The crux of the order stems from allegations that 1Health.io:
- Failed to adequately protect sensitive genetic and health data.
- Misled consumers regarding their ability to have their data removed.
- Changed its privacy policy retroactively without properly notifying and obtaining the consent of its users.
Specific Allegations
The
- Data Sharing Practices: Contrary to its publicly-stated commitments, 1Health.io did not restrict the sharing of sensitive data as promised.
- DNA Sample Retention: The company did not destroy consumers' DNA samples promptly post-analysis as assured.
- Data Storage: 1Health.io stored DNA results with identifiable consumer information and failed to remove this data upon consumers' requests.
- Lack of Security: Despite advertising "rock-solid security", 1Health.io stored unencrypted health and genetic data in publicly accessible locations.
- Retroactive Privacy Policy Changes (2020): The company expanded the categories of third parties with whom it could share consumers' data without prior notice or consumer consent.
Settlement Terms
- Monetary Penalty: 1Health.io will pay $75,000, intended for use by the FTC for consumer refunds.
- DNA Sample Destruction: The company must instruct third-party laboratories to destroy all retained consumer DNA samples older than 180 days.
- Data Sharing Restrictions: 1Health.io is prohibited from sharing health data with third parties without receiving clear and affirmative consent from consumers. This also applies to data provided by consumers before the 2020 privacy policy alterations.
- Incident Reporting: Any unauthorized disclosure of consumer health data must be promptly reported to the FTC.
- Comprehensive Security Measures: The company must roll out a robust information security program to address the security failures identified in the FTC's complaint.
Lessons Learned & Practical Advice for Companies
- Transparent Data Practices: Confirm that any promises or claims made to consumers about data privacy and security are accurate, transparent, and consistently implemented.
- Clear Communication: If there is a need to amend privacy policies, especially in ways that may expand data-sharing, provide timely and clear notifications to affected consumers and obtain their explicit consent.
- Data Security Protocols: Regularly review and enhance data security measures to minimize the risk of potential breaches and unauthorized access. Consider periodic third-party audits to maintain compliance and security robustness.
- Retention Practices: Establish and adhere to a defined data retention policy, confirming that unnecessary data is promptly and securely disposed of.
- Stay Updated: Be aware of evolving regulations and guidelines related to data privacy and security, especially in sensitive industries like genetic testing. Regularly check resources like consumer.ftc.gov and ReportFraud.ftc.gov to stay informed.
Conclusion
The
© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source