‘Algorithmic justice’: FTC orders destruction of algorithms over privacy breaches | Vinson & Elkins LLP
The Department of Justice, acting on behalf of the Federal Trade Commission, recently took action against WW International, Inc., formerly known as Weight Watchers, and its subsidiary, Kurbo, Inc. (together, “Weight Watchers”). The action concerned Weight Watchers’ collection of sensitive health data from children through a weight loss app designed for use by children as young as eight years old. Data collected through the app was allegedly obtained without verifiable parental consent. In the resulting settlement order, Weight Watchers was required to delete all improperly obtained personal information about children under the age of 13, pay a relatively small fine and, significantly, destroy all data-derived algorithms. See United States v. Kurbo, Inc., et al., FTC Case No. 1923228 (March 4, 2022).
FTC Commissioner Rebecca Slaughter wrote about the ordered destruction of algorithms in a Yale Journal of Law & Technology article. “The premise is simple,” she wrote. “When companies collect data illegally, they should not be able to profit from the data or any algorithm developed from it.” The Weight Watchers settlement is the third of its kind in as many years. The first occurred in 2019, with the highly publicized destruction order involving Cambridge Analytica, and the second occurred in 2021, when Everalbum, Inc. allegedly misused facial recognition technology to identify users in photos outside of its application.
World Privacy Forum executive director Pam Dixon said the ordered destruction of algorithms is “certainly now to be expected whenever applicable or the right decision”. To avoid losing valuable assets, business stakeholders must have a working understanding of privacy principles and know when to seek advice.
Principles of Fair Information Practices
An important set of privacy principles to be aware of is the Fair Information Practices Principles (“FIPPs”), which come from a series of reports created by agencies in the United States, Canada and Europe. The resulting Principles provide widely accepted guidance regarding the use and exchange of data, and they should be considered from the outset by companies that receive, use or share personal information.
- The principle of limitation of collection. Appropriate limits should be placed on the collection of personal information. All data must be obtained by lawful means and collection must not exceed the scope of the consent provided by the data subject.
- The principle of data quality. As far as possible, the data should be complete and accurate. In addition, the data must be useful insofar as they correspond to the purpose for which they were collected.
- The principle of purpose specification. At the time of collection, a data subject must be informed of the purpose for which the personal information is collected. The company must then use the data collected to fulfill only the specified purpose.
- The principle of limitation of use. As a more detailed version of the Purpose Specification Principle, the Use Limitation Principle provides that personal information should not be used for any particular application that exceeds the consent provided by the subject or is unlawful.
- The principle of security guarantees. “Reasonable security measures” must be implemented to protect personal information against loss or unauthorized access, disclosure, destruction or modification.
- The principle of openness. This principle is linked to transparency. After being advised by a privacy advisor or following an investigation, businesses should take an open approach to privacy practices and changes. Data subjects should have easy access to policies outlining how data is used and shared.
- The principle of individual participation. Data subjects are generally entitled to confirm whether a company has data relating to the data subject and to obtain a copy of this data. In addition, a data subject is generally entitled to object to inaccurate data.
- The principle of responsibility. Finally, companies are often held responsible for accurately documenting compliance with FIPPs and applicable laws.