The Guidance emphasizes that companies selling products or data in this space should be familiar with, and heed, the lessons and principles set out by the agency through these enforcement actions. The Agency reiterated that protecting highly sensitive personal data, such as genetic and biometric information, is a top priority. A throughline of these cases, and emphasized in the Guidance, is that biometric and genetic data command a higher sensitivity and risk of harm than other forms of consumer data. Thus consumers, and the FTC, expect that security, truthfulness, and transparency should be heightened and in line with the sensitivity of the data.
This post focuses on the 1Health case, the lessons that can be learned, and what might be expected looking forward.
1Health, formerly known as Vitagene, Inc., is a direct-to-consumer genetic testing (DTC-GT) company. The complaint, announced on June 16, 2023, alleged that the company “left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.”
In its business model, consumers buy a DNA test kit and send the saliva sample back to the company, which then sequences and processes the information along with supplemental information provided by the consumer, such as health history, family history, and lifestyle. Packages range from $29 to $259 and, in return, consumers receive a report that may include a personalized assessment of purported potential health risks and problems, as well as ancestry.
As the sequencing of DNA has become more economically feasible and available to consumers, the privacy of such information has come under increased scrutiny. In response, over the past couple of years, certain states, including Maryland, Wyoming, Arizona, and Utah, have passed laws directly regulating the DTC-GT industry’s collection and use of consumer data. The information is also generally captured by comprehensive consumer privacy laws, such as those passed in California, Colorado, Connecticut, Utah, and Iowa. Consumer genetic data may also be protected by laws related directly to health data, such as the My Health My Data Act in Washington State.
In contrast, at the federal level, there is very limited regulation of DTC-GT companies. Outside of the medical context, genetic data is largely unregulated. The Genetic Information Nondiscrimination Act (GINA) is very limited in its scope, primarily reaching only employers and certain kinds of insurance providers. It does not reach DTC-GT companies or their ability to use or transfer genetic information. Similarly, the Health Insurance Portability and Accountability Act (HIPAA) has specific provisions for safeguarding genetic data, but it is limited to healthcare providers and insurers, and therefore doesn’t reach DTC-GT companies.
As can be seen in the 1Health.io case, the FTC is attempting to enter the fray through its powers under Section 5 of the FTC Act, targeting practices that are “unfair or deceptive.” The FTC previously addressed the specific issues and concerns related to DTC-GT in a 2019 blog post dedicated to the topic. The 1Health.io enforcement action also follows a recent trend of the FTC cracking down on health-related data and generally targeting practices that it deems “unfair.” For example, in May, the FTC issued a policy statement warning about the misuses of consumers’ biometric information.
Here, the complaint against 1Health homes in on specific false or misleading representations that 1Health made on its website. These representations include, for example, that 1Health exceeded industry-standard security practices, that data was deidentified, and that it could and would delete consumer data or samples upon request. Lastly, the complaint alleged that a retroactive change to the company’s privacy policy, expanding third-party sharing, was impermissible as such third-party sharing was “material” and was carried out without notification or consent.
According to the complaint, over a two-year period, the FTC warned 1Health at least three times of the alleged violations. As part of the settlement, 1Health paid a $75,000 penalty. In addition to monetary damages, the company was required to implement comprehensive data security protections, instruct third-party laboratories to destroy all samples retained longer than 180 days, conduct biannual third-party assessments, and certify that the company is adhering to the terms of the settlement.
The proposed settlement was posted to the Federal Register on June 23, 2023, and was open for public comment for 30 days. At the close of the comment period, the FTC decided to make the proposed consent order final. The CEO of 1Health, Mehdi Maghsoodnia, stated that “[u]ltimately, we disagree with many of the FTC’s conclusions. But we look forward to finally putting this matter behind us.”
While 1Health can put the case behind them, it is likely that the FTC will hold it out in front, both as a warning to companies, and as support for future enforcement actions in this area.