On January 5, 2024, the Federal Trade Commission (FTC) published an article discussing privacy issues related to the DNA information that many consumers provide to genetic testing companies. This post outlines key takeaways from the article and recent FTC enforcement actions, emphasizing the privacy implications for consumers and the responsibilities of businesses operating in this space.
For background, the FTC issued a Policy Statement on May 18, 2023, which outlined its position on the use and retention of consumers’ biometric information (i.e., data about a person’s biological or behavioral traits, characteristics, or measurements). The Policy Statement covers information about a person’s DNA from genetic testing as well as information taken from facial, iris and fingerprint-recognition technologies. It describes when the FTC will bring enforcement actions for unsubstantiated claims about the accuracy of biometric information services or improper use of consumers’ biometric data.
The FTC has since prioritized biometric data claims, bringing enforcement actions and recently announcing settlements in cases against sellers of direct-to-consumer DNA testing kits. In two of these cases, the FTC accused the sellers of having subpar data security, alleging that they failed to encrypt customers’ genetic data and failed to monitor who accessed it. One of the sellers also failed to inventory its customers’ genetic data and did not realize that the data was published in a publicly accessible, cloud-based location. In yet another case, the FTC accused the seller of falsifying customer reviews and misrepresenting the accuracy of its testing products, while at the same time selling supplements to customers based on their DNA test results, which it claimed (without scientific support) would treat various diseases.
Based on this history and the FTC’s recent article, here are the key takeaways for companies dealing with DNA and other biometric data:
- Secure Genetic Data and Customer Accounts. Recent enforcement actions underscore the need for robust security of genetic and other biometric data, as well as any customer accounts where that data may be stored. At a minimum, this requires appropriately encrypting biometric data and keeping track of when and how that data is accessed by anyone other than the customer.
- Be Accurate and Truthful in Advertising. Companies must avoid overstating the accuracy of genetic testing products or the benefits of any related products they sell based on test results. The FTC has emphasized the importance of substantiation, of basing claims on reliable science, and of being able to back those claims up when requested.
- Be Truthful About Data Practices. Relatedly, in the same case referenced above concerning privacy practices, the FTC charged that the company made detailed promises about its data practices but failed to follow through. Among other things, it allegedly failed to secure agreements requiring third-party labs to destroy customers’ DNA samples after they were tested. The FTC has stressed that when a company makes promises about its data handling and privacy practices, those promises must be fulfilled.
- Be Careful with Artificial Intelligence and Genetic Algorithms. The FTC also noted that it is scrutinizing claims related to AI and genetic algorithms, focusing on preventing bias, avoiding privacy invasions, and ensuring accuracy.
Consumers should also be aware of the privacy risks associated with DNA testing and the potential misuse of their genetic data. The FTC is actively pursuing these cases, as its recent enforcement actions demonstrate, but the complaints often concern activities going back several years. For many consumers, the benefits of at-home genetic testing may outweigh the risks, but it’s important to be aware of the risks before any issues arise.