The order signals the FTC’s continued efforts to broaden enforcement for consumer health data. The order also suggests a broader definition of health data than existing law provides, including any individually identifiable information concerning the “propensity” of an individual to develop a health condition.
Background and Allegations Against 1Health.io
1Health.io markets DNA health test kits; after submitting DNA samples, consumers may receive information relating to their health, wellness, and ancestry. Based on these DNA samples and a consumer’s responses to a questionnaire seeking health information, the company also markets health reports on a consumer’s likelihood of developing certain diseases based on their genetic makeup, and offers personalized nutritional, fitness, and beauty products and subscriptions.
The final order requires 1Health.io to take several remedial measures, and to provide existing customers with options to effectuate the deletion of their data and to potentially seek a refund for their product purchases.
Among its remedial measures, the order requires 1Health.io to pay $75,000 in monetary relief, obtain affirmative express consent prior to disclosing health data to third parties, and instruct its contracted third-party laboratories to destroy any DNA samples they retained past 180 days and provide written confirmation to the FTC of such deletions. The order also requires 1Health.io to create and maintain a comprehensive security program (subject to various certification and assessment requirements), notify the FTC of any security incidents related to health data, and undertake initial and biennial privacy assessments by an independent, third-party assessor for 20 years.
The FTC’s order against 1Health.io reinforces many of its prior concerns related to health data, and suggests the following takeaways:
- Companies looking to update their privacy policies should evaluate whether such changes constitute material retroactive changes, along with any applicable notice and consent requirements.
- Companies should evaluate whether their current security practices align with any public-facing representations, including in their privacy policies.
- Companies should audit their contracts with service providers and business partners to determine whether the company can fulfill its public-facing representations concerning its data practices.
- Companies that collect or generate information about the “propensity” of an individual to develop a health condition, including any predictions about likely physical or mental health conditions associated with an individual, should consider additional review of their privacy and security practices to confirm they comply with state and federal privacy and security requirements.