True to its word, the Federal Trade Commission (FTC) has continued to focus on online privacy by targeting digital platforms that collect personal information. Most recently, the FTC has focused its enforcement authority on OpenX Technologies, Inc., a real-time bidding platform for targeted advertising on websites and apps used in many industries, including the digital health industry. OpenX settled with the FTC over allegations that OpenX violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children under thirteen without parental consent.

Like many digital platform companies, including telemedicine and health-tech vendors, OpenX collects personal information from app users and uses that information to target users with advertising. OpenX’s privacy policy claimed to not engage in activities requiring notice or parental consent under COPPA. OpenX also claimed a process existed to flag and block apps that target children as the audience, so as not to allow the collection of data from children under the age of thirteen. However, the FTC alleged that OpenX’s process failed to identify apps that obviously targeted children prior to their inclusion in the OpenX platform, which allowed for the collection of children’s personal information. OpenX’s inclusion of these apps that targeted children under the age of thirteen resulted in children’s personal information being used to target them with ads in violation of both the COPPA Rule and OpenX’s own statements.

“Americans should be able to visit websites and use mobile apps with confidence that their privacy- and their children’s privacy- is being protected. The Department of Justice and Federal Trade Commission are committed to ensuring that the digital advertising industry complies with federal privacy law.” – Acting Assistant Attorney General, Brian M. Boynton, Department of Justice.

This settlement serves as a stern reminder to all companies operating a website or online service that collect or maintain data on children under the age of thirteen. For digital health companies in particular, the settlement should be a reminder that utilizing marketing vendors, such as OpenX, does not always ensure compliance with federal privacy law. Further, the settlement should underscore the importance of digital health companies understanding their platform’s audience as the key to understanding whether the platform targets children. Below are four action-items that digital health companies should undertake:

1. If children under age thirteen can use your online digital health platform(s) or service(s), you need to comply with COPPA. Companies that operate websites or apps “directed to children,” or companies that have actual knowledge that they are collecting or maintaining personal information from a child under age thirteen, must comply with COPPA. COPPA compliance is not limited to digital health companies that solely or primarily provide pediatric care. If a digital health company, such as a telemedicine platform, allows consumers under the age of thirteen to access and use its online platform(s) or service(s), it must comply with COPPA.

2. Even digital health companies that do not directly interface with children may still have obligations under COPPA. A website or online service is also “directed to children” when it has “actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.” Digital health platforms that allow for third-party mobile application integration or data sharing may be subject to COPPA when the company knows such third-party apps are directed to children. Such third-party apps are not limited to those that primarily target children, but also include those that “target children as one of their audiences.”

3. Review what information you collect from and about consumers, particularly with respect to children under the age of thirteen. Digital health companies should routinely review what data they collect, where and from whom the data is collected, and whom the data is about. Companies that do not directly collect any data from children under the age of thirteen should review their platform’s third-party integrations and data sharing practices to ensure the company is not obtaining children’s information from these third parties.

4. Review your online privacy policies to ensure they are accurate and, if applicable, compliant with COPPA. A digital health company’s privacy policy must accurately describe its data collection practices, including whether it engages in activities that require parental notice or consent under COPPA. A failure to accurately describe whether and how children’s information is collected can be a deceptive act or practice in violation of Section 5(a) of the FTC Act and a COPPA violation. If a digital health platform is subject to COPPA, its privacy policy must describe what information it collects from children, how it collects, processes, and uses such information, and its disclosure practices for such information. Importantly, COPPA imposes obligations in addition to the privacy policy, including providing direct parental notice separate from the privacy policy and obtaining verifiable parental consent before personal information is collected from the child.