The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.
1Health.io, a genetic testing company, said it would only share consumers’ sensitive health and other personal information in limited circumstances, then later expanded its data sharing to third parties, like supermarket chains.
The FTC views “genetics” to be a “biometric identifier” and therefore it is not “de-identified.”
Subscribe HERE to Legal HIE’s backend compliance library to gain access to tools, checklists, whitepapers, sample policies and a lot more to help your organization stay on top of the newest compliance challenges in 2023!
Last Friday, the FTC published a Press Release announcing a new Proposed Settlement with 1Health.io (formerly Vitagene), a California-based company that, according to the FTC, was “in the business of selling DNA health test kids and using DNA test results, along with other information made available by the consumer, to provide its consumer reports about their health, wellness, and ancestry as part of their product packages.”
In its Complaint, the FTC alleged that 1Health.io violated its own privacy and security policies. The FTC found that on its website, the company held out that:
- It did not store DNA results with a consumer’s name or other identifying information;
- Consumers could delete their personal information at any time and that such data would be removed from all of the company’s servers; and
- It would destroy DNA saliva samples shortly after they have been analyzed.
Additionally, and perhaps most importantly, the FTC also found that from 2017-2020, the company informed consumers that it would only share consumers’ sensitive health and other personal information “in limited circumstances” such as providing information to a customer’s doctor or with the lab doing genetic testing. However, what the company said it was going to do with consumers’ data did not match what they then actually did with it.
The FTC alleged that numerous things that 1Health.io did violated the FTC Act, but the company’s “retroactive expansion” of the types of third parties that they decided to share consumers’ data with is the one that everyone reading this post needs to pay particular attention to. What essentially appears to have happened is consumers originally signed consents to allow their genetic and other information to be shared with certain groups of third parties, like health care providers and researchers. However, in 2020 the company unilaterally “expanded” its privacy policies to allow it to also share such consumers’ information with additional types of third parties, like supermarket chains and nutrition and supplement manufacturers – but the company did not notify their consumers who had previously shared personal data with the company of this expanded class of recipients, nor did it obtain their additional specific consent to share such sensitive information with the expanded list of third parties.
Therefore, genetic testing companies, and those who partner with them, must take care to ensure that the scope of how consumers’ sensitive data is used and shared in the future aligns with the scope of consent that was given by the consumer at the point of data collection. Many states have privacy laws that protect genetic data (see NIH Genome Statute and Legislation Database). Such laws often require that a valid consent form specifically identify the recipient party/parties who are authorized to access or receive an individual’s “genetic information.” Therefore, if a signed consent does not identify particular types of recipients as among those who the individual “authorized” to access/receive their genetic information, their information cannot at a later time be shared with such additional third parties (unless additional consent is obtained).
In addition to privacy concerns, the FTC raised security violations as well. Specifically, the FTC found that 1Health.io stored “in publicly accessible buckets” on Amazon Web Service’s (AWS) cloud storage service nearly 2,400 health reports about consumers and raw genetic data of at least 227 consumers sometimes accompanied by a first name—despite promising users its security practices would “exceed industry-standard security practices.” Moreover, such data was not encrypted, access was not restricted, and log-in was not monitored. The FTC explained in its complaint that over a two-year period, the company was warned at least three times that it was storing unencrypted health, genetic, and other personal information in publicly accessible data buckets.
As part of the proposed order, 1Health.io is being required to pay a penalty of $75,000, delete all collected DNA data, and will be prohibited from sharing health data with third parties—including information provided by consumers before and after its 2020 privacy policy change—without obtaining consumers’ affirmative express consent.
This latest development comes at the heels of the FTC publishing a recent Policy Statement in May 2023 on Biometric Information and Section 5 of the FTC Act. Here, it’s worth noting that the FTC views an individual’s “genetics” to be “biometric information.” Therefore, any data set containing such “genetics” should never be assumed to be “de-identified” under HIPAA’s Safe Harbor exception which requires the removal of any and all “biometric identifiers.” See 45 C.F.R. 164.514(b)(2).
