On June 16, the Federal Trade Commission (FTC) announced an enforcement action against 1Health.io Inc. (“1Health,” also known as Vitagene, Inc.), a genetic testing company that analyzes consumer-provided DNA samples and uses the results of that analysis to generate personalized reports and other tailored products. This is the latest in a series of enforcement actions that the FTC has brought in 2023 against companies for processing sensitive data in violation of Section 5 of the FTC Act (though the first that specifically focuses on both privacy and security practices related to genetic data).
Perhaps the most notable element of this decision is that, according to the FTC, 1Health retroactively changed its privacy policy in a manner that was “unfair” under Section 5 of the FTC Act. The FTC alleged that 1Health’s privacy policy changes with regard to the sharing of consumers’ sensitive data were “material,” such that they required additional steps by the company to notify consumers or obtain their consent. The FTC has historically enforced retroactive material privacy policy changes as a potentially “deceptive” practice under Section 5 but had not brought a recent enforcement action against a company for this violation specifically.
This case highlights that the FTC is continuing to expand its enforcement authority by labeling more practices that it views unfavorably as “unfair,” and that the agency is paying specific attention to retroactive changes to privacy policies. As companies continue to routinely revise their privacy policies in order to comply with new state privacy law obligations, they should be aware that the FTC is paying attention to what they say.
In this post, we summarize the key allegations made in the FTC’s complaint against 1Health, identify notable elements of the proposed consent order, and highlight key takeaways for companies looking to determine what this enforcement action means for their data privacy and security programs.
The Complaint
1Health.io is a genetic testing company that sells “DNA Health Test Kits” to consumers. 1Health uses these kits to collect saliva samples from consumers, which the company then sends to a third-party testing lab for analysis. 1Health combines this analysis with other consumer-provided information (such as responses to health and lifestyle questionnaires) to generate health and ancestry reports for consumers. The company also offers a range of other products (e.g., nutritional supplements, fitness and beauty plans) tailored to a consumer’s genetic makeup.
The overarching narrative of the FTC’s complaint against 1Health is that the company misled consumers about how it was handling and protecting their sensitive personal information, and that these practices amounted to unfair or deceptive acts or practices under Section 5 of the FTC Act.
The complaint’s specific allegations include the following:
- Deceptive Claims About Handling of Sensitive Personal Information: The complaint asserts that 1Health made numerous deceptive claims about how it handled consumers’ sensitive health and genetic information. These included claims that 1Health would keep customers’ DNA information separate from other identifying information; that 1Health would delete consumer information upon request; and that 1Health would destroy the physical DNA samples that it collected from consumers after they had been analyzed.
- Unfair Retroactive Privacy Policy Revisions: The complaint alleges that 1Health revised its privacy policy to greatly expand the scope of third parties with which it could share consumers’ sensitive personal information, and that it made these revisions without providing notice to affected consumers or obtaining consumers’ consent for this expanded sharing. Specifically, the complaint asserts that, up until April 2020, the 1Health privacy policy allowed 1Health to share personal information with third parties only in limited and narrow contexts. Such scenarios included, for example, “with [consumers’] physicians or other medical professionals under consumers’ direction; with [1Health’s] business partners or service providers, such as credit card processors or contracted genotyping laboratories, ‘only as necessary to’ help [1Health] provide, understand, or improve its services; as required by law; with any third party with a consumer’s prior consent; or via transfer of [1Health’s] business to another entity.” In April 2020 and December 2020, however, 1Health revised its privacy policy to allow for sharing of sensitive personal information with a broader set of third parties, including, for example, “pharmacies, supermarket chains, nutrition and supplement manufacturers, and other providers and retailers so they can promote and offer their products and services to [1Health’s] customers; with third parties for their own services and marketing purposes … and with partners, third parties, or affiliates, including for those third parties’ own purposes.” Notably, these revisions applied to all 1Health customers, including those who had only provided their personal information prior to the revisions. And, the complaint asserted, 1Health neither notified such customers of these changes nor obtained consent for the expanded sharing.
- Public Exposure of Health and Genetic Information: The complaint alleges that 1Health publicly exposed the health and genetic information of more than 2,600 consumers by storing that information in publicly accessible containers on a cloud storage service and failing to shield these containers with appropriate protections (such as access controls or encryption).
The Proposed Consent Order
The proposed consent order imposes the following key requirements on 1Health:
- No Misrepresentations About Protection of Customer Personal Information: 1Health is prohibited from making any misrepresentations about its protection of customers’ personal information, such as the extent to which its security practices meet industry or government standards; its data deletion practices; and the degree to which it separates health information from other types of personal information.
- Affirmative Express Consent for Disclosure of Health Information: 1Health is required to obtain a consumer’s affirmative express consent before disclosing that consumer’s health information to any third party.
- Facilitate Destruction of Saliva Samples: 1Health must instruct all laboratories that collected 1Health customers’ DNA saliva samples to destroy any samples they have retained for more than 180 days after 1Health accepted the laboratory’s analysis of a given sample.
- Information Security Program: 1Health must establish a comprehensive information security program, including such elements as periodic risk assessments, implementation of safeguards (including data access controls and encryption), monitoring and testing of safeguard effectiveness, and screening of service providers. Additionally, 1Health must obtain assessments from an independent, third-party assessor regarding its compliance with the information security program.
- Incident Reporting: 1Health must submit incident reports to the FTC for any incident that requires notification to another government entity or entails the exposure of consumer health information.
- Monetary Judgment: 1Health must pay the FTC $75,000, which the Commission has stated it intends to use for consumer refunds.
Key Takeaways
- Providing Notice and Obtaining Consent for Material, Retroactive Privacy Policy Changes: One notable part of the FTC complaint is its focus on 1Health’s adoption of retroactive privacy policy changes without providing notice to or obtaining consent from consumers. Moving forward, companies should ensure that any material changes to their privacy policies (particularly those that apply retroactively to data collected before the revisions) are accompanied by notice to consumers and, where appropriate, by obtaining appropriate consent.
- Compliance With Data Deletion Requests: The 1Health complaint is yet another example of the FTC taking a company to task for failing to adhere to consumers’ data deletion requests, something that we have seen in at least one other recent FTC enforcement action. Here, the FTC noted that 1Health was unable to fully comply with consumer data deletion requests because it lacked a full inventory of the consumer information that it collected. Companies that collect consumer personal information should thus ensure that they (1) have a full accounting and inventory of the personal information that they collect; and (2) fully comply with consumers’ requests to delete that information (including by flowing down data deletion requests to relevant third parties).
- Using Third-Party Contract Requirements to Fulfill Data Protection Commitments: One of the complaint’s allegations centered on 1Health’s failure to ensure the destruction of consumers’ physical DNA saliva samples after they had been analyzed. 1Health itself did not conduct this analysis; rather, such analysis was outsourced to a third-party laboratory partner. However, that made little difference to the FTC, which indicated that 1Health should have had a contract provision in place to ensure the destruction of these samples consistent with the company’s public-facing representations. This complaint thus emphasizes that companies should use contract requirements, where appropriate, to ensure that they are adhering to data protection promises made to consumers.