Washington, D.C. (September 12, 2023) – The Federal Trade Commission (FTC) recently finalized an order with the genetic testing company, 1Health.io (formerly known as Vitagene), to resolve allegations stemming from 1Health.io's handling of sensitive consumer data and changes to its privacy policy.

The order rests on allegations that 1Health.io:

  1. Failed to adequately protect sensitive genetic and health data.
  2. Misled consumers regarding their ability to have their data removed.
  3. Changed its privacy policy retroactively without properly notifying and obtaining the consent of its users.

Specific Allegations

The FTC's complaint, initially disclosed in June 2023, detailed the following primary concerns:

  1. Data Sharing Practices: Contrary to its publicly stated commitments, 1Health.io did not restrict the sharing of sensitive data as promised.
  2. DNA Sample Retention: The company did not destroy consumers' DNA samples promptly post-analysis as assured.
  3. Data Storage: 1Health.io stored DNA results with identifiable consumer information and failed to remove this data upon consumers' requests.
  4. Lack of Security: Despite advertising "rock-solid security", 1Health.io stored unencrypted health and genetic data in publicly accessible locations.
  5. Retroactive Privacy Policy Changes (2020): The company expanded the categories of third parties with whom it could share consumers' data without prior notice or consumer consent.

Settlement Terms

  1. Monetary Penalty: 1Health.io will pay $75,000, intended for use by the FTC for consumer refunds.
  2. DNA Sample Destruction: The company must instruct third-party laboratories to destroy all retained consumer DNA samples older than 180 days.
  3. Data Sharing Restrictions: 1Health.io is prohibited from sharing health data with third parties without receiving clear and affirmative consent from consumers. This also applies to data provided by consumers before the 2020 privacy policy alterations.
  4. Incident Reporting: Any unauthorized disclosure of consumer health data must be promptly reported to the FTC.
  5. Comprehensive Security Measures: The company must roll out a robust information security program to address the security failures identified in the FTC's complaint.

Lessons Learned & Practical Advice for Companies

  1. Transparent Data Practices: Confirm that any promises or claims made to consumers about data privacy and security are accurate, transparent, and consistently implemented.
  2. Clear Communication: If there is a need to amend privacy policies, especially in ways that may expand data-sharing, provide timely and clear notifications to affected consumers and obtain their explicit consent.
  3. Data Security Protocols: Regularly review and enhance data security measures to minimize the risk of potential breaches and unauthorized access. Consider periodic third-party audits to maintain compliance and security robustness.
  4. Retention Practices: Establish and adhere to a defined data retention policy, confirming that unnecessary data is promptly and securely disposed of.
  5. Stay Updated: Be aware of evolving regulations and guidelines related to data privacy and security, especially in sensitive industries like genetic testing. Regularly check resources like consumer.ftc.gov and ReportFraud.ftc.gov to stay informed.

Conclusion

The FTC's action against 1Health.io serves as a reminder of the serious implications of failing to uphold privacy and security commitments to consumers, especially in sectors handling sensitive data. It is paramount for companies to invest in robust data protection frameworks, transparent communication, and a genuine commitment to consumer rights and trust.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.