Privacy of Biometrics and DNA: Lessons from Recent Enforcement Actions

Biometric information, including DNA, is highly sensitive because it cannot be changed once compromised and its misuse has lasting consequences. DNA carries heightened risk beyond that of other biometrics because it reveals information not only about an individual's health, characteristics, and ancestry, but also about that individual's relatives. Over the past year, the Federal Trade Commission (FTC) has taken enforcement actions against companies that process biometric information, including DNA. These recent enforcement actions provide valuable lessons on privacy, data security, and advertising with respect to biometric information, and DNA in particular.

FTC Priorities

For starters, the FTC’s recent enforcement actions indicate that protecting biometric information is a top priority for the FTC. This is further supported by the FTC’s May 2023 policy statement on the recent proliferation of technology using biometric information and the concerns it raises for consumer privacy, data security, and the potential for bias and discrimination. In this policy statement, the FTC avowed that it is committed to combatting unfair or deceptive acts and practices related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies. The FTC subsequently settled multiple actions against sellers of DNA testing kits and voice-enabled home devices.

Heightened Risk Necessitates Heightened Security

The FTC has made it clear that it expects security in line with the sensitivity of the data, because the more sensitive the data, the greater the risk of harm to consumers. In a June 2023 settlement against a genetic testing company, the FTC found that the company left sensitive genetic and health data unsecured, contrary to claims of “Rock-solid security” and storage of personal information “in a responsible, transparent and secure environment.” According to the complaint, the company stored sensitive data in publicly accessible “buckets” in its Amazon Web Services cloud and did not encrypt that data, restrict access to it, or log or monitor access to it. In its settlement agreement with the FTC, the company agreed to pay $75,000 and take certain corrective actions, including implementing a comprehensive information security program addressing the security failures outlined in the complaint.
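The complaint above names three concrete failures for the storage bucket: public accessibility, no encryption, and no access logging. The Terraform configuration below is an added illustration written for this alert, not code from the company in the complaint, the FTC, or any real deployment. It places the weak configuration beside a corrected one that blocks public access, encrypts objects at rest with a customer-managed KMS key, enables server access logging, and restricts access to a single processing role. All bucket names are placeholders, and `var.processing_role_arn` is an assumed input supplied by the operator.

```hcl
# Input assumed for this example: the ARN of the only IAM role that should read or write the data.
variable "processing_role_arn" {
  type = string
}

# ---- Weak configuration (constructed to mirror the failures described in the complaint) ----
# Public access blocks disabled and a bucket policy granting read to everyone: anyone on the
# internet can fetch objects. No encryption or logging resources are declared at all.
resource "aws_s3_bucket" "genetic_data_weak" {
  bucket = "example-genetic-data-weak" # placeholder name
}

resource "aws_s3_bucket_public_access_block" "genetic_data_weak" {
  bucket                  = aws_s3_bucket.genetic_data_weak.id
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_policy" "genetic_data_weak" {
  bucket = aws_s3_bucket.genetic_data_weak.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"                                      # world-readable
      Action    = "s3:GetObject"
      Resource  = "${aws_s3_bucket.genetic_data_weak.arn}/*"
    }]
  })
}

# ---- Corrected configuration ----
resource "aws_s3_bucket" "genetic_data" {
  bucket = "example-genetic-data-hardened" # placeholder name
}

# 1. Restrict access: block every form of public exposure and disable ACLs entirely.
resource "aws_s3_bucket_public_access_block" "genetic_data" {
  bucket                  = aws_s3_bucket.genetic_data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_ownership_controls" "genetic_data" {
  bucket = aws_s3_bucket.genetic_data.id
  rule {
    object_ownership = "BucketOwnerEnforced" # ACLs no longer apply; only policies grant access
  }
}

# 2. Encrypt at rest with a customer-managed key so access can be revoked and audited at the key.
resource "aws_kms_key" "genetic_data" {
  description         = "Key for genetic data bucket (example)"
  enable_key_rotation = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "genetic_data" {
  bucket = aws_s3_bucket.genetic_data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.genetic_data.arn
    }
    bucket_key_enabled = true
  }
}

# 3. Log access: server access logs go to a separate bucket that the data bucket cannot overwrite.
resource "aws_s3_bucket" "access_logs" {
  bucket = "example-genetic-data-access-logs" # placeholder name
}

resource "aws_s3_bucket_logging" "genetic_data" {
  bucket        = aws_s3_bucket.genetic_data.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "s3-access/"
}

# 4. Least privilege: deny unencrypted transport, allow only the processing role.
resource "aws_s3_bucket_policy" "genetic_data" {
  bucket = aws_s3_bucket.genetic_data.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.genetic_data.arn, "${aws_s3_bucket.genetic_data.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
      {
        Sid       = "AllowProcessingRoleOnly"
        Effect    = "Allow"
        Principal = { AWS = var.processing_role_arn }
        Action    = ["s3:GetObject", "s3:PutObject"]
        Resource  = "${aws_s3_bucket.genetic_data.arn}/*"
      }
    ]
  })
}
```

The log bucket needs its own policy permitting the S3 logging service to write to it, and server access logs are delivered on a best-effort basis; for a complete audit trail of object reads, enable CloudTrail data events for the bucket as well. Each of the four numbered groups maps to one of the failures the complaint describes, which is the order in which a reviewer would check an existing deployment.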

Ensure Accuracy and Honesty

The FTC also took issue with claims by genetic testing companies that lacked scientific support, holding true to its general principle that if a company does not have a reasonable basis to support a claim, it should not make the claim in the first place. Because consumers may rely heavily on claims about the accuracy of genetic testing or the purported health benefits of DNA-related products, those claims must rest on reliable science. More generally, the FTC also highlighted the need for companies to stand behind their privacy promises. For example, the FTC asserted that a company that prominently made detailed promises about how it stored genetic data and destroyed genetic samples failed to deliver on those promises when it could not identify where it stored the data and had no process in place to ensure that third-party labs destroyed samples after testing. From these actions, the FTC summarized its concerns into one simple lesson: “If you’re selling genetic testing products (or any product, for that matter), you owe consumers nothing less than the truth.”

Be Transparent

The FTC also warns that the contents of a company’s privacy policy must be transparent, and that a company cannot cure a lack of transparency after the fact without fulfilling its responsibility to the consumers it already affected. For example, when one company’s privacy policy failed to adequately disclose the types of third parties who may receive a consumer’s genetic data, it was insufficient to change the policy without notifying consumers who had previously shared data with the company or obtaining their consent to share such sensitive information. As explained by the FTC, “the bottom line is that consumers should know what to expect from your data practices.”

Additional Sensitivity of Children’s Data

While the FTC raised issues generally with a voice-enabled home device company’s failure to delete, and lengthy retention of, voice recordings for its own training purposes, it found heightened concerns when these practices involved the voice recordings of children, triggering violations of the Children’s Online Privacy Protection Act along with the FTC Act. The FTC said the company failed to ensure that it honored users’ data deletion requests and to give parents meaningful notice about deletion. The FTC noted that children’s speech patterns and accents differ from those of adults, so the unlawfully retained voice recordings provided the company with a valuable database for training its algorithm to understand children, which benefited its bottom line, but only at the expense of children’s privacy.

The FTC’s enforcement priorities with respect to biometric information, including DNA, are expected to continue, especially as biometrics-driven technologies become more widespread. Data privacy and security are evolving areas, with industry standards adapting as threats and risks change and grow. The FTC warns that companies must stay vigilant in protecting sensitive data and stand behind their promises to consumers. If you need assistance complying with biometric information laws or evaluating privacy and security of biometric information, please contact one of the authors of this alert.