The DNA of privacy and the privacy of DNA – Federal Trade Commission News

Companies selling genetic testing products tout the benefits of DNA-based insights (learning more about health, lineage, and family tree) so that consumers can seek medical attention, customize their diet or exercise regimen, find long-lost relatives, or understand more about their background. But for consumers to realize benefits from DNA-based products or services, they need to be able to trust their accuracy and trust that the company's practices related to the DNA of privacy (data minimization, purpose limitations, retention limits, etc.) will protect the privacy of their DNA. Here are some lessons on privacy, data security, truth in advertising, and artificial intelligence (AI) drawn from a trio of FTC enforcement actions involving sellers of genetic testing products: CRI Genetics, 1Health/Vitagene, and Genelink.

Protecting biometric information, including genetic data, is a top FTC priority. Since announcing its Biometric Policy Statement in May 2023, the FTC has settled actions against two sellers of direct-to-consumer DNA testing kits. Why are these cases so important? Genetic data reveals sensitive information not only about consumers' health, characteristics, and ancestry, but also about their families. While some other data types can be stripped of identifying characteristics, that's not necessarily the case when it comes to genetic information. Where the sensitivity of the data is high, so too is the risk of harm, particularly in this era of increasing biometric surveillance. The FTC's actions in Amazon/Alexa and Ring to protect voice recordings and videos further illustrate this point. To stay on the right side of the law, heed the lessons from these cases.

Secure genetic data. In both 1Health/Vitagene (consumers may know the company as Vitagene) and Genelink, the FTC charged that sellers of genetic-based products had subpar data security. The FTC's Vitagene complaint alleges that the company didn't inventory its genetic data, so it wasn't even aware that it had stored some of it in a cloud storage bucket accessible to the public. In addition, the company allegedly didn't use access controls, didn't encrypt that publicly accessible data, didn't log or monitor access to it, and didn't remedy the problem even after receiving credible warnings. Genelink preceded Vitagene by about nine years, and yet there are eerie similarities. According to the Genelink complaint, the company maintained sensitive data in clear text, failed to limit employee and contractor access to sensitive data, failed to assess the risks to that data, and didn't include terms in the contract to require contractors to use safeguards and to allow Genelink to oversee their practices. The data practices described in both complaints are shoddy for any data, but especially for sensitive genetic information, where the risk of harm to consumers from exposure of that data is high. If you collect or store genetic data, you're on notice that the FTC expects security in line with the sensitivity of the data.

Secure customer accounts. Securing genetic data doesn't just mean good network security (although that's a must). It also means securing customer accounts through which a bad actor could access genetic data or other personal information. The more sensitive the data, the more valuable it may be to bad actors, which means customer accounts are likely targets for hackers. The Ring matter illustrates that point. According to the complaint, the home security camera company failed to take reasonable steps to secure customer accounts against common hacking techniques, including credential-stuffing attacks. (Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from one breached account to gain access to a consumer's other accounts.) The complaint alleges that Ring only used half-measures to prevent these attacks. For example, Ring made multi-factor authentication available to consumers, but didn't require them to use it, even though customer accounts were the gateway to highly sensitive information like stored videos and live streams of consumers in private spaces of their homes. If your customer accounts offer data thieves a similar gateway to sensitive data (for example, results from genetic testing), learn from the Ring case and properly secure those accounts.

Don't oversell: Can you support your accuracy claims about genetic testing? Be careful not to exaggerate your claims about your genetic testing product. There's a line between puffery and deception that you don't want to cross. According to the CRI Genetics complaint, the company, among other things, overstated the accuracy of its test results (accuracy greater than 99.9%) and falsified reviews. Here's the truth about DNA testing for ancestry: Companies estimate consumers' ancestry by comparing consumers' DNA with the companies' proprietary DNA reference data. Their algorithms predict consumers' ancestry, with varying margins of error. DNA testing for ancestry is, therefore, at best an estimation of ancestry, not a precise science. The Genelink complaint alleges that the company claimed its genetically customized nutritional supplements could treat diabetes, heart disease, arthritis, insomnia, and other health conditions, all without scientific support. When making claims about the accuracy of genetic testing or the purported benefits of DNA-related products, stick with reliable science. If you don't have a reasonable basis to support your claim, don't make it in the first place.

The FTC is watching how companies use, and claim to use, artificial intelligence. DNA algorithms are no exception. It's no secret that the FTC is focused on making sure that consumers can enjoy the benefits of AI without suffering substantial harms like bias, privacy invasions (Amazon/Alexa and Ring), or questionable accuracy (WealthPress, DK Automation, Automators AI). That holds true when it comes to DNA algorithms. In the CRI Genetics matter, the FTC alleged that the "patented" DNA algorithm the company touted in its ads was not in fact patented and didn't generate the highly accurate results the company claimed. In this age of AI, some companies may be tempted to use loose talk about AI and algorithms, perhaps as a means of conveying technological sophistication. Watch out. If you're promoting your AI or algorithm, make sure your claims don't deceive or otherwise harm consumers.

The FTC has a strong track record of challenging deceptive or unfair dark patterns, including when it comes to obtaining consent for the use and disclosure of genetic data. Recent enforcement actions like Amazon/Prime, Publishers Clearinghouse, and Vonage demonstrate the high priority the FTC places on challenging allegedly illegal dark patterns: manipulative designs that coerce consumers into decisions they wouldn't knowingly agree to make. The CRI Genetics matter reinforces this point. According to the complaint, the company used dark patterns (confusing pop-ups and directions, bogus rewards, claimed urgency) to push consumers into buying more. In the ongoing battle against illegal dark patterns, the orders in both CRI Genetics and Vitagene require the companies to obtain affirmative express consent (consent that precludes the use of dark patterns) for future uses or disclosures of genetic data. Companies are on notice that they shouldn't be using dark patterns to get consent.

Don't commit a foul when changing the rules of the game. The Vitagene order includes that affirmative express consent requirement because the company had allegedly changed its terms on a key issue, but the company didn't get real consent from consumers for this material retroactive change. According to the complaint, changing the rules of the game in the privacy policy was unfair, even though the company hadn't yet implemented the change. The bottom line is that consumers should know what to expect from your data practices. A bait-and-switch approach to collecting personal information (especially genetic data) doesn't fit with the FTC Act's requirements.

Nothing but the truth. According to the FTC's complaint in Vitagene, the company made detailed privacy promises (for example, about how it stored genetic data and destroyed genetic samples) but didn't deliver on those promises. The company made these promises prominently (a good thing!), including on a page dedicated to genetic privacy. But, according to the complaint, rather than storing genetic data without identifying information, it stored results with names and other personal information. When the time came to delete genetic data, the company couldn't delete it because it didn't even know where some of it was stored, meaning that it broke that promise, too. And the company failed to have a process in place (through contractual obligations, in particular) to ensure that third-party labs destroyed genetic samples after testing. The upshot: If you're selling genetic testing products (or any product, for that matter), you owe consumers nothing less than the truth.

The consequences for ignoring these warnings can be significant. In both recent genetic testing matters, the companies ended up paying substantial financial settlements, either as civil penalties under California state law (CRI Genetics) or for consumer redress (Vitagene). Furthermore, the orders in both cases required the companies to delete or destroy certain valuable biometric data or materials. These remedies were on top of other order provisions, such as prohibitions on misrepresentations, required notice to consumers of the FTC's action, mandates to obtain affirmative express consent for the future use or disclosure of genetic data, and a mandated security program with independent assessments. It's clear that the consequences of non-compliance with the FTC Act and other laws can be significant. Your best bet is to stay on the right side of the law by following these lessons.
