
InfoBytes Blog

Financial Services Law Insights and Observations

FTC sues genetic testing company over privacy failures

Federal Issues Privacy, Cyber Risk & Data Security FTC FTC Act Enforcement Consumer Protection


On June 16, the FTC filed an administrative complaint against a California-based genetic testing company for allegedly deceiving consumers about its privacy and data security practices. Marking the FTC’s first case to focus on both the privacy and security of genetic information, the complaint claims the respondent (which sells DNA health test kits and provides health reports to consumers that include personal information) failed to secure genetic and health data and misled consumers about its ability to delete consumers’ data. These alleged actions contradicted claims made by the respondent on its website that personal health information is collected, processed, and stored “in a responsible, transparent and secure environment.” Additionally, the FTC alleged that the respondent failed to implement a policy to ensure DNA samples were destroyed by contract laboratories and made changes to its privacy policy that retroactively expanded the types of third parties authorized to share consumers’ data without notifying consumers or obtaining their consent. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in the announcement.

The respondent is further accused of storing unencrypted personal health information in a publicly accessible cloud storage repository. Several warnings about the unencrypted storage were allegedly sent to the respondent before customers were notified.

Under the terms of the proposed consent order, the respondent will be required to pay $75,000, which will go toward consumer refunds. The respondent must also strengthen its data protection measures, cease misrepresenting the extent of its security or privacy practices, and instruct third-party contract laboratories to delete all DNA samples that have been retained longer than 180 days. Additionally, the respondent must obtain consumers’ affirmative express consent before sharing health data with third parties, notify the FTC should consumers’ personal health information be compromised, and implement a comprehensive information security program to address the alleged security failures identified in the complaint.