Four Key Takeaways for Digital Health Companies from the FTC’s Recent COPPA Settlement

09 January 2022 Health Care Law Today Blog
Authors: Jennifer J. Hennessy, Aaron T. Maguregui, Paige M. Papandrea

True to its word, the Federal Trade Commission (FTC) has continued to focus on online privacy by targeting digital platforms that collect personal information. Most recently, the FTC has focused its enforcement authority on OpenX Technologies, Inc., a real-time bidding platform for targeted advertising on websites and apps used in many industries, including the digital health industry. OpenX settled with the FTC over allegations that OpenX violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children under thirteen without parental consent.

Like many digital platform companies, including telemedicine and health-tech vendors, OpenX collects personal information from app users and uses that information to target users with advertising. OpenX’s privacy policy claimed to not engage in activities requiring notice or parental consent under COPPA. OpenX also claimed a process existed to flag and block apps that target children as the audience, so as not to allow the collection of data from children under the age of thirteen. However, the FTC alleged that OpenX’s process failed to identify apps that obviously targeted children prior to their inclusion in the OpenX platform, which allowed for the collection of children’s personal information. OpenX’s inclusion of these apps that targeted children under the age of thirteen resulted in children’s personal information being used to target them with ads in violation of both the COPPA Rule and OpenX’s own statements.

“Americans should be able to visit websites and use mobile apps with confidence that their privacy – and their children’s privacy – is being protected. The Department of Justice and Federal Trade Commission are committed to ensuring that the digital advertising industry complies with federal privacy law.” – Acting Assistant Attorney General, Brian M. Boynton, Department of Justice.

This settlement serves as a stern reminder to all companies operating a website or online service that collects or maintains data on children under the age of thirteen. For digital health companies in particular, the settlement should be a reminder that utilizing marketing vendors, such as OpenX, does not always ensure compliance with federal privacy law. Further, the settlement should underscore the importance of digital health companies understanding their platform’s audience as the key to understanding whether the platform targets children. Below are four action items that digital health companies should undertake:

  1. If children under age thirteen can use your online digital health platform(s) or service(s), you need to comply with COPPA. Companies that operate websites or apps “directed to children,” or companies that have actual knowledge that they are collecting or maintaining personal information from a child under age thirteen, must comply with COPPA. COPPA compliance is not limited to digital health companies that solely or primarily provide pediatric care. If a digital health company, such as a telemedicine platform, allows consumers under the age of thirteen to access and use its online platform(s) or service(s), it must comply with COPPA.
  2. Even digital health companies that do not directly interface with children may still have obligations under COPPA. A website or online service is also “directed to children” when it has “actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.” Digital health platforms that allow for third-party mobile application integration or data sharing may be subject to COPPA when the company knows such third-party apps are directed to children. Such third-party apps are not limited to those that primarily target children, but also include those that “target children as one of their audiences.”
  3. Review what information you collect from and about consumers, particularly with respect to children under the age of thirteen. Digital health companies should routinely review what data they collect, where and from whom the data is collected, and whom the data is about. Companies that do not directly collect any data from children under the age of thirteen should review their platform’s third-party integrations and data sharing practices to ensure the company is not obtaining children’s information from these third parties.
  4. Review your online privacy policies to ensure they are accurate and, if applicable, compliant with COPPA. A digital health company’s privacy policy must accurately describe its data collection practices, including whether it engages in activities that require parental notice or consent under COPPA. A failure to accurately describe whether and how children’s information is collected can be a deceptive act or practice in violation of Section 5(a) of the FTC Act and a COPPA violation. If a digital health platform is subject to COPPA, its privacy policy must describe what information it collects from children, how it collects, processes, and uses such information, and its disclosure practices for such information. Importantly, COPPA imposes obligations in addition to the privacy policy, including providing direct parental notice separate from the privacy policy and obtaining verifiable parental consent before personal information is collected from the child.
