In the FTC’s first case focused on the privacy and security of genetic information, the FTC alleges that San Francisco-based Vitagene, Inc. – now known as 1Health.io – failed to live up to its promises and unfairly changed material privacy terms without customers’ consent.
After consumers paid between $29 and $259, sent a saliva sample to Vitagene, and answered an online questionnaire about their health history, family history, and lifestyle, the company provided them with a personalized “Health Report.” The Health Report included the customer’s full name and an assessment of their risks for developing a host of health problems.
The company’s website used images of locks, keys, and secure clouds, and also contained the following privacy and data security-related statements:
- “We use industry standard security practices to store your DNA sample, your test results, and any other personal data you provide.”
- “Rock-solid Security. We use the latest technology and exceed industry-standard security practices to protect your privacy.”
- “Vitagene collects, processes, and stores your personal information in a responsible, transparent and secure environment that fosters our customers’ trust and confidence.”
- “You’re in control of your data. You can delete your data at any time. This will remove your information from all of our servers.”
- “Three of the ways we protect your privacy:
1. Your results and DNA sample are stored without your name or any other common identifying information.
2. Vitagene destroys your physical DNA saliva sample after it has been analyzed.
3. We don’t share your information with any third party without your explicit consent.”
The FTC’s complaint alleged that Vitagene stored confidential information, including consumers’ health reports and DNA data, with a well-known cloud service provider. Rather than using the provider’s built-in measures to secure the information, Vitagene allegedly kept it in “buckets” configured so that anyone with internet access could see the detailed reports of Vitagene customers. The FTC also alleged that the raw genetic data of at least 227 other customers was not secure. Although Vitagene promised to “exceed industry-standard security practices,” the FTC says the company did not encrypt that data, restrict access to it, monitor access to it, or inventory it to help ensure its security. The complaint also alleged that Vitagene did not take steps to ensure that a lab that analyzed many of the DNA samples had a policy in place to destroy them.
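The four gaps the complaint lists (anonymous read access, no encryption, no access monitoring, no inventory) are all visible in a bucket’s configuration and can be checked mechanically. The script below is an added example, not code from the FTC or from 1health.io; it audits bucket configuration snapshots for exactly those gaps. It assumes AWS S3-style buckets (the page does not name the provider), so the snapshot dicts are constructed here in the shape of S3 API responses, and the “inventoried” test uses an assumed tagging convention (`DataClassification` and `Owner` tags) rather than anything the page describes.

```python
# Added example: audit bucket configuration snapshots for the failure modes the
# FTC complaint describes. Snapshot dicts are constructed to resemble AWS S3 API
# responses (assumption: the page never names the cloud provider).

# Grantee URIs that make an ACL grant anonymous-readable.
ANON_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
# Actions that let a principal read objects or list the bucket.
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject", "s3:listbucket"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_allows_public_read(policy: dict) -> bool:
    """True if an unconditioned Allow statement grants a read action to an anonymous
    principal. Statements with a Condition are not flagged: the condition may narrow
    the grant, and evaluating it properly is out of scope here."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() in READ_ACTIONS:
                return True
    return False


def acl_grants_public_read(grants: list) -> bool:
    """True if the bucket ACL gives READ or FULL_CONTROL to an anonymous group."""
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in ANON_URIS and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            return True
    return False


def audit_bucket(snapshot: dict) -> list:
    """Return the findings for one bucket snapshot; an empty list means clean."""
    findings = []
    pab = snapshot.get("public_access_block") or {}
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append("public-access-block-incomplete")
    if policy_allows_public_read(snapshot.get("policy") or {}):
        findings.append("policy-allows-anonymous-read")
    if acl_grants_public_read(snapshot.get("acl_grants") or []):
        findings.append("acl-grants-anonymous-read")
    if not snapshot.get("default_encryption"):
        findings.append("no-default-encryption")
    if not snapshot.get("access_logging_target"):
        findings.append("no-access-logging")
    tags = snapshot.get("tags") or {}
    # Assumed inventory convention: every bucket holding personal data carries
    # a classification and an owner tag so it appears in the data inventory.
    if "DataClassification" not in tags or "Owner" not in tags:
        findings.append("not-inventoried")
    return findings


def audit_all(snapshots: dict) -> dict:
    """Map bucket name -> findings for a collection of snapshots."""
    return {name: audit_bucket(snap) for name, snap in snapshots.items()}


# Constructed snapshots: one bucket configured the way the complaint describes,
# one hardened. Neither is real data.
SAMPLE_SNAPSHOTS = {
    "health-reports-exposed": {
        "public_access_block": {k: False for k in PAB_KEYS},
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::health-reports-exposed/*"}]},
        "acl_grants": [{"Grantee": {"Type": "Group", "URI": ANON_URIS[0]}, "Permission": "READ"}],
        "default_encryption": None,
        "access_logging_target": None,
        "tags": {},
    },
    "health-reports-hardened": {
        "public_access_block": {k: True for k in PAB_KEYS},
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": "arn:aws:s3:::health-reports-hardened/*",
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-service"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::health-reports-hardened/*"}]},
        "acl_grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "bucket-owner"}, "Permission": "FULL_CONTROL"}],
        "default_encryption": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/health-reports"},
        "access_logging_target": "s3-access-logs",
        "tags": {"DataClassification": "genetic-phi", "Owner": "privacy-eng"},
    },
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SNAPSHOTS).items():
        print(name, "->", findings or ["clean"])
```

In practice the snapshot for each bucket would be assembled from the provider’s API (for S3: the public access block, bucket policy, ACL, default encryption, logging and tagging calls), and the audit run on a schedule so that a regression to a public bucket surfaces as an alert rather than as a third-party warning.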
The complaint also alleged that over a two-year period, Vitagene received three separate warnings that it was storing customers’ health and genetic information in a way that made it publicly accessible.
Of particular note is the FTC’s claim that, in 2020, the company changed its privacy policy to retroactively expand the types of third parties with which it may share consumers’ data, adding grocery chains, dietary supplement manufacturers, and the like. It did so without notifying customers who had provided their data under the former, more restrictive privacy policy, and without obtaining their consent.
To settle the case, 1health.io has agreed to implement a comprehensive information security program, including every-other-year third-party assessments. In addition, a senior company executive must certify annually that the company is complying with the terms of the settlement. The proposed settlement also includes a $75,000 financial remedy.
* * *
What lessons can other companies take away from this FTC action?
Sensitive health information – including genetic data – requires special care. Take particular care to substantiate the promises you make about your data practices. (If you have not read the FTC’s May 2023 Policy Statement on Biometric Information, you should now.)
Just because data is in your possession does not mean it’s yours to use as you wish. Consumers have a right to know in advance how you intend to use their information and you have the legal obligation to live up to your representations. The FTC’s position is that you need consumers’ affirmative express consent for any new uses of their data.
When it comes to security, keeping your data in the cloud does not absolve you of responsibility for privacy and security. The FTC has long said that storing data in the cloud does not give a company a free pass on security. As the FTC’s Request for Information about cloud computing makes clear, sellers of cloud technology and the companies that use their services share the responsibility to secure consumers’ personal information.
Respond to credible warnings about potential security lapses. The complaint against Vitagene alleges multiple instances in which the company failed to heed warnings others – including the provider of its cloud storage – had given about the security of its cloud-based information. Do you have systems in place to make sure those alerts get to the right people and get the immediate attention they deserve?