its app.
World Privacy Forum Executive Director Pam Dixon has said ordered destruction of algorithms is “definitely now to be expected whenever it is applicable or the right decision.” To avoid losing valuable assets, company stakeholders should have a working understanding of privacy principles and know when to seek guidance.
The Fair Information Practice Principles
An important set of privacy principles to be aware of is the Fair Information Practice Principles (“FIPPs”), which originated from a series of reports created by agencies in the U.S., Canada, and Europe. The resulting principles provide widely accepted guidance on the use and exchange of data, and companies receiving, using, or sharing personal information should consider them from the outset.
- The Collection Limitation Principle. Appropriate limits should be placed on the collection of personal information. All data should be obtained through lawful means, and collection should not exceed the scope of the consent provided by the data subject.
- The Data Quality Principle. To the extent possible, data should be complete and accurate. In addition, data should be useful in that it matches the purpose for which it was collected.
- The Purpose Specification Principle. At the time of collection, a data subject should be made aware of the purpose for which personal information is being collected. The company should then proceed to use the collected data to fulfill only the specified purpose.
- The Use Limitation Principle. As a more granular version of the purpose specification principle, the use limitation principle provides that personal information should not be used for any particular application which exceeds the consent provided by the subject or which is unlawful.
- The Security Safeguards Principle. “Reasonable security measures” should be implemented to protect personal information from loss or unauthorized access, disclosure, destruction, or modification.
- The Openness Principle. This principle relates to transparency. After being advised by privacy or investigations counsel, companies should adopt an approach of openness about privacy practices and changes. Data subjects should have ready access to policies outlining how data is used and shared.
- The Individual Participation Principle. Data subjects are generally permitted to confirm whether a company has data related to the data subject and to obtain a copy of such data. In addition, a data subject is generally authorized to challenge inaccurate data.
- The Accountability Principle. Finally, companies are often held accountable for accurately documenting compliance with FIPPs and applicable laws.
Vinson & Elkins tracks developments related to government and internal investigations, as well as data privacy laws in the United States and abroad, and helps companies navigate this ever-changing space.
Visit our website to learn more about V&E’s Government Investigations and Cybersecurity & Data Privacy practices. For more information, please contact Vinson & Elkins lawyers Jeff Johnston and Briana R. Falcon.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.