If you sell genetic testing kits to consumers, you’re probably familiar with the Genetic Information Nondiscrimination Act (GINA), which prohibits discrimination on the basis of genetic information under some circumstances. You’re also familiar with the Health Insurance Portability and Accountability Act (HIPAA), which protects health information collected by certain types of entities. Then there are laws enforced by the FDA and the Centers for Disease Control and Prevention that pertain to genetic testing kits.

These laws might – or might not – apply to your company. But when you’re thinking about your data practices, keep in mind another law that probably does apply to your business: the Federal Trade Commission Act.

The FTC Act prohibits unfair or deceptive trade practices. Implementing sound privacy and security practices can help you keep your company in line with the FTC Act. Here are a few tips on how to do that.

Consider describing uses of genetic information in one featured place.

Yes, it can be challenging to write a privacy policy that gives the right level of detail and is easy for consumers to understand. But there are practices that can make that task easier. Let’s say Company A responds to this challenge by creating a lengthy privacy policy with the discussion of genetic information buried in an overview of personal information generally. The right information is all there, but digging it out will require some excavation. As a result, consumers might struggle to understand the company’s most important data practices: What does it do with genetic information? With whom does it share this sensitive data? And how can the consumer make sure the company will expunge information upon request? Contrast that with Company B, which creates a stand-alone policy about genetic information or devotes a prominent section of a larger policy to that key topic, perhaps using graphics, color, or other cues. Companies sometimes say they’re stymied about how to convey privacy-related information clearly. Our suggestion is to start with the same principles that are second-nature to marketers: clear language, visual emphasis, and eye-catching presentation.

Explain who can see what profile information – and let users know about important changes.

Account settings can have a big effect on the privacy of genetic data. When you’re explaining those settings, make sure you state clearly who can see what information in user profiles. If anything significant changes, tell your customers right away so that they can make an informed choice about the current state of service. For example, suppose Company C’s privacy policy informs consumers that only other users can see their profiles. Now suppose Company C later reaches a deal to permit researchers to be “users” of the service, so that the researchers can access the DNA-derived matching information in customers’ profiles. If Company C doesn’t amend its privacy policy and account settings page to explain this expansion of “users” and doesn’t notify customers of the change, it risks misleading them. Similarly, consider Company D, which launches a new feature enabling users to see the location of their matches. If Company D doesn’t take steps to alert customers of the change, it, too, runs the risk of deceiving its customers. Also, keep in mind that tweaking your privacy policy might not be enough. If you plan to use your customers’ data in a manner that is materially different from what you promised them at the time of collection, make sure to obtain affirmative express consent for the new use.

Help users to make choices with set-up wizards and appropriate default settings.

When faced with numerous notices about thorny topics like health, medical research, and privacy, some consumers may feel overwhelmed. You can help your customers with this notice-overload problem with some simple design choices. First, consider creating a set-up wizard that walks users step-by-step through a registration process that addresses the choices you offer about those topics. Second, think through the defaults of any settings you offer. Starting off with privacy-protective settings for sensitive information and uses – with the option for consumers to opt in for more expansive sharing – will reduce the likelihood that consumers will feel blind-sided by uses or disclosures of their sensitive information they didn’t expect.

Explain third-party disclosures clearly.

Context can make a big difference in how consumers perceive your claims. If Company E asks its customers for consent to “share” their genetic information with researchers for important medical studies, some consumers might reasonably expect that “sharing” to involve a not-for-profit arrangement with an entity like a research university. Customers expecting this kind of sharing may be deceived if Company E is, in fact, selling users’ genetic information to a pharmaceutical company. To avoid deceiving consumers, Company E should explain its practices clearly – for example, by choosing more precise wording or by prominently clarifying the nature of the “sharing.”

Consider one-stop-shopping for expunging genetic information.

Consumers might not appreciate that genetic testing services often hold two types of genetic information about them: a physical sample (like saliva) and DNA information derived from that sample. Suppose Company F describes in its privacy policy the process for deleting genetic information, without referencing its entirely separate process for destroying the physical sample. Customers of Company F might be surprised to learn that, post-deletion, the company still holds their genetic information – in other words, the physical sample. Company F should avoid misleading consumers about the ability to expunge all genetic information. A better practice would be to explain both processes together (and any limitations on them) in the privacy policy and in appropriate places in its user interface.

Basic truth-in-advertising principles also apply to marketing genetic testing kits.

  • Tell the truth about what your genetic testing kit can do. Under the law, the definition of “advertising” covers pretty much anything a company tells a prospective buyer or user – expressly or by implication – about what a product can do. Whether it’s what you say in a commercial, in a YouTube video, on a website, on the product packaging itself, or via social media, you have to tell the truth. False or misleading claims, as well as the omission of certain important information, can land you in legal hot water. If you make objective claims about your genetic testing kit, you need solid proof to back them up before you start advertising. The law calls that “competent and reliable evidence.” If you claim your genetic testing kit provides benefits related to health, safety, or performance, you may need competent and reliable scientific evidence. If you claim your genetic testing kit is “clinically proven” to work, you must have methodologically sound clinical studies conducted on your kit that demonstrate consumer-relevant results matching your claims. Visit the FTC’s Business Center for more on keeping your claims compliant.
  • Disclose key information clearly and conspicuously. If you need to disclose information to make what you say accurate, your disclosures have to be “clear and conspicuous.” What does that mean? That they’re big enough and clear enough that users actually notice them and understand what they say. Generally, the law doesn’t dictate a specific font or type size, but the FTC has taken action against companies that have buried important terms and conditions in long licensing agreements, in dense blocks of legal mumbo jumbo, or behind vague hyperlinks. Clear and conspicuous disclosures make good business sense, too. Most people react negatively if they think a company is trying to pull a fast one by hiding important information. Users are more likely to continue to do business with a company that gives them the straight story up front. Consult .com Disclosures: How to Make Effective Disclosure in Digital Advertising for compliance advice.


Hector Benavente
March 21, 2019
A company called Alliensys, which does not have any registration as a corporation in all USA, is offering a business opportunity to individuals to work as representatives taking saliva tests from people and getting their medical insurance information. Alliansys is offering to pay $700.00 per insured. The only way to contact Alliansys is by email. They don't have any 1-800 phone number or phone number for customer service and don't have any website to display their services. They do have only a back office (website) but no contact at all with any human being. My question is: is the business opportunity they are offering legal?
FTC Staff
March 22, 2019

In reply to Hector Benavente

You could check out a company with your local consumer protection agency, your state Attorney General, or the Better Business Bureau. You can check with the agencies that are located in the same place as the company, and where you live. These organizations can tell you whether they have complaints about the company. Even if there are no complaints, that does not show the company is legitimate.

If you want to check on a business, you can see what experience other people have had. You can type the company name into a search engine with the words “complaint,” “reviews,” or “scam.” Read what other people have said.
