The DNA of privacy: FTC guide to keeping sensitive data private

Hogan Lovells
The Federal Trade Commission (“FTC”) highlights lessons learned on privacy, data security, truth in advertising, and artificial intelligence (“AI”) in new guidance drawing from recent enforcement actions involving genetic data. While this demonstrates the FTC’s continued focus on protecting sensitive health data, the takeaways likely have a broader impact.


The FTC has again emphasized the importance of protecting genetic data and consumer privacy in the context of genetic testing and biometric surveillance technology with new guidance posted on January 5, 2024. Highlighting a set of enforcement actions (CRI Genetics, 1Health/Vitagene, and Genelink), and referencing additional orders involving sensitive data (Ring and Amazon/Alexa), the FTC outlines practices it views as being part of “the DNA of privacy.” The guidance serves as a clear caution to companies that the FTC expects them to prioritize consumer privacy, data security, and ethical business practices with respect to sensitive data.


Core Areas of FTC Attention

The FTC guidance includes the following key takeaways:

  • Protecting biometric information is a top FTC priority. The FTC calls on companies to protect genetic data in particular, highlighting concerns that this information reveals sensitive information not only about the individual’s health, characteristics, and ancestry but also about their family members’. The agency also notes that, unlike other types of data, genetic information cannot necessarily be stripped of identifying characteristics. The high sensitivity of the data increases the risk of harm, especially in an era of increasing biometric surveillance.

  • Secure data and customer accounts. The FTC expects companies that collect or store genetic data to have security that is commensurate with the sensitivity of that data. The 1Health/Vitagene and Genelink enforcement actions highlight the need for companies offering genetic-based products to have robust data security practices in place. For example, this should include awareness of where their data is maintained, adequate encryption of the data, access controls, asset management systems, oversight, remediation programs, risk assessments, and contractual terms imposing these safeguards on all vendors and third parties who may have access to sensitive data. The FTC also notes the importance of securing customer accounts, since they can act as targets for hackers seeking access to sensitive data.

  • Avoid overselling. The FTC warns companies to be careful not to exaggerate claims, especially about accuracy. As the FTC notes, exaggerated claims can turn from puffery to deception quickly. Claims of accuracy, prediction, and health benefits should be measured, reasonable, and backed by scientific evidence.

  • Caution when using AI. Companies may recall recent examples of FTC enforcement against misuse of AI and the resulting consumer harm. The FTC has been outspoken about its concern that AI may result in substantial consumer harms such as bias, privacy invasions, or questionable accuracy. Companies need to be careful not to make unsupported or hyperbolic claims that could lead to deception and consumer harm.

  • Avoid dark patterns. The FTC emphasizes its efforts to combat deceptive or unfair dark patterns, particularly regarding obtaining consent for the use and disclosure of genetic data. Companies are advised to obtain affirmative express consent without using manipulative designs such as confusing pop-ups and directions, bogus “rewards,” and claimed urgency.

  • Consent for changes and truthful promises. The FTC reminds companies that changes to privacy terms should receive genuine consent from consumers. A bait-and-switch approach to collecting personal information (especially genetic data) runs afoul of FTC requirements. Companies should make truthful privacy promises, deliver on their commitments, and get affirmative express consent from consumers for any material retroactive changes to these types of terms in their privacy policies or data practices. Consumers should not be surprised to learn of a company’s data practices around their sensitive genetic data. Failure to do so could lead to consumer trust issues and legal action.


Consequences of Noncompliance

The FTC is urging companies to prioritize the privacy and security of genetic data, avoid deceptive practices, and fulfill commitments to consumers to avoid legal consequences. Failure to heed these warnings can result in:

  • Substantial financial settlements—either as civil penalties or consumer redress;
  • Deletion or destruction of data or products; and
  • Corrective action plans that include provisions such as:
    • Prohibitions on misrepresentation,
    • Required notice to consumers about the action,
    • Mandates to obtain affirmative express consent for future uses or disclosures of data, or
    • Mandated security programs with independent assessments.

Broader Trends

This guidance follows trends not only in the FTC’s focus on sensitive data and AI, but also on broader attention being paid specifically to genetic data. For example, the National Institute of Standards and Technology (“NIST”) published its final guidance on securing genomic data last month. NIST’s report summarized the current practices, challenges, and proposed solutions for securing genomic data as identified by genomic data stakeholders from industry, government, and academia. This effort was informed by direction from Congress and the White House.

As the collection, use, and disclosure of sensitive data continues to proliferate, so too will the number of stakeholders involved and attention paid to companies involved in these activities. Companies will need to stay abreast of these developments and continuously confirm their operations are in line with the latest policies, guidance, and technical controls.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
