Dear Chair Khan and Commissioners Slaughter and Bedoya,
By notice published June 23, 2023, the Federal Trade Commission (FTC) announced its proposed consent order and settlement with Vitagene, Inc., for Vitagene’s alleged violations of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices. The proposed consent order with Vitagene is the result of the FTC’s five-count complaint alleging that Vitagene misrepresented the company’s data security and privacy practices involving consumers’ genetic information and retroactively revised material privacy policies without providing direct notice to consumers.
The Electronic Privacy Information Center (EPIC) submits this letter in support of the proposed consent order. EPIC is a public interest research center in Washington, D.C., established in 1994 to focus public attention on emerging civil liberties issues and to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. EPIC routinely files comments in response to proposed FTC consent orders and complaints regarding business practices that violate privacy rights.
EPIC commends the Commission for using its Section 5 authority to take enforcement action against companies like Vitagene that engage in unfair and deceptive practices involving sensitive health data privacy and security. Notably, as the direct-to-consumer (DTC) genetic testing market continues to prosper, it is critical that the FTC take strong enforcement action against consumer data abuse that falls outside of the narrow protections of the Health Insurance Portability and Accountability Act (HIPAA). The DTC genetic testing market has continued to diversify and invest in different types of testing, including carrier screening, genetic health risk, cancer predisposition, ancestry, and pharmacogenomic testing. From data collection to testing and storage of personal and genetic information, each step in the DTC genetic testing process carries serious privacy and data security risks for consumers.
EPIC applauds the Commission for using its deception authority to address Vitagene’s privacy and data security misrepresentations. According to the complaint, Vitagene’s insufficient data security was below industry standards and put sensitive consumer health and genetic information at risk by storing Health Reports in publicly accessible Amazon S3 Datastore buckets. As a cumulative product of the genetic testing process, Vitagene Health Reports included an expansive range of facts about the consumer’s genetics and health: “consumer’s name, date of birth, and referring doctor or dietician, […] salient genotype data, pertinent questionnaire answers, and, based on the genotype data and questionnaire answers, the level of risk for having or developing certain health conditions, such as high LDL cholesterol, high triglycerides, obesity, or blood clots.” By prohibiting this data security misrepresentation in the proposed order, the Commission makes clear to the DTC genetic testing industry that, irrespective of a breach, it is a Section 5 violation to publicly expose sensitive consumer health information.
Relatedly, the Mandated Information Security Program outlined in Section IV of the proposed order facilitates strong compliance oversight and internal privacy controls. The Information Security Program requires certain documentation, reporting, and risk assessment after a Covered Incident. EPIC commends the definition of Covered Incident in the order, which rightly includes situations where “Health Information of or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization.” This definition reflects the understanding that cybersecurity enforcement should prevent data from being stored insecurely in the first place, not just retroactively address security breaches. Vitagene’s lack of adequate security was persistent. According to the complaint, Vitagene received at least three warnings over nearly two years that it was “storing consumers’ unencrypted health, genetic, and other personal information in publicly accessible buckets.”
EPIC encourages the Commission to build on this understanding of what constitutes a cybersecurity incident in the future. In addition to Section 5 enforcement actions, the FTC should apply this idea to the concept of a breach in its revision of the Health Breach Notification Rule (HBNR). If a vendor makes personal data accessible to unauthorized parties under circumstances where it is substantially likely that it would be accessed and/or acquired by an unauthorized party, that alone should be considered a presumptive breach under the HBNR, even in the absence of direct evidence that such access occurred. To offer an analogy: if a person displayed a defamatory message on the side of their remote mountain cabin, it may be difficult to prove that another person read that message, but if the same dwelling were on a busy street with heavy foot traffic and the sign was up for many years, an inference of unauthorized access would be appropriate. While the HBNR is focused on breach notification, it has a significant deterrent effect. That effect is strongest if the HBNR—like the FTC’s Section 5 enforcement—understands covered incidents to include the exposure of personal data in circumstances that would give rise to an inference of unauthorized access.
EPIC urges the Commission to finalize the proposed Vitagene consent order. Additionally, EPIC encourages the Commission to both (1) continue building on its use of Section 5 deception and unfairness authority in privacy and security cases involving health data, and (2) build on the order’s understanding of what constitutes a cybersecurity incident through Section 5 enforcement and the HBNR.
/s/ John Davisson EPIC Director of Litigation & Senior Counsel
/s/ Suzanne Bernstein EPIC Law Fellow
ELECTRONIC PRIVACY INFORMATION CENTER (EPIC)
1519 New Hampshire Ave. NW
Washington, DC 20036
Vitagene, Inc.; Analysis of Proposed Consent Order to Aid Public Comment, 88 Fed. Reg. 41,104 (June 23, 2023), https://www.federalregister.gov/documents/2023/06/23/2023-13329/vitagene-inc-analysis-of-proposed-consent-order-to-aid-public-comment.
See, e.g., Comments of EPIC, In re BetterHelp, Inc., FTC File No. 202-3169 (2023), https://epic.org/documents/comments-of-epic-in-re-the-federal-trade-commissions-proposed-order-settlement-with-betterhelp-inc/; Comments of EPIC, In re Chegg, Inc., FTC File No. 202-3151 (2022), https://epic.org/documents/comments-of-epic-in-re-the-federal-trade-commissions-proposed-order-settlementwith-chegg-inc/; Comments of EPIC, FTC Proposed Trade Regulation Rule on Commercial Surveillance and Data Security (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillanceANPRM-comments-Nov2022.pdf; Comments of EPIC, In re CafePress, FTC File No. 192-3209 (2022), https://epic.org/wp-content/uploads/2022/04/EPIC-comments-in-re-cafepress.pdf; Comments of EPIC, In re Matter of Support King, LLC (SpyFone.com), FTC File No. 192-3003 (2021), https://archive.epic.org/apa/comments/In-re-SpyFone-Order-EPIC-comment-100821.pdf.
See Suzanne Bernstein, Data Minimization: Bolstering the FTC’s Health Data Privacy Authority, EPIC Analysis (July 13, 2023), https://epic.org/data-minimization-bolstering-the-ftcs-health-data-privacy-authority/.
Corey H. Basch et al., Direct-to-consumer genetic testing in the news: a descriptive analysis, 14 J. Community Genetics 63, 63–64 (2022), https://doi.org/10.1007/s12687-022-00613-z.
See Catherine Roberts, The Privacy Problems of Direct-to-Consumer Genetic Testing, Consumer Reports (Jan. 14, 2022), https://www.consumerreports.org/health/dna-test-kits/privacy-and-direct-to-consumer-genetic-testing-dna-test-kits-a1187212155/ (evaluating privacy policies).
Vitagene, Inc. Complaint, In the Matter of Vitagene, Inc., FTC File No. 192-3170 at 8 (2023), https://www.ftc.gov/system/files/ftc_gov/pdf/complaint.pdf.
Vitagene, Inc.; Analysis of Proposed Consent Order to Aid Public Comment, 88 Fed. Reg. 41,105 (June 23, 2023), https://www.federalregister.gov/documents/2023/06/23/2023-13329/vitagene-inc-analysis-of-proposed-consent-order-to-aid-public-comment.
Vitagene, Inc. Decision and Proposed Order, In the Matter of Vitagene, Inc., FTC File No. 192-3170 at 6 (2023), https://www.ftc.gov/system/files/ftc_gov/pdf/complaint.pdf.