FTC and COPPA Settlement Takeaways for Digital Health

Written by publishing team

The FTC has continued to focus on online privacy by targeting digital platforms that collect personal information. Most recently, the FTC focused its enforcement authority on OpenX Technologies, Inc., a platform for real-time bidding for targeted advertisements on websites and applications used in many industries, including the digital health industry. OpenX has settled with the FTC over allegations that OpenX violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children under 13 without parental consent.

Like many digital platform companies, including telemedicine and health technology vendors, OpenX collects personal information from application users and uses this information to target users with advertising. The OpenX Privacy Policy claimed that OpenX did not engage in activities that would require parental notice or consent under COPPA. OpenX also claimed to have a process to report and block apps targeting children, in order not to allow data collection from children under 13. However, the Federal Trade Commission (FTC) alleged that the OpenX process failed to identify applications that were clearly targeting children before listing them on the OpenX platform, allowing the collection of children’s personal information. By including these applications targeting children under 13, OpenX used children’s personal information to target them with ads, in violation of both the COPPA rules and OpenX’s own privacy policy.

“Americans should be able to visit websites and use mobile apps with confidence that their privacy — and that of their children — are protected. The Department of Justice and the Federal Trade Commission are committed to ensuring that the digital advertising industry complies with federal privacy law.” Acting Assistant Attorney General Brian M. Boynton, Department of Justice.

This settlement serves as a stern reminder to all companies that operate a website or online service that collects or maintains data on children under the age of thirteen. For digital health companies in particular, the settlement should serve as a reminder that using marketing vendors, such as OpenX, does not always guarantee compliance with federal privacy law. Furthermore, the settlement should stress the importance of digital health companies understanding the audience of their platform as the key to understanding whether the platform is targeting children. Here are four action items that digital health companies must do:

  1. If children under the age of thirteen can use your digital health system(s) or service(s) on the Internet, you need to comply with the Children’s Online Privacy Protection Act (COPPA). Companies that operate “kid-oriented” websites or applications, or companies that have actual knowledge that they collect or retain personal information from a child under the age of 13, must comply with the Children’s Online Privacy Protection Act (COPPA). COPPA compliance is not limited to digital health companies that provide individual or primary childcare. If a digital health company, such as a telemedicine platform, allows consumers under the age of thirteen to access and use an online platform(s) or service(s), it must comply with the Children’s Online Privacy Protection Act (COPPA).

  2. Even digital health companies that do not deal directly with children may still have obligations under the Children’s Online Privacy Protection Act (COPPA). A website or online service is also directed to children when it has “actual knowledge that it is collecting personal information directly from users of another website or online service directed to children.” Digital health platforms that allow third-party mobile application integration or data sharing may be subject to COPPA when the Company learns that such third-party applications are intended for children. These third-party apps are not limited to those that primarily target children, but also include those that “target children” as one of their audiences.

  3. Review the information you collect from and about consumers, particularly in relation to children under the age of thirteen. Digital health companies should routinely review the data they collect, where and from whom the data is being collected, and who the data is being used for. Companies that do not collect any data directly from children under the age of thirteen should review their third-party integrations and data-sharing practices to ensure that the Company does not obtain children’s information from such third parties.

  4. If applicable, review your online privacy policies to make sure they are accurate and compliant with the Children’s Online Privacy Protection Act (COPPA). A digital health company’s privacy policy must accurately describe its data collection practices, including whether it engages in activities that require parental notice or consent under COPPA. Failure to describe whether and how children’s information is being collected could be a deceptive act or practice in violation of Section 5(a) of the FTC Act and a violation of COPPA. If a digital health platform is subject to COPPA, its privacy policy must describe what information it collects from children, how it collects, processes and uses that information, and its practices for disclosing that information. Most importantly, COPPA imposes obligations in addition to the privacy policy, including providing direct parental notice separate from the privacy policy and obtaining verifiable parental consent before collecting personal information from a child.

© 2022 Foley & Lardner LLP
National Law Review, Volume XII, No. 10
