Navigating the Intersection of DNA Data and Privacy: Insights from the FTC

On January 5, 2024, the Federal Trade Commission (FTC) published an article discussing privacy issues related to the DNA information that many consumers provide to genetic testing companies. This post outlines key takeaways from the article and recent FTC enforcement actions, emphasizing the privacy implications for consumers and the responsibilities of businesses operating in this space.

For background, the FTC issued a Policy Statement on May 18, 2023, which outlined its position on the use and retention of consumers’ biometric information (i.e., data about a person’s biological or behavioral traits, characteristics, or measurements). The Policy Statement covers information about a person’s DNA from genetic testing as well as information taken from facial, iris and fingerprint-recognition technologies. It describes when the FTC will bring enforcement actions for unsubstantiated claims about the accuracy of biometric information services or improper use of consumers’ biometric data.

The FTC has since prioritized biometric data claims, bringing enforcement actions and recently announcing settlements in cases against sellers of direct-to-consumer DNA testing kits. In two of these cases, the FTC accused the sellers of having subpar data security—alleging that they failed to encrypt customers’ genetic data and failed to monitor who accessed it. One of the sellers also failed to inventory its customers’ genetic data and did not realize it was published in a publicly accessible, cloud-based location. In yet another case, the FTC accused the seller of falsifying customer reviews and misrepresenting the accuracy of its testing products, while at the same time selling supplements to customers based on their DNA test results, which it claimed (without scientific support) would treat various diseases.

Based on this history and the FTC’s recent article, here are the key takeaways for companies dealing with DNA and other biometric data:

  • Secure Genetic Data and Customer Accounts. Recent enforcement actions underscore the need for robust security of genetic and other biometric data, as well as any customer accounts where that data may be stored. At a minimum, this requires appropriately encrypting biometric data and keeping track of when and how that data is accessed by anyone other than the customer.
  • Be Accurate and Truthful in Advertising. Companies must avoid overstating the accuracy of genetic testing products or the benefits of any related products they sell based on test results. The FTC has emphasized the importance of substantiation and basing claims on reliable science—and being able to back them up when requested.
  • Avoid Deceptive “Dark Patterns” for Getting Consent. The FTC condemns the use of “Dark Patterns,” i.e., manipulative practices to coerce consumers into decisions they would not normally make, particularly when it comes to biometric data. In one recent case, the FTC accused a genetic testing company of using confusing pop-ups, bogus “rewards,” and false claims of urgency to pressure consumers into buying more. When consumers made those purchases, the company did not disclose—or get consent for—how it would use and share consumers’ data. In its settlement with the FTC, the company agreed not only to disclose when it collects DNA information and how it will use that information, separate from a general privacy policy, but also to obtain express, affirmative consent each time.
  • Refresh Consent When Policies Change. In one recent case, the FTC alleged that a seller of genetic testing kits obtained consent from its customers for its privacy policy but then made a significant change to the policy, which applied retroactively, without getting consent for that change. This highlights that companies must obtain explicit consent for material changes in their data practices, particularly when handling sensitive genetic data.
  • Be Truthful About Data Practices. Relatedly, in the same case referenced above concerning privacy practices, the FTC charged that the company made detailed promises about its data practices but failed to follow through. Among other things, it allegedly failed to secure agreements requiring third-party labs to destroy customers’ DNA samples after they were tested. The FTC has stressed that when a company makes promises about its data handling and privacy practices, they must be fulfilled.
  • Be Careful with Artificial Intelligence and Genetic Algorithms. The FTC also noted that it is scrutinizing claims related to AI and genetic algorithms, focusing on preventing bias, avoiding privacy invasions, and ensuring accuracy.

Consumers should also be aware of the privacy risks associated with DNA testing and the potential misuse of their genetic data. The FTC is actively pursuing these cases, as its recent enforcement actions demonstrate, but the complaints often concern activities going back several years. For many consumers, the benefits of at-home genetic testing may outweigh the risks, but it’s important to be aware of the risks before any issues arise.

