Four Key Takeaways for Digital Health Companies from the FTC’s Recent COPPA Settlement
True to its word, the Federal Trade Commission (FTC) has continued to focus on online privacy by targeting digital platforms that collect personal information. Most recently, the FTC has focused its enforcement authority on OpenX Technologies, Inc., a real-time bidding platform for targeted advertising on websites and apps used in many industries, including the digital health industry. OpenX settled with the FTC over allegations that OpenX violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children under thirteen without parental consent.
“Americans should be able to visit websites and use mobile apps with confidence that their privacy – and their children’s privacy – is being protected. The Department of Justice and Federal Trade Commission are committed to ensuring that the digital advertising industry complies with federal privacy law.” – Acting Assistant Attorney General, Brian M. Boynton, Department of Justice.
This settlement serves as a stern reminder to all companies operating a website or online service that collect or maintain data on children under the age of thirteen. For digital health companies in particular, the settlement should be a reminder that utilizing marketing vendors, such as OpenX, does not always ensure compliance with federal privacy law. Further, the settlement should underscore the importance of digital health companies understanding their platform’s audience as the key to understanding whether the platform targets children. Below are four action items that digital health companies should undertake:
If children under age thirteen can use your online digital health platform(s) or service(s), you need to comply with COPPA. Companies that operate websites or apps “directed to children,” or companies that have actual knowledge that they are collecting or maintaining personal information from a child under age thirteen, must comply with COPPA. COPPA compliance is not limited to digital health companies that solely or primarily provide pediatric care. If a digital health company, such as a telemedicine platform, allows consumers under the age of thirteen to access and use its online platform(s) or service(s), it must comply with COPPA.
Even digital health companies that do not directly interface with children may still have obligations under COPPA. A website or online service is also “directed to children” when it has “actual knowledge that it is collecting personal information directly from users of another Web site or online service directed to children.” Digital health platforms that allow for third-party mobile application integration or data sharing may be subject to COPPA when the company knows such third-party apps are directed to children. Such third-party apps are not limited to those that primarily target children, but also include those that “target children as one of their audiences.”
Review what information you collect from and about consumers, particularly with respect to children under the age of thirteen. Digital health companies should routinely review what data they collect, where and from whom the data is collected, and whom the data is about. Companies that do not directly collect any data from children under the age of thirteen should review their platform’s third-party integrations and data sharing practices to ensure the company is not obtaining children’s information from these third parties.