In 2017, Senator Chuck Schumer urged the Federal Trade Commission to investigate DNA testing companies in an effort to ensure that data collection and use practices comply with applicable privacy laws, including those that prohibit the sale of information contained in DNA databases to third-parties without consent.
Recent reports indicate that companies like 23andMe and Ancestry.com are currently being investigated by the FTC with regard to their privacy and data protection practices, including the manner in which personal genetic data is being utilized and disseminated.
Apparently, the investigation was indirectly revealed in conjunction with a Freedom of Information Act request. More specifically, the FTC denied the request by citing an exemption based upon the potential interference with law enforcement activities. The FTC typically refuses to comment on an active investigation.
Consumers must be clearly, conspicuously and accurately advised what information is collected, how it used, who it is shared with and how it is monetized. Additionally, privacy law requires companies that license or own consumer data to implement and maintain reasonable security measures, contractually require the same of third-party service providers and implement written disposal policies.
Last week, genealogy and DNA testing service MyHeritage announced that a security researcher found a file containing information on approximately 92 million users, including email addresses and hashed passwords. The company has stated that it has no reason to believe user data was compromised.
In his November 2017 letter, Sen. Schumer expressed that “…putting your most personal genetic information in the hands of third parties for their exclusive use raises a lot of concerns, from the potential for discrimination by employers all the way to health insurance. That’s why I am asking the Federal Trade Commission to take a serious look at this relatively new kind of service and ensure that these companies have clear, fair privacy policies and standards for all kinds of at-home DNA test kits. We don’t want to impede research but we also don’t want to empower those looking to make a fast buck or an unfair judgement off your genetic information. We can find the right balance here, and we must.”
Privacy and data security will continue to be a regulatory priority for the FTC for the foreseeable future, including the transparent disclosure of privacy practices, informed consent and the adequacy of disclosures. Recent investigations and enforcement actions unambiguously demonstrate the seriousness of a company’s failure to obtain informed consent or failure to disclose data collection and sharing practices.
Contact the author at firstname.lastname@example.org.
Richard B. Newman is an FTC defense lawyer at Hinch Newman LLP focusing on interactive advertising matters. His practice includes conducting legal compliance reviews of advertising campaigns, and representing clients in investigations and government litigation matters. Follow him in LinkedIn.
Informational purposes only. These materials are not legal advice, nor do they create a lawyer-client relationship. Do not act or rely on any information contained herein without seeking the advice of an attorney. Previous results do not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.