The Federal Trade Commission (FTC) recently published a post on its Business Guidance Blog discussing lessons learned from three enforcement actions against sellers of genetic testing products. These guidelines address company practices for data privacy, security, advertising, and artificial intelligence (AI) claims relating to customer DNA or other biometric information. Three enforcement actions drove the development of these guidelines: (1) CRI Genetics, a 2023 enforcement action by both the FTC and the California Attorney General that alleged the company used deceptive marketing and AI claims about its genetic testing reports and used dark patterns for online billing; (2) 1Health/Vitagene, a 2023 FTC enforcement action that alleged the company had insufficient security practices and misrepresented some of its privacy practices; and (3) GeneLink, a 2014 FTC enforcement action that alleged the company had insufficient security practices and made false claims about how it could use a consumer’s genetic information to make personalized health supplements.
Although the post summarizes lessons targeted at companies that collect, process, and store customer genetic information for DNA-based products or services, the guidance is relevant to any company that uses sensitive data as a core part of its product offerings. In the past couple of years, we have seen the FTC forecast its enforcement actions by first publishing business guidance or a blog post, such as the May 2023 policy statement on misuse of biometric information preceding the enforcement action against Rite Aid, and the January 2022 guidance resource on complying with the Health Breach Notification Rule preceding the enforcement action against GoodRx. According to this blog post, “If you collect or store genetic data, you’re on notice that the FTC expects security in line with the sensitivity of the data.” These expectations can translate into substantial consequences for noncompliance, such as mandated deletion of valuable data and significant financial settlements (as seen in the $700,000 civil penalty against CRI Genetics and the $75,000 settlement with 1Health/Vitagene).
Compliance Takeaways
- The FTC’s priorities include the security of biometric and genetic information. One of the main reasons the FTC is so concerned about the data practices of companies that develop services or products with this information is that “genetic data reveals sensitive information not only about consumers’ health, characteristics, and ancestry, but also about their families.”
- Expected data security measures scale with how sensitive (and potentially harmful) the data is. The blog post emphasized that the higher the sensitivity of the data, the higher the risk of harm.
- Strong security also includes protection of customer accounts. To protect customer accounts, a company should use access controls, encrypt stored data rather than leaving it exposed in publicly accessible storage, and monitor access to account data.
- Claims about genetic testing should be accurate and supported by data. CRI Genetics allegedly overstated the accuracy of its test results and falsified reviews. While companies can advertise positive aspects of their genetic testing products, claims should be grounded in scientific research and should not be exaggerated.
- AI or algorithm claims also should be accurate and supported by data. The same points made above about genetic testing claims apply to any claims about the use of AI or an algorithm.
- Gather customers’ affirmative, express consent for the use and disclosure of genetic data. The blog reminds readers that “the FTC has a strong record of challenging deceptive or unfair dark patterns” and goes on to state that affirmative express consent is the recommended way to obtain consumer consent.
- New consent is needed for any substantial change to a company’s privacy policy.
- Make sure there are processes in place (data inventories, vendor agreements, etc.) that support a company’s privacy claims. Vitagene made detailed privacy promises about storing genetic data only in de-identified form and about consumers’ ability to fully delete their data. The FTC alleged that the company could not uphold these promises because it lacked the protocols and capabilities needed to support them.
Looking Ahead
The blog post also references a policy statement published by the FTC in May 2023 that warned about misuses of biometric information and the potential for harm to consumers. Those warnings anticipated many of the allegations the FTC brought against Rite Aid seven months later for allegedly unfair and discriminatory practices relating to a facial recognition surveillance system deployed in selected stores nationwide. Now, the guidance in this post urges companies to look at that policy statement again, hinting that we might expect to see more enforcement around the privacy and security of genetic and biometric data in the coming months.