This is the FTC’s first case involving genetic data privacy since its May 2023 biometric policy statement. The case follows the FTC’s recent enforcement actions against digital health companies, including the prescription drug price tracking company GoodRx, mental health platform BetterHelp, and fertility tracking app Premom. Collectively, these actions signal the FTC’s continued attention to the privacy and security of health information managed by businesses.
Background and Complaint
1Health.io is a genetic testing company that combines genetic information from consumer saliva samples with health information supplied by consumer questionnaires to provide the consumers with health, wellness, and ancestry reports as part of various product packages.
The FTC complaint against 1Health.io (Complaint) charged 1Health.io with four misrepresentation counts. Specifically, the Complaint alleges that 1Health.io represented that:
- its security practices “exceed industry standard” but stored consumers’ unencrypted health reports and raw genetic information in a publicly accessible cloud repository without implementing access controls or monitoring access;
- it stored consumers’ DNA results without any common identifying information, but did store DNA results with consumers’ names and other common identifying information;
- it would remove all consumer data following consumer data deletion requests, but lacked the capability to do so, as it did not maintain an inventory of consumers’ information in at least some instances; and
- it would destroy consumers’ physical DNA saliva samples shortly after analysis, but allegedly failed to contractually require its genotyping laboratory partner to destroy samples.
The Proposed Order
Under the proposed order, 1Health.io would, among other things, be required to:
- pay $75,000 in monetary relief;
- obtain affirmative express consent from consumers before disclosing any health information to third parties (with limited exceptions set forth in the proposed order);
- require contract laboratories to destroy all consumer DNA samples stored for more than six months;
- implement a comprehensive information security program to protect the security, confidentiality, and integrity of consumers’ personal information; and
- obtain initial and biennial information security assessments by a third party.
The proposed order also includes a novel requirement that 1Health.io immediately notify the FTC about any unauthorized access or acquisition of consumers’ personal health information. Notably, this provision mirrors requirements from the FTC’s Health Breach Notification Rule, notwithstanding the fact that the complaint did not allege a Health Breach Notification Rule violation.
Businesses that collect consumer health information, including genetic information, should consider taking the following actions:
- review data inventory, access control, encryption, and monitoring practices to protect sensitive consumer health information. Notably, this is at least the third time in the past year that the FTC has cited in its complaint a company’s failure to implement proper access controls to its Amazon Web Services (AWS) storage bucket;
- incorporate data minimization practices by collecting only strictly necessary information and automatically destroying physical biological samples after requisite analysis; and
- notify consumers and obtain affirmative consent prior to implementing material changes to privacy policies. Material changes include sharing consumers’ health information with a third party for marketing or advertising purposes.
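To make the first of these review points concrete, the following Python check is an added example (not part of this alert or of the FTC's filing) that audits a bucket configuration for the three failures the complaint alleges: no access controls, no encryption at rest, and no access monitoring. It assumes input dicts shaped like boto3's bucket-configuration responses rather than calling AWS, so it runs offline on the constructed samples.

```python
import json

# Added example, not from the FTC filing. Input dicts are constructed to mirror
# the shape of boto3's get_public_access_block, get_bucket_encryption,
# get_bucket_logging and get_bucket_policy responses; None means the API
# reported no configuration at all.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def policy_allows_anyone(policy_json):
    """True if an Allow statement in the bucket policy names Principal '*'."""
    for stmt in json.loads(policy_json or '{"Statement": []}')["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}):
            return True
    return False

def audit_bucket(cfg):
    """Findings for the three alleged failures: no access controls,
    no encryption at rest, no access monitoring."""
    findings = []
    pab = (cfg.get("public_access_block") or {}).get("PublicAccessBlockConfiguration", {})
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("access-control: public access block incomplete: " + ", ".join(missing))
    if policy_allows_anyone(cfg.get("policy")):
        findings.append("access-control: bucket policy allows Principal '*'")
    rules = (cfg.get("encryption") or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
        findings.append("encryption: no default server-side encryption")
    if not (cfg.get("logging") or {}).get("LoggingEnabled"):
        findings.append("monitoring: server access logging disabled")
    return findings

# Constructed sample: the state the complaint alleges, plus a policy that
# makes every object readable by anyone.
UNPROTECTED = {
    "public_access_block": None, "encryption": None, "logging": None,
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-health-reports/*"}]}),
}
# Constructed sample: the same bucket after remediation.
HARDENED = {
    "public_access_block": {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                   "TargetPrefix": "health-reports/"}},
    "policy": None,
}
```

Running `audit_bucket` on the unprotected sample yields four findings and on the hardened sample none; in practice the same dicts would come from the live boto3 calls named in the comment.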
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your compliance efforts related to consumer health information, please contact Tracy Shapiro, Haley Bavasi, Maneesha Mithal, Hale Melnick, Yeji Kim, or any member of the firm’s privacy and cybersecurity practice.