For the first time, the Federal Trade Commission has brought an enforcement action focused on both the privacy and security of consumers' genetic data. The FTC has alleged that genetic testing company 1Health.io Inc., operating as Vitagene, engaged in unfair or deceptive acts or practices in violation of Section 5 of the FTC Act by failing to protect sensitive genetic and other health data, misleading consumers about its privacy and security practices, and retroactively altering its privacy policy (its online notice), all without obtaining the consent of existing consumers. Now, as part of a proposed settlement, Vitagene will be required to pay $75,000, strengthen its measures for protecting personal data, and cease sharing identifiable health information with third parties without obtaining affirmative express consent from the consumer. With this enforcement action, the FTC is following up on its 2019 warning to sellers of genetic testing kits to ensure their transparency practices align with FTC guidance.
Based in San Francisco, Vitagene uses saliva-based DNA health test kits, online questionnaires, and raw DNA material consumers have obtained from other companies to generate personalized health, wellness, and ancestry reports. These reports contain "numerous facts about [consumers'] genetics and health," including identifying personal details such as an individual's full name.
The FTC alleges that "[s]ince at least 2018," Vitagene made "prominent" representations that misled consumers about the company's privacy and security practices, such as asserting that the company (i) maintained "[r]rock-solid [s]ecurity," (ii) routinely separated DNA from other identifying consumer information, (iii) deleted all consumer-identifiable data upon consumer request, and (iv) destroyed DNA saliva samples following analysis.
In fact, according to the FTC, the company "publicly exposed online the health and genetic information of more than 2,600 consumers" through its cloud service provider. The Complaint alleges that, between 2017 and 2019, Vitagene received three warnings from its cloud service provider regarding the exposure, but only got around to investigating and notifying impacted consumers after getting a third warning.
Citing the public exposure of data and the combination of DNA and identifiable information found in Vitagene's health reports, the Commission concluded that Vitagene's promise to separate DNA data from other identifying information was "false or misleading." The Complaint also alleges that, since from around 2016 to July 2019,Vitagene failed to keep an inventory of consumer information, which meant that "in at least some instances, [the company] could not delete all consumer information for consumers who requested [such] deletion."
Finally, the FTC alleges that, despite Vitagene claiming to destroy DNA samples, the company had no way to ensure that the destruction actually occurred. Specifically, Vitagene, which uses third-party genotyping laboratories to analyze consumers' saliva samples and map portions of their genetic code, did not actually have a contract provision with its testing lab partner requiring the lab to destroy the samples.
Apart from the allegations in its security and privacy misrepresentation counts, the FTC Complaint also alleged that Vitagene deceived consumers by changing its privacy practices without proper notice. From 2017 to 2020, Vitagene's privacy notice reportedly indicated that it would only disclose consumers' sensitive information and personal details "in limited circumstances" and "for narrow purposes" such as when sharing information with medical professionals at the costumer's request. However, in 2020, Vitagene allegedly changed its privacy notice to "significantly expand the types of third parties with whom, and the purposes for which, [it could] share consumers' personal information" and proceeded to engage in such broader sharing without seeking consent from the consumers whose data it already had collected. The FTC alleges that, contrary to Vitagene's previous privacy notice, it now "shares personal information with third parties such as pharmacies, supermarket chains, [and] nutrition and supplement manufacturers . . . so they can promote and offer their [own] products and services."
Under the Consent Order, Vitagene will pay a $75,000 fine intended to be distributed to affected consumers and will be prohibited from disclosing health information to third parties without first obtaining consumers' affirmative express consent. Among other requirements, the Order also directs Vitagene to establish, implement, and maintain a comprehensive information security program and notify the FTC about any future unauthorized disclosures of consumers' personal health data.
To ensure that consumer saliva samples are actually destroyed, Vitagene also will have to (i) instruct its partner labs to destroy any sample the lab has retained for more than 180 days after the company accepted the results of the sample's analysis, and (ii) provide the FTC with a written, sworn, and supported statement indicating that it has given such instructions. Representing a new approach, the Order also includes a provision requiring sworn and detailed compliance reports regarding the destruction of the samples. In the first report, such statements should specifically mention whether the lab had, in fact, destroyed the saliva samples and, if not, why. Then, in the second report, Vitagene will have to similarly "describe in detail whether and how [it] is in compliance with each [of the Order's provisions]" and discuss "all of the material changes [it] made to comply with the Order." As the first example of FTC-required measures intended to protect consumers' DNA information, these provisions are noteworthy not only for their novelty but also for the substantial effort they require.
Coming on the heels of similar actions against GoodRx, BetterHelp, and Premom, the enforcement action against Vitagene marks another FTC action aimed at addressing the privacy and security practices of companies processing consumers' health information. The Vitagene case in particular underscores that when companies broaden their described data-sharing practices or make any other material changes to their privacy notices, they may not share consumers' previously-collected personal information in accordance with the new privacy notice terms without first obtaining these consumers' affirmative express consent. In other words, if a company materially changes its privacy notices and then shares under these new terms previously collected consumer-information without first securing the affirmative express consent of the relevant existing consumers, it risks an FTC Complaint.
This is not a new lesson from the FTC. Instead, it is one that the Commission has effectively taught the industry through previous enforcement actions ranging beyond the health data context. It's therefore clear that the Commission won't hesitate to underscore its objectives by imposing penalties.
The authors of this blog post and their colleagues in the Arnold & Porter Privacy, Cybersecurity & Data Strategy practice groupare available to provide counsel on the FTC's actions in this area, enforcement brought by the FTC and other regulators, and more broadly on privacy and security compliance.
*Tamuz Avivi contributed to this Advisory. Tamuz is a graduate of the Columbia University School of Law and is employed at Arnold & Porter's New York office as an Associate.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
