The FTC alleged that Vitagene failed to protect the privacy and security of genetic information in accordance with promises made and unfairly changed material privacy terms without consumers’ consent. This order could have implications for all health and life sciences organizations, including genetic testing companies, and how they address privacy and security representations made to consumers and modify privacy policy statements in connection with new and expanding business practices.

FTC Allegations

The FTC alleged that Vitagene engaged in both deceptive and unfair trade practices in violation of the FTC Act. 

Deception

Vitagene allegedly made false and misleading statements regarding its privacy and security practices for the health and genetic information it collects and maintains. Specifically, the FTC alleges, among other things, Vitagene falsely represented that:

• It has “rock solid security” and uses the latest technology and exceeds industry-standard security practices to protect user privacy. The FTC asserts that, despite these claims, Vitagene did not use built-in measures to secure consumers’ information and instead stored it in a way that made it possible for anyone with Internet access to see detailed information of nearly 2,400 Vitagene consumers. Vitagene even received three separate warnings over a two-year period that it was storing consumers’ health and genetic information in a publicly accessible way. Despite these warnings, Vitagene did not take any action to investigate or restrict access to its systems until a researcher notified the news media. The FTC also alleges that the company did not encrypt genetic data, restrict access to it, monitor access, or inventory the data to help ensure its security. 
• It stores DNA samples without names or any other common identifying information. Despite this claim, Vitagene allegedly stored DNA results with names and other common identifying information.
• Users are in control of their data; they can delete their data at any time; and that deletion will remove user information from all of Vitagene’s servers. The complaint alleges that because Vitagene did not have an inventory of consumers' information, including what was exposed publicly, in at least some instances, Vitagene could not delete all information for consumers who requested deletion of their data. 
• It destroys users’ physical DNA saliva samples after they are analyzed. The FTC alleges that Vitagene did not have measures in place to ensure that consumers’ saliva samples were destroyed after they had been analyzed. In particular, Vitagene failed to have an agreement with its genotyping laboratory partner requiring the destruction of samples.

Unfairness

The FTC alleges that Vitagene engaged in unfair trade practices by failing to give notice to consumers and obtaining their consent prior to making material retroactive changes to its privacy practices. Specifically, Vitagene’s privacy policy prior to April 2020 stated that it would share consumers’ information with third parties only in limited circumstances, such as with health care providers, as necessary to help Vitagene provide services to the consumer or with the consumer’s consent. In April and December 2020, Vitagene posted revised privacy policies that significantly expanded the third parties with whom Vitagene may share consumers’ information including pharmacies, supermarket chains, and nutrition and supplement manufacturers for those third parties’ marketing purposes. Vitagene did not notify consumers who had provided information under the prior privacy policy of the change and did not seek consumers’ consent of the broader sharing of their information. The FTC concluded this was an unfair practice as retroactive application of Vitagene’s revised privacy policies caused or is likely to cause substantial injury to consumers (such as discrimination, economic or reputational injury) that is not outweighed by benefits to consumers or competition.  

Next Steps

As with the other recent FTC enforcement actions, the FTC’s focus on health companies and sensitive data continues. These actions emphasize the need for health and wellness companies, including genetic testing companies, to carefully evaluate their website privacy policies, representations, and promises to ensure they are accurate and are being followed. Just as important is security. Health information requires security controls commensurate with the sensitivity of the data.