January 31, 2023

Volume XIII, Number 31


January 30, 2023

Subscribe to Latest Legal News and Analysis

Four Key Takeaways for Digital Health Companies from the FTC’s Recent COPPA Settlement

True to its word, the Federal Trade Commission (FTC) has continued to focus on online privacy by targeting digital platforms that collect personal information. Most recently, the FTC has focused its enforcement authority on OpenX Technologies, Inc., a real-time bidding platform for targeted advertising on websites and apps used in many industries, including the digital health industry. OpenX settled with the FTC over allegations that OpenX violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children under thirteen without parental consent.

Like many digital platform companies, including telemedicine and health-tech vendors, OpenX collects personal information from app users and uses that information to target users with advertising. OpenX’s privacy policy claimed to not engage in activities requiring notice or parental consent under COPPA. OpenX also claimed a process existed to flag and block apps that target children as the audience, so as not to allow the collection of data from children under the age of thirteen. However, the FTC alleged that OpenX’s process failed to identify apps that obviously targeted children prior to their inclusion in the OpenX platform, which allowed for the collection of children’s personal information. OpenX’s inclusion of these apps that targeted children under the age of thirteen resulted in children’s personal information being used to target them with ads in violation of both the COPPA Rule and OpenX’s own statements.

“Americans should be able to visit websites and use mobile apps with confidence that their privacy- and their children’s privacy- is being protected. The Department of Justice and Federal Trade Commission are committed to ensuring that the digital advertising industry complies with federal privacy law.” – Acting Assistant Attorney General, Brian M. Boynton, Department of Justice.

This settlement serves as a stern reminder to all companies operating a website or online service that collect or maintain data on children under the age of thirteen. For digital health companies in particular, the settlement should be a reminder that utilizing marketing vendors, such as OpenX, does not always ensure compliance with federal privacy law. Further, the settlement should underscore the importance of digital health companies understanding their platform’s audience as the key to understanding whether the platform targets children. Below are four action-items that digital health companies should undertake:

  1. If children under age thirteen can use your online digital health platform(s) or service(s), you need to comply with COPPA. Companies that operate websites or apps “directed to children,” or companies that have actual knowledge that they are collecting or maintaining personal information from a child under age thirteen, must comply with COPPA. COPPA compliance is not limited to digital health companies that solely or primarily provide pediatric care. If a digital health company, such as a telemedicine platform, allows consumers under the age of thirteen to access and use its online platform(s) or service(s), it must comply with COPPA.

  2. Even digital health companies that do not directly interface with children may still have obligations under COPPA. A website or online service is also “directed to children” when it has “actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.” Digital health platforms that allow for third-party mobile application integration or data sharing may be subject to COPPA when the company knows such third-party apps are directed to children. Such third-party apps are not limited to those that primarily target children, but also include those that “target children as one of their audiences.”

  3. Review what information you collect from and about consumers, particularly with respect to children under the age of thirteen. Digital health companies should routinely review what data they collect, where and from whom the data is collected, and whom the data is about. Companies that do not directly collect any data from children under the age of thirteen should review their platform’s third-party integrations and data sharing practices to ensure the company is not obtaining children’s information from these third parties.

  4. Review your online privacy policies to ensure they are accurate and, if applicable, compliant with COPPA. A digital health company’s privacy policy must accurately describe its data collection practices, including whether it engages in activities that require parental notice or consent under COPPA. A failure to accurately describe whether and how children’s information is collected can be a deceptive act or practice in violation of Section 5(a) of the FTC Act and a COPPA violation. If a digital health platform is subject to COPPA, its privacy policy must describe what information it collects from children, how it collects, processes, and uses such information, and its disclosure practices for such information. Importantly, COPPA imposes obligations in addition to the privacy policy, including providing direct parental notice separate from the privacy policy and obtaining verifiable parental consent before personal information is collected from the child.


© 2023 Foley & Lardner LLPNational Law Review, Volume XII, Number 10

About this Author

Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

Aaron T. Maguregui Health Care Attorney Foley & Lardner Tampa, FL
Special Counsel

Aaron Maguregui is a health care lawyer and member of the firm’s Privacy, Security & Information Management Practice, and national Telemedicine & Digital Health Industry Team. He advises innovative health care and technology companies to solve complex compliance, cybersecurity, data governance, data privacy, and risk management matters. Working with leading health care insurers, government-sponsored managed care organizations, health care providers, and technology companies, he delivers pragmatic legal advice and action-oriented solutions guidance to help clients reach their goals...

Paige Papandrea Tech Attorney with Foley & Lardner Law

Paige Papandrea is an associate in Foley & Lardner LLP’s Technology Transactions & Outsourcing and Cybersecurity Practices. She also is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in United States privacy law (CIPP/US).

Paige began her career with Foley as a summer associate in 2018 and returned as a summer associate in 2019. While in law school, Paige was a research assistant to Professor William McGeveran and aided in his work for the Uniform Law Commission...