On June 16, 2023, the Federal Trade Commission (FTC) announced a proposed settlement agreement (in the form of a stipulated order) with genetic testing company Vitagene, Inc., now known as 1Health.io (1Health.io), for allegedly misrepresenting its security and privacy practices regarding its data storage, deletion, and usage. The FTC also alleged that the company unfairly changed material privacy policy disclosures without obtaining affirmative consumer consent.

This is the FTC’s first case involving genetic data privacy since its May 2023 biometric policy statement. The case follows the FTC’s recent enforcement actions against digital health companies, including the prescription drug price tracking company GoodRx, mental health platform BetterHelp, and fertility tracking app Premom. Collectively, these actions signal the FTC’s continued attention to the privacy and security of health information managed by businesses.

Background and Complaint

1Health.io is a genetic testing company that combines genetic information from consumer saliva samples with health information supplied by consumer questionnaires to provide the consumers with health, wellness, and ancestry reports as part of various product packages.

The FTC complaint against 1Health.io (Complaint) charged 1Health.io with four misrepresentation counts. Specifically, the Complaint alleges that 1Health.io represented that:

• its security practices “exceed industry standard” but stored consumers’ unencrypted health reports and raw genetic information in a publicly accessible cloud repository without implementing access controls or monitoring access;
• it stored consumers’ DNA results without any common identifying information, but did store DNA results with consumers’ names and other common identifying information;
• it would remove all consumer data following consumer data deletion requests, but lacked the capability to do so, as it did not maintain an inventory of consumers’ information in at least some instances; and
• it would destroy consumers’ physical DNA saliva samples shortly after analysis, but allegedly failed to contractually require its genotyping laboratory partner to destroy samples.

The Complaint also charged 1Health.io with one unfairness count. 1Health.io collected consumer’s personal information under a prior privacy policy that said it would share consumer information with third parties only under limited circumstances for narrow purposes. However, the Complaint alleged that 1Health.io unfairly expanded the privacy policy’s scope of third parties with whom they could share the data they collected previously under the old privacy policy. For example, while the prior privacy policy stated that 1Health.io only shared sensitive personal information in limited circumstances, such as under a patient’s direction, the new privacy policy expanded the scope of sharing and the purposes for doing so, including sharing with supermarket chains, nutrition and supplement manufacturers, and other retailers so that they can promote and offer their own products and services. The FTC alleged that 1Health.io failed to take steps to notify or obtain consumer consent prior to adopting these material changes to the privacy policy, which the amounted to an unfair practice because “unauthorized access to a consumer's sensitive health and genetic information can lead to a variety of harms, including discrimination or economic or reputational injury.”

Notably, the FTC alleged 1Health.io’s privacy policy change was unfair notwithstanding the fact that 1Health.io had not actually shared consumers’ previously-collected information with the new categories of third parties set forth in the privacy policy—the mere fact that 1Health.io could engage in that sharing at any time without further notice to consumers was allegedly unfair. Also of note: the FTC’s complaint did not articulate the manner in which 1Health.io’s privacy policy change actually “caused or was likely to cause” substantial injury to consumers; rather, it just posited some types of injuries that could theoretically occur when sensitive personal information is disclosed to a third party. This demonstrates that the FTC is willing to continue to push the bounds of its unfairness authority, notwithstanding the fact that courts have expressed skepticism about whether the FTC has adequately articulated theories of consumer harm in past privacy- and security-related complaints.^1,2

The Proposed Order

Under the proposed order, 1Health.io would, among other things, be required to:

• pay $75,000 in monetary relief;
• obtain affirmative express consent from consumers before disclosing any health information to third parties (with limited exceptions set forth in the proposed order);
• require contract laboratories to destroy all consumer DNA samples stored for more than six months;
• implement a comprehensive information security program to protect the security, confidentiality, and integrity of consumers’ personal information; and
• obtain initial and biennial information security assessments by a third party.

The proposed order also includes a novel requirement that 1Health.io immediately notify the FTC about any unauthorized access or acquisition of consumers’ personal health information. Notably, this provision mirrors requirements from the FTC's Health Breach Notification Rule, notwithstanding the fact that the complaint did not allege a Health Breach Notification Rule violation.

Key Takeaways

Businesses that collect consumer health information, including genetic information, should consider taking the following actions:

• review data inventory, access control, encryption, and monitoring practices to protect sensitive consumer health information. Notably, this is at least the third time in the past year that the FTC has cited in its complaint a company’s failure to implement proper access controls to its Amazon Web Services (AWS) storage bucket;
• incorporate data minimization practices by collecting only strictly necessary information and automatically destroying physical biological samples after requisite analysis; and
• notify consumers and obtain affirmative consent prior to implementing material changes to privacy policies. Material changes include sharing consumers’ health information with a third party for marketing or advertising purposes.

[1] FTC v. Kochava, Inc., No. 2:22-cv-00377 (D. Idaho. May 4, 2023) (dismissing the FTC's complaint because the FTC failed to demonstrate “significant risk” of concrete harm to prove unfairness under Section 5 of the FTC Act). 

[2] In the Matter of LabMD, Inc., FTC Docket No. 9357 (Nov. 13, 2015), aff'd, LabMD v. FTC, 891 F.3d 1286 (11th Cir. 2018) (clarifying that the mere possibility of consumer harm is insufficient to prove unfairness under Section 5 of the FTC Act).