The DNA of privacy and the privacy of DNA

Companies selling genetic testing products tout the benefits of DNA-based insights – learning more about health, lineage, family tree – so that consumers can seek medical attention, customize their diet or exercise regimen, find long-lost relatives, or understand more about their background. But for consumers to realize benefits from DNA-based products or services, consumers need to be able to trust their accuracy – and trust that the company’s practices related to the DNA of privacy (data minimization, purpose limitations, retention limits, etc.) will protect the privacy of their DNA. Here are some lessons on privacy, data security, truth in advertising, and artificial intelligence (AI) drawn from a trio of FTC enforcement actions involving sellers of genetic testing products: CRI Genetics, 1Health/Vitagene, and Genelink.

Protecting biometric information – including genetic data – is a top FTC priority. Since announcing its Biometric Policy Statement in May 2023, the FTC has settled actions against two sellers of direct-to-consumer DNA testing kits. Why are these cases so important? Genetic data reveals sensitive information not only about consumers’ health, characteristics, and ancestry, but also about their families. While some other data types can be stripped of identifying characteristics, that’s not necessarily the case when it comes to genetic information. Where the sensitivity of the data is high, so too is the risk of harm, particularly in this era of increasing biometric surveillance. The FTC’s actions in Amazon/Alexa and Ring to protect voice recordings and videos further illustrate this point. To stay on the right side of the law, heed the lessons from these cases.

Secure genetic data. In both 1Health/Vitagene (consumers may know the company as Vitagene) and Genelink, the FTC charged that sellers of genetic-based products had subpar data security. The FTC’s Vitagene complaint alleges that the company didn’t inventory its genetic data, so it wasn’t even aware that it had stored some of it in a cloud storage “bucket” accessible to the public. In addition, the company allegedly didn’t use access controls, didn’t encrypt that publicly accessible data, didn’t log or monitor access to it, and didn’t remedy the problem even after receiving credible warnings. Genelink preceded Vitagene by about nine years – and yet there are eerie similarities. According to the Genelink complaint, the company maintained sensitive data in clear text, failed to limit employee and contractor access to sensitive data, failed to assess the risks to that data, and didn’t include terms in the contract to require contractors to use safeguards and to allow Genelink to oversee their practices. The data practices described in both complaints are shoddy for any data, but especially for sensitive genetic information, where the risk of harm to consumers from exposure of that data is high. If you collect or store genetic data, you’re on notice that the FTC expects security in line with the sensitivity of the data.

Secure customer accounts. Securing genetic data doesn’t just mean good network security (although that’s a must). It also means securing customer accounts through which a bad actor could access genetic data or other personal information. The more sensitive the data, the more valuable it may be to bad actors – which means customer accounts are likely targets for hackers. The Ring matter illustrates that point. According to the complaint, the home security camera company failed to take reasonable steps to secure customer accounts against common hacking techniques, including credential-stuffing attacks. (Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from one breached account to gain access to a consumer’s other accounts.) The complaint alleges that Ring only used half-measures to prevent these attacks. For example, Ring made multi-factor authentication available to consumers, but didn’t require them to use it – even though customer accounts were the gateway to highly sensitive information like stored videos and live streams of consumers in private spaces of their homes. If your customer accounts offer data thieves a similar gateway to sensitive data (for example, results from genetic testing), learn from the Ring case and properly secure those accounts.

Don’t oversell: Can you support your accuracy claims about genetic testing? Be careful not to exaggerate your claims about your genetic testing product. There’s a line between puffery and deception that you don’t want to cross. According to the CRI Genetics complaint, the company – among other things – overstated the accuracy of their test results (“accuracy greater than 99.9%”) and falsified reviews. Here’s the truth about DNA testing for ancestry: Companies estimate consumers’ ancestry by comparing consumers’ DNA with the companies’ proprietary DNA reference data. Their algorithms “predict” consumers’ ancestry, with varying margins of error. DNA testing for ancestry is, therefore – at best – an estimation of ancestry, not a precise science. The Genelink complaint alleges that the company claimed their genetically customized nutritional supplements could treat diabetes, heart disease, arthritis, insomnia, and other health conditions – all without scientific support. When making claims about the accuracy of genetic testing or the purported benefits of DNA-related products, stick with reliable science. If you don’t have a reasonable basis to support your claim, don’t make it in the first place.

The FTC is watching how companies use – and claim to use – Artificial Intelligence. DNA algorithms are no exception. It’s no secret that the FTC is focused on making sure that consumers can enjoy the benefits of AI without suffering substantial harms like bias, privacy invasions (Amazon/Alexa and Ring), or questionable accuracy (WealthPress, DK Automation, Automators AI). That holds true when it comes to “DNA algorithms.” In the CRI Genetics matter, the FTC alleged that the “patented DNA algorithm” the company touted in its ads was not in fact patented and didn’t generate the highly accurate results the company claimed. In this age of AI, some companies may be tempted to use loose talk about AI and algorithms, perhaps as a means of conveying technological sophistication. Watch out. If you’re promoting your AI or algorithm, make sure your claims don’t deceive or otherwise harm consumers.

The FTC has a strong track record of challenging deceptive or unfair dark patterns, including when it comes to obtaining “consent” for the use and disclosure of genetic data. Recent enforcement actions like Amazon/Prime, Publishers Clearinghouse, and Vonage demonstrate the high priority the FTC places on challenging allegedly illegal dark patterns – manipulative designs that coerce consumers into decisions they wouldn’t knowingly agree to make. The CRI Genetics matter reinforces this point. According to the complaint, the company used dark patterns – confusing pop-ups and directions, bogus “rewards,” claimed urgency – to push consumers into buying more. In the ongoing battle against illegal dark patterns, the orders in both CRI Genetics and Vitagene require the companies to obtain “affirmative express consent” – consent that precludes the use of dark patterns – for future uses or disclosures of genetic data. Companies are on notice that they shouldn’t be using dark patterns to get consent.

Don’t commit a foul when changing the rules of the game. The Vitagene order includes that “affirmative express consent” requirement because the company had allegedly changed its terms on a key issue – but the company didn’t get real consent from consumers for this material retroactive change. According to the complaint, changing the rules of the game in the privacy policy was unfair, even though the company hadn’t yet implemented the change. The bottom line is that consumers should know what to expect from your data practices. A bait-and-switch approach to collecting personal information (especially genetic data) doesn’t fit with the FTC Act’s requirements.

Nothing but the truth. According to the FTC’s complaint in Vitagene, the company made detailed privacy promises – for example, about how it stored genetic data and destroyed genetic samples – but didn’t deliver on those promises.  The company made these promises prominently (a good thing!), including on a page dedicated to genetic privacy. But, according to the complaint, rather than storing genetic data without identifying information, it stored results with names and other personal information. When the time came to delete genetic data, the company couldn’t delete it because they didn’t even know where some of it was stored – meaning that they broke that promise, too. And the company failed to have a process in place – through contractual obligations, in particular – to ensure that third-party labs destroyed genetic samples after testing. The upshot: If you’re selling genetic testing products (or any product, for that matter), you owe consumers nothing less than the truth.

The consequences for ignoring these warnings can be significant. In both recent genetic testing matters, the companies ended up paying substantial financial settlements, either as civil penalties under California state law (CRI Genetics) or for consumers redress (Vitagene). Furthermore, the orders in both cases required the companies to delete or destroy certain valuable biometric data or materials. These remedies were on top of other order provisions, such as prohibitions on misrepresentations, required notice to consumers of the FTC’s action, mandates to obtain affirmative express consent for the future use or disclosure of genetic data, and a mandated security program with independent assessments. It’s clear that the consequences of non-compliance with the FTC Act and other laws can be significant. Your best bet is to stay on the right side of the law by following these lessons.