Vitagene, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

Issuing agencies

Abstract

The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 120 (Friday, June 23, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 120 (Friday, June 23, 2023)]
[Notices]
[Pages 41104-41107]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-13329]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 192 3170]


Vitagene, Inc.; Analysis of Proposed Consent Order To Aid Public 
Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of Federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis of Proposed Consent Order to Aid 
Public Comment describes both the allegations in the complaint and the 
terms of the consent order--embodied in the consent agreement--that 
would settle these allegations.

DATES: Comments must be received on or before July 24, 2023.

ADDRESSES: Interested parties may file comments online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Please write ``Vitagene, Inc.; 
File No. 192 3170'' on your comment and file your comment online at 
<a href="https://www.regulations.gov">https://www.regulations.gov</a> by following the instructions on the web-
based form. If you prefer to file your comment on paper, please mail 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex V), 
Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: James Trilling (202-326-3497), or 
Elisa Jillson (202-326-3001), Attorneys, Division of Privacy and 
Identity Protection, Bureau of Consumer Protection, Federal Trade 
Commission, 600 Pennsylvania Ave. NW, Washington, DC 20580.

[[Page 41105]]


SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule Sec.  2.34, 16 CFR 
2.34, notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of 30 days. The following 
Analysis to Aid Public Comment describes the terms of the consent 
agreement and the allegations in the complaint. An electronic copy of 
the full text of the consent agreement package can be obtained at 
<a href="https://www.ftc.gov/news-events/commission-actions">https://www.ftc.gov/news-events/commission-actions</a>.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before July 24, 2023. 
Write ``Vitagene, Inc.; File No. 192 3170'' on your comment. Your 
comment--including your name and your state--will be placed on the 
public record of this proceeding, including, to the extent practicable, 
on the <a href="https://www.regulations.gov">https://www.regulations.gov</a> website.
    Because of heightened security screening, postal mail addressed to 
the Commission will be subject to delay. We strongly encourage you to 
submit your comments online through the <a href="https://www.regulations.gov">https://www.regulations.gov</a> 
website. If you prefer to file your comment on paper, write ``Vitagene, 
Inc.; File No. 192 3170'' on your comment and on the envelope, and mail 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex V), 
Washington, DC 20580.
    Because your comment will be placed on the publicly accessible 
website at <a href="https://www.regulations.gov">https://www.regulations.gov</a>, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. In particular, your comment should not include sensitive 
personal information, such as your or anyone else's Social Security 
number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure your comment does not include 
sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule Sec.  
4.10(a)(2), 16 CFR 4.10(a)(2)--including competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule Sec.  4.9(c). In 
particular, the written request for confidential treatment that 
accompanies the comment must include the factual and legal basis for 
the request and must identify the specific portions of the comment to 
be withheld from the public record. See FTC Rule Sec.  4.9(c). Your 
comment will be kept confidential only if the General Counsel grants 
your request in accordance with the law and the public interest. Once 
your comment has been posted on the <a href="https://www.regulations.gov">https://www.regulations.gov</a> 
website--as legally required by FTC Rule Sec.  4.9(b)--we cannot redact 
or remove your comment from that website, unless you submit a 
confidentiality request that meets the requirements for such treatment 
under FTC Rule Sec.  4.9(c), and the General Counsel grants that 
request.
    Visit the FTC website at <a href="http://www.ftc.gov">http://www.ftc.gov</a> to read this document 
and the news release describing the proposed settlement. The FTC Act 
and other laws the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
it receives on or before July 24, 2023. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see <a href="https://www.ftc.gov/site-information/privacy-policy">https://www.ftc.gov/site-information/privacy-policy</a>.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (the ``Commission'') has accepted, 
subject to final approval, an agreement containing a consent order from 
1Health.io Inc. (formerly known as, and doing business as, Vitagene, 
Inc.) (``Vitagene''). The proposed consent order (``proposed order'') 
has been placed on the public record for 30 days for receipt of 
comments from interested persons. Comments received during this period 
will become part of the public record. After 30 days, the Commission 
again will review the agreement and the comments received, and will 
decide whether it should withdraw from the agreement or make final the 
agreement's proposed order.
    Since 2015, Vitagene has sold ``DNA Health Test Kits'' to 
consumers. In each DNA Health Test Kit, Vitagene instructs the consumer 
to provide a saliva sample by mail. Vitagene contracts with a testing 
lab to analyze the sample and map a portion of the consumer's genetic 
code.
    Vitagene combines the testing lab's DNA analysis with the 
consumer's answers to an online ``health questionnaire'' that probes 
the individual's health history, lifestyle, and family health history. 
Using this information, Vitagene generates reports about the consumer's 
health and wellness (``Health Reports'') and ancestry. Vitagene also 
sells to the consumer Health Reports that it creates by using the 
consumer's answers to an online ``lifestyle questionnaire'' and raw DNA 
data that the consumer sends to Vitagene after the consumer has 
obtained DNA tests from certain companies other than Vitagene. The 
retail cost for a package that includes a Health Report has ranged from 
$29 to $259, with higher-priced packages including add-ons such as 
subscriptions to personalized vitamin packs and nutritional coaching.
    The Health Reports that Vitagene creates contain numerous facts 
about the consumer's genetics and health. For example, one type of 
Health Report first lists the consumer's name, date of birth, and 
referring doctor or dietician, and then identifies salient genotype 
data, pertinent questionnaire answers, and, based on the genotype data 
and questionnaire answers, the level of risk for having or developing 
certain health conditions, such as high LDL cholesterol, high 
triglycerides, obesity, or blood clots.
    As part of its information technology infrastructure, Vitagene 
stores consumers' health and genetic information in the Amazon Web 
Services (``AWS'') Simple Storage Service (the ``Amazon S3 Datastore'') 
in virtual containers, called ``buckets.'' The files Vitagene has 
stored in Amazon S3 Datastore buckets include, among other things, 
consumers' Health Reports; genotype data called single-nucleotide 
polymorphisms (``SNPs''), which are the most common type of genetic 
variation among people; and other raw genotype data.
    The proposed complaint alleges that, despite the fact that Vitagene 
has stored consumers' sensitive personal information in the Amazon S3 
Datastore, Vitagene did not uniformly apply basic safeguards to the 
data in each of its Amazon S3 Datastore buckets. In particular, the 
proposed complaint alleges that, in or about 2016,

[[Page 41106]]

Vitagene created a publicly accessible bucket in which the company 
stored Health Reports for at least 2,383 consumers and a publicly 
accessible bucket in which it stored raw genetic data (sometimes 
accompanied by first name) for at least 227 consumers. The proposed 
complaint alleges that Vitagene's failure to use access controls to 
restrict access to this sensitive data, encrypt it, log or monitor 
access to it, or inventory it, to help ensure ongoing security resulted 
in Vitagene publicly exposing the data until July 2019. According to 
the proposed complaint, between July 2017 and June 2019, Vitagene 
received at least three warnings that it was storing consumers' 
unencrypted health, genetic, and other personal information in publicly 
accessible buckets.
    The proposed complaint alleges Vitagene changed its name from 
Vitagene, Inc. to 1Health.io Inc. in October 2020. According to the 
proposed complaint, the company published revised privacy policies in 
April and December 2020 that apply to all the company's customers, 
including those who purchased products and services from the company 
solely before April 2020. The proposed complaint alleges that, compared 
to Vitagene's previous privacy policy, the company's 2020 privacy 
policies significantly expand the types of third parties with whom, and 
the purposes for which, the company may share consumers' sensitive 
personal information. The company did not provide direct notice to 
consumers of the change, but it also did not implement the expanded 
sharing.
    The proposed five-count complaint alleges that Vitagene violated 
section 5(a) of the FTC Act by misrepresenting the company's data 
security and privacy practices, and by unfairly making material 
retroactive changes to the company's policies regarding third-party 
sharing of sensitive personal information.
    Proposed complaint Count I alleges Vitagene deceived consumers by 
misrepresenting that it exceeded industry-standard security practices. 
On a web page that Vitagene devoted to describing its privacy 
practices, Vitagene claimed that ``[w]e use the latest technology and 
exceed industry-standard security practices to protect your privacy.'' 
The proposed complaint alleges that Vitagene's public exposure of 
consumers' Health Reports, raw genetic data, and other personal 
information in AWS S3 buckets until July 2019 contradicted this claim.
    Proposed complaint Count II alleges Vitagene deceptively claimed on 
multiple web pages that it stored consumers' DNA results without name 
or any other common identifying information. The proposed complaint 
alleges that this claim was deceptive because Vitagene stored 
consumers' DNA results with their names and other common identifying 
information.
    Proposed complaint Count III alleges Vitagene deceptively claimed 
that it would remove all of a consumer's information if the consumer 
requested deletion of his or her data. Vitagene made this claim on a 
web page that Vitagene devoted to describing its privacy practices. The 
proposed complaint alleges that the claim was deceptive because, from 
approximately 2016 through July 1, 2019, Vitagene's lack of a data 
inventory made it impossible for the company to search comprehensively 
in response to consumers' requests for Vitagene to delete their data.
    Proposed complaint Count IV alleges Vitagene deceived consumers by 
claiming on multiple web pages that it destroys consumers' physical DNA 
saliva samples shortly after analysis of them. The proposed complaint 
alleges that this claim was deceptive because, beginning in 
approximately December 2016, Vitagene did not have a contract provision 
with its genotyping laboratory partner requiring such destruction.
    Proposed complaint Count V alleges it was unfair for Vitagene to 
post on its websites in April and December 2020 revised privacy 
policies that describe materially expanded practices for the company's 
sharing of consumers' sensitive health and genetic information with 
third parties--including the information of consumers who purchased 
products and services from Vitagene solely before April 2020--without 
taking any additional steps to notify consumers or obtain consumers' 
consent.
    The proposed order contains provisions to address Vitagene's 
conduct and prevent it from engaging in the same or similar acts or 
practices in the future. Part I of the proposed order prohibits 
Vitagene from misrepresenting (1) the extent to which it meets or 
exceeds industry-standard security or privacy practices, (2) the extent 
to which it stores any Health Information (as defined in the order) 
with any other element of Personal Information (as also defined in the 
order), (3) the extent to which, or the purposes for which, it 
collects, uses, discloses, maintains, deletes, or destroys a consumer's 
(i) physical DNA sample or (ii) Personal Information upon request, (4) 
it is a member of, adheres to, complies with, is certified by, or 
otherwise participates in, any privacy or security program sponsored by 
a government entity or third party, (5) the extent to which it 
otherwise protects the privacy, security, availability, 
confidentiality, or integrity of Personal Information, or (6) it has 
received approval or authorization for its claims, products, or 
services from any government agency.
    Part II prohibits Vitagene from disclosing Health Information to 
any Third Party (as defined in the order) unless the company obtains 
the Affirmative Express Consent (as also defined in the order) of the 
individual who is identifiable by the Health Information. Part III 
requires Vitagene to instruct any laboratory that collected physical 
DNA samples pursuant to a contract with Vitagene to destroy any such 
sample that the laboratory retained for more than 180 days after 
Vitagene accepted the results of the analysis of the sample.
    Part IV requires Vitagene to establish, implement, and maintain a 
comprehensive information security program that protects the security, 
confidentiality, and integrity of Personal Information. Part V requires 
Vitagene to obtain initial and biennial data security assessments from 
a third-party assessor for twenty years. Part VI requires Vitagene to 
disclose all material facts to the assessor and prohibits Vitagene from 
misrepresenting any fact material to the assessments required by Part 
V.
    Part VII requires Vitagene to submit to the Commission an annual 
certification that Vitagene has implemented the requirements of the 
Order and is not aware of any material noncompliance that has not been 
corrected or disclosed to the Commission. Part VIII requires Vitagene 
to submit a report to the Commission if it discovers any Covered 
Incident (as defined in the order).
    Part IX requires Vitagene to pay $75,000 in monetary relief. Part X 
provides that the Commission may use Vitagene's monetary relief payment 
to provide, and pay expenses related to the administration of, consumer 
redress. Part XI requires Vitagene to provide the Commission customer 
information to enable the Commission to efficiently administer consumer 
redress.
    Parts XII-XV are reporting and compliance provisions. Part XII 
requires Vitagene to acknowledge receipt of the order and distribute it 
to persons with responsibilities relating to the subject matter of the 
order. Part XIII requires Vitagene to submit an initial compliance 
report to the Commission and notify the Commission of changes in 
Vitagene's corporate status. Part XIV requires Vitagene to create and 
retain certain documents relating to its compliance

[[Page 41107]]

with the order. Part XV requires that Vitagene provide the Commission 
additional information or compliance reports, as requested. Part XVI 
states that the proposed order will remain in effect for 20 years, with 
certain exceptions.
    The purpose of this analysis is to aid public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the complaint or proposed order, or to modify in any 
way the proposed order's terms.

    By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2023-13329 Filed 6-22-23; 8:45 am]
BILLING CODE 6750-01-P


</pre></body>
</html>