A recent enforcement action by the Federal Trade Commission (“FTC”) against 1Health.io—which sells “DNA Health Test Kits” to consumers for health and ancestry insights—serves as a reminder that the FTC is increasingly exercising its consumer protection authority in the context of privacy and data protection. This is especially true where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not reach. The FTC’s settlement with 1Health.io highlights a wide-range of privacy and security issues companies should consider relating to best practices for updating privacy policies, data retention policies, configuration of cloud storage and vendor management, especially when handling sensitive genetic data. 

Alleged Privacy and Security Violations

The FTC alleged 1Health.io committed a number of violations. One noteworthy allegation was that 1Health.io’s “material” change to its privacy policy, which had retroactive effect without additional notice or consent, was an unfair act or practice. This is consistent with the FTC’s position in prior cases. The policy change at issue involved expanding the categories of third parties with whom the company shares consumers’ data to include pharmacies, supermarket chains, nutrition and supplement manufacturers, and other providers and retailers. The FTC alleged these material changes harmed consumers who provided personal information predicated on an earlier version of the privacy policy, but who were not subsequently given appropriate notice, nor asked to consent to the newer expanded data sharing language. 

The FTC also alleged that 1Health.io stored customers’ genetic data in a publicly accessible “bucket” provided by Amazon Web Services (“AWS”), despite being notified of such during a penetration test of its web application, and by AWS itself. According to the complaint, in an email to 1Health.io, AWS warned 1Health.io that one or more of its storage buckets was “configured to allow read access from any user on the Internet.” 1Health.io allegedly did not correct the issue in time—about two years later, a “security researcher” sent 1Health.io a link to the publicly accessible data, but also notified the news media, resulting in numerous complaints from customers.

The FTC further alleged that, among other things, the public accessibility of consumer information resulted in a false or misleading statement in 1Hleath.io’s privacy policy.  Specifically, the FTC alleged that, because 1Health.io did not have an “inventory” of the data stored in the public AWS bucket, “in at least some instances, [1Health.io] could not delete all consumer information for consumers who requested deletion of their data,” as it promised to do in its privacy policy.

Additionally, according to the complaint, 1Health.io’s FAQs stated that DNA saliva samples would be destroyed after analysis. However, the FTC alleged that the company failed to require one of its vendors—a genotyping laboratory partner—to destroy saliva samples after they were analyzed.

Lessons Learned

There are several takeaways from the 1Health.io action. First, companies should carefully consider implications when making “material” changes to privacy policies governing consumers’ data, especially when sensitive data is implicated. While logistically challenging, in some situations, consent should be considered to minimize risk. Second, companies should carefully, and periodically, review data shared with vendors, including cloud providers, to ensure such vendor systems are configured to secure data from unauthorized access. Simple changes can minimize the risk of security incidents. Third, public-facing statements in privacy policies and even FAQs should always be consistent with business practices. Finally, companies ought to establish, communicate and abide by appropriate retention policies for consumer data.

These lessons learned are important to companies to consider when developing data governance programs guided by good data stewardship principles and fair information practices. You can learn more about developing a “Culture of Data Governance” by clicking the link here.