On June 16, the Federal Trade Commission (FTC) announced an enforcement action against 1Health.io Inc. (“1Health,” also known as Vitagene, Inc.), a genetic testing company that analyzes consumer-provided DNA samples and uses the results of that analysis to generate personalized reports and other tailored products. This is the latest in a series of enforcement actions that the FTC has brought in 2023 against companies for processing sensitive data in violation of Section 5 of the FTC Act (though the first that specifically focuses on both privacy and security practices related to genetic data).
This case highlights two things: the FTC is continuing to expand its enforcement authority by labeling more practices that it views unfavorably as “unfair,” and the agency is focusing specifically on the retroactive changing of privacy policies. As companies continue to routinely revise their privacy policies in order to comply with new state privacy law obligations, they should be aware that the FTC is paying attention to what they say.
In this post, we summarize the key allegations made in the FTC’s complaint against 1Health, identify notable elements of the proposed consent order, and highlight key takeaways for companies looking to determine what this enforcement action means for their data privacy and security programs.
1Health.io is a genetic testing company that sells “DNA Health Test Kits” to consumers. 1Health uses these kits to collect saliva samples from consumers, which the company then sends to a third-party testing lab for analysis. 1Health combines this analysis with other consumer-provided information (such as responses to health and lifestyle questionnaires) to generate health and ancestry reports for consumers. The company also offers a range of other products (e.g., nutritional supplements, fitness and beauty plans) tailored to a consumer’s genetic makeup.
The overarching narrative of the FTC’s complaint against 1Health is that the company misled consumers about how it was handling and protecting their sensitive personal information, and that these practices amounted to unfair or deceptive acts or practices under Section 5 of the FTC Act.
The complaint’s specific allegations include the following:
- Deceptive Claims About Handling of Sensitive Personal Information: The complaint asserts that 1Health made numerous deceptive claims about how it handled consumers’ sensitive health and genetic information. These included claims that 1Health would keep customers’ DNA information separate from other identifying information; that 1Health would delete consumer information upon request; and that 1Health would destroy the physical DNA samples that it collected from consumers after they had been analyzed.
- Public Exposure of Health and Genetic Information: The complaint alleges that 1Health publicly exposed the health and genetic information of more than 2,600 consumers by storing that information in publicly accessible containers on a cloud storage service and failing to shield these containers with appropriate protections (such as access controls or encryption).
The Proposed Consent Order
The proposed consent order imposes the following key requirements on 1Health:
- No Misrepresentations About Protection of Customer Personal Information: 1Health is prohibited from making any misrepresentations about its protection of customers’ personal information, such as the extent to which its security practices meet industry or government standards; its data deletion practices; and the degree to which it separates health information from other types of personal information.
- Affirmative Express Consent for Disclosure of Health Information: 1Health is required to obtain a consumer’s affirmative express consent before disclosing that consumer’s health information to any third party.
- Facilitate Destruction of Saliva Samples: 1Health must instruct all laboratories that collected 1Health customers’ DNA saliva samples to destroy any samples that the laboratory has retained for more than 180 days after 1Health accepted that laboratory’s analysis of a given sample.
- Information Security Program: 1Health must establish a comprehensive information security program, including such elements as periodic risk assessments, implementation of safeguards (including data access controls and encryption), monitoring and testing of safeguard effectiveness, and screening of service providers. Additionally, 1Health must obtain assessments from an independent, third-party assessor regarding its compliance with the information security program.
- Incident Reporting: 1Health must submit incident reports to the FTC for any incident that requires notification to another government entity or entails the exposure of consumer health information.
- Monetary Judgment: 1Health must pay the FTC $75,000, which the Commission has stated it intends to use for consumer refunds.
Key Takeaways
- Compliance With Data Deletion Requests: The 1Health complaint is yet another example of the FTC taking a company to task for failing to adhere to consumers’ data deletion requests, something that we have seen in at least one other recent FTC enforcement action. Here, the FTC noted that 1Health was unable to fully comply with consumer data deletion requests because it lacked a full inventory of the consumer information that it collected. Companies that collect consumer personal information should thus ensure that they (1) have a full accounting and inventory of the personal information that they collect; and (2) fully comply with consumers’ requests to delete that information (including by flowing down data deletion requests to relevant third parties).
- Using Third-Party Contract Requirements to Fulfill Data Protection Commitments: One of the complaint’s allegations centered on 1Health’s failure to ensure the destruction of consumers’ physical DNA saliva samples after they had been analyzed. 1Health itself did not conduct this analysis; rather, such analysis was outsourced to a third-party laboratory partner. However, that made little difference to the FTC, which indicated that 1Health should have had a contract provision in place to ensure the destruction of these samples consistent with the company’s public-facing representations. This complaint thus emphasizes that companies should use contract requirements, where appropriate, to ensure that they are adhering to data protection promises made to consumers.