FTC settles case on privacy, security of genetic information with 1Health.io

By Danielle Masterson


Getty Images / Black_Kira


The agency claims precision health company 1Health.io failed to protect privacy and security of DNA data and unfairly changed its privacy policy.

The Federal Trade Commission recently announced it settled a case with 1Health.io, formerly Vitagene, charging that it failed to protect sensitive genetic and health data of consumers, marking the first FTC case focused on both the privacy and security of genetic information. Vitagene, which launched in 2014, helped people craft diet and exercise regimens based on their biological traits by offering the Vitagene Diet Report, Supplement Report, Exercise Report, Skin Report, and Ancestry Report. According to its website, the company currently offers tests for vitamin D, food sensitivities, inflammation and more.

The settlement finalizes a complaint originally announced in June, which accused the company of failing to share consumers’ sensitive data only in limited circumstances.

“Your privacy is our top priority”

“The FTC alleged that 1Health.io, a genetic testing company, committed privacy and data security violations. The company sold ‘DNA Health Test Kits’ which collected and analyzed saliva samples to provide reports about the consumers’ health and wellness. The company allegedly claimed to have robust practices, stating on its website, ‘The most personal information must also be the most private,’ ‘As your lifelong partner on your health journey, your privacy is our top priority,’ and that it had ‘Rock-solid security,’” explained advertising lawyer John Villafranco, partner at Kelley Drye & Warren LLP.

The company also changed its privacy policy in 2020 by retroactively expanding the types of third parties it could share consumers’ data with, but did not notify users or obtain their consent, according to the FTC.

While no records indicated that any information was exposed, the files were nonetheless unprotected and therefore could have been accessed. 1Health.io also failed to destroy customers’ DNA samples shortly after they had been analyzed.

“According to the complaint, the company did not live up to its promises, making false claims regarding handling of sensitive genetic information, including that it shared sensitive data in limited circumstances, that it destroyed customers’ DNA samples after completing its analysis, and that it de-identified DNA data. The company also allegedly did not notify customers prior to modifying its privacy policy to add third parties with whom it shared personal information and made DNA data and health reports of 2,600 consumers publicly available in an unencrypted format,” he added.

Under the order, 1Health.io must pay $75,000, which the FTC intends to use for consumer refunds. The company is also required to instruct third-party contract laboratories to destroy all consumer DNA samples that have been retained for more than 180 days. Other provisions of the order prohibit 1Health.io from sharing health data with third parties—including information provided by consumers before and after its 2020 privacy policy changes—without obtaining consumers’ affirmative express consent; require the company to notify the FTC about incidents of unauthorized disclosure of consumers’ personal health data; and require it to implement a comprehensive information security program addressing the security failures outlined in the complaint.

Best practices

While personalized nutrition and microbiome testing kits are a booming business, security concerns are also increasing. The FTC has previously issued guidance on protecting consumer privacy for genetic testing companies, and some states have gone a step further by tightening up regulations.

The FTC’s tips for testing kit sellers:

  • Consider describing uses of genetic information in one featured place
  • Explain who can see what profile information – and let users know about important changes
  • Help users to make choices with set-up wizards and appropriate default settings
  • Explain third-party disclosures clearly
  • Consider one-stop-shopping for expunging genetic information

Basic truth-in-advertising principles also apply to marketing genetic testing kits:

  • Tell the truth about what your genetic testing kit can do
  • Disclose key information clearly and conspicuously. If you need to disclose information to make what you say accurate, your disclosures have to be “clear and conspicuous.” 

At the end of the day, Villafranco said, like all advertising claims, privacy and data security claims must be truthful and substantiated, and any claim that a company makes about how it is using data must be truthful and honest, or the FTC may consider these claims to be deceptive under Section 5 of the FTC Act.

“Creating personalized reports inherently means that the company will be collecting personal, and potentially sensitive, information. If a company is collecting personal information, then it should evaluate the way in which it is collecting, processing, sharing, storing, and deleting data. These processes should prioritize protecting sensitive data from being exposed to bad actors or sharing data with parties without obtaining consumer consent,” Villafranco said.
