The Federal Trade Commission recently published a blog post regarding the privacy of DNA.

What do you need to know?

  • Protecting biometric information – including genetic data – is a top FTC priority. (See FTC Biometric Policy Statement from May 2023). These cases can and have involved serious penalties, a requirement to delete biometrics data, requirements to get affirmative express consent in the future, a mandated security program and more.
  • Genetic data is sensitive. While some other data types can be stripped of identifying characteristics, that’s not necessarily the case when it comes to genetic information. Here the sensitivity of the data is high, as is the risk of harm (particularly in this era of increasing biometric surveillance).
  • Secure genetic data in line with the heightened sensitivity of this data.
  • Secure customer accounts — you must take reasonable steps to secure customer accounts against common hacking techniques, including credential-stuffing attacks. Consider whether two-factor authentication should be mandatory (check the Ring case for guidance).
  • Your accuracy claims about genetic testing much be correct. DNA testing for ancestry is, therefore — at best — an estimation of ancestry, not a precise science. Stick to reliable science for all claims you make.
  • The FTC is watching how companies use — and claim to use — Artificial Intelligence. DNA algorithms are no exception. If you’re promoting your AI or algorithm, make sure your claims don’t deceive or otherwise harm consumers.
  • The FTC has a strong track record of challenging deceptive or unfair dark patterns, including when it comes to obtaining “consent” for the use and disclosure of genetic data
  • You can’t make material retroactive changes in your privacy notice.
  • Don’t lie. Ever. Review your privacy notice to make sure that it is clear, complete and accurate.