Vitagene, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 41104-41107 [2023-13329]
Download as PDF
41104
Federal Register / Vol. 88, No. 120 / Friday, June 23, 2023 / Notices
Estimated Time per Response: 0.17
hours–0.44 hours.
Frequency of Response: On occasion
reporting requirement; third party
disclosure requirement, recordkeeping &
other (5 & 10 yrs).
Obligation to Respond: Required to
obtain or retain benefits. Statutory
authority for this collection of
information is contained in 47 U.S.C.
154, 301 sections 4 and 301.
Total Annual Burden: 57,218 hours.
Total Respondent Cost: $4,550,000.
Needs and Uses: FCC 605 application
is a consolidated application form for
Ship, Aircraft, Amateur, Restricted and
Commercial Radio Operators, and
General Mobile Radio Services and is
used to collect licensing data for the
Universal Licensing System. The
Commission is requesting OMB
approval for a minor revision to the
reporting, recordkeeping and/or third
party disclosure requirements. The
Commission is removing Certification
#3 for the General Mobile Radio Service,
as well as making minor clarifications to
the general filing instructions.
The data collected on this form
includes the Date of Birth for
Commercial Operator licensees however
this information will be redacted from
public view.
The FCC uses the information in FCC
Form 605 to determine whether the
applicant is legally, technically, and
financially qualified to obtain a license.
Without such information, the
Commission cannot determine whether
to issue the licenses to the applicants
that provide telecommunication
services to the public, and therefore, to
fulfill its statutory responsibilities in
accordance with the Communications
Act of 1934, as amended. Information
provided on this form will also be used
to update the database and to provide
for proper use of the frequency
spectrum as well as enforcement
purposes.
Federal Communications Commission.
Marlene Dortch,
Secretary, Office of the Secretary.
[FR Doc. 2023–13408 Filed 6–22–23; 8:45 am]
BILLING CODE 6712–01–P
FEDERAL ELECTION COMMISSION
lotter on DSK11XQN23PROD with NOTICES1
Sunshine Act Meetings
FEDERAL REGISTER CITATION NOTICE OF
PREVIOUS ANNOUNCEMENT: 88 FR 39847.
PREVIOUSLY ANNOUNCED TIME AND DATE OF
THE MEETING: Thursday, June 22, 2023 at
10:30 p.m.
CHANGES IN THE MEETING:
The time of the
meeting is 10:30 a.m.
VerDate Sep<11>2014
18:01 Jun 22, 2023
Jkt 259001
CONTACT PERSON FOR MORE INFORMATION:
Judith Ingram, Press Officer, Telephone:
(202) 694–1220.
(Authority: Government in the Sunshine Act,
5 U.S.C. 552b)
Submitted: June 20, 2023.
Laura E. Sinram,
Secretary and Clerk of the Commission.
[FR Doc. 2023–13448 Filed 6–21–23; 11:15 am]
BILLING CODE 6715–01–P
FEDERAL RESERVE SYSTEM
Formations of, Acquisitions by, and
Mergers of Savings and Loan Holding
Companies
The companies listed in this notice
have applied to the Board for approval,
pursuant to the Home Owners’ Loan Act
(12 U.S.C. 1461 et seq.) (HOLA),
Regulation LL (12 CFR part 238), and
Regulation MM (12 CFR part 239), and
all other applicable statutes and
regulations to become a savings and
loan holding company and/or to acquire
the assets or the ownership of, control
of, or the power to vote shares of a
savings association.
The public portions of the
applications listed below, as well as
other related filings required by the
Board, if any, are available for
immediate inspection at the Federal
Reserve Bank(s) indicated below and at
the offices of the Board of Governors.
This information may also be obtained
on an expedited basis, upon request, by
contacting the appropriate Federal
Reserve Bank and from the Board’s
Freedom of Information Office at
https://www.federalreserve.gov/foia/
request.htm. Interested persons may
express their views in writing on
whether the proposed transaction
complies with the standards
enumerated in the HOLA (12 U.S.C.
1467a(e)). If the proposal also involves
the acquisition of a nonbanking
company, the review also includes
whether the acquisition of the
nonbanking company complies with the
standards in section 10(c)(4)(B) of the
HOLA (12 U.S.C. 1467a(c)(4)(B)). Unless
otherwise noted, nonbanking activities
will be conducted throughout the
United States.
Comments regarding each of these
applications must be received at the
Reserve Bank indicated or the offices of
the Board of Governors, Ann E.
Misback, Secretary of the Board, 20th
Street and Constitution Avenue NW,
Washington, DC 20551–0001, not later
than July 24, 2023.
A. Federal Reserve Bank of Kansas
City (Jeffrey Imgarten, Assistant Vice
PO 00000
Frm 00038
Fmt 4703
Sfmt 4703
President) One Memorial Drive, Kansas
City, Missouri 64198. Comments can
also be sent electronically to
KCApplicationComments@kc.frb.org:
1. Central Plains Bancshares, Inc.,
Grand Island, Nebraska; to become a
savings and loan holding company by
acquiring Home Federal Savings and
Loan Association of Grand Island,
Grand Island, Nebraska, in connection
with the conversion of Home Federal
Savings and Loan Association of Grand
Island from mutual to stock form.
Board of Governors of the Federal Reserve
System.
Michele Taylor Fennell,
Deputy Associate Secretary of the Board.
[FR Doc. 2023–13405 Filed 6–22–23; 8:45 am]
BILLING CODE P
FEDERAL TRADE COMMISSION
[File No. 192 3170]
Vitagene, Inc.; Analysis of Proposed
Consent Order To Aid Public Comment
Federal Trade Commission.
Proposed consent agreement;
request for comment.
AGENCY:
ACTION:
The consent agreement in this
matter settles alleged violations of
Federal law prohibiting unfair or
deceptive acts or practices. The attached
Analysis of Proposed Consent Order to
Aid Public Comment describes both the
allegations in the complaint and the
terms of the consent order—embodied
in the consent agreement—that would
settle these allegations.
DATES: Comments must be received on
or before July 24, 2023.
ADDRESSES: Interested parties may file
comments online or on paper by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Please write ‘‘Vitagene, Inc.; File
No. 192 3170’’ on your comment and
file your comment online at https://
www.regulations.gov by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, please mail your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex V), Washington, DC
20580.
FOR FURTHER INFORMATION CONTACT:
James Trilling (202–326–3497), or Elisa
Jillson (202–326–3001), Attorneys,
Division of Privacy and Identity
Protection, Bureau of Consumer
Protection, Federal Trade Commission,
600 Pennsylvania Ave. NW,
Washington, DC 20580.
SUMMARY:
E:\FR\FM\23JNN1.SGM
23JNN1
Federal Register / Vol. 88, No. 120 / Friday, June 23, 2023 / Notices
Pursuant
to section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule § 2.34, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of 30 days. The following Analysis to
Aid Public Comment describes the
terms of the consent agreement and the
allegations in the complaint. An
electronic copy of the full text of the
consent agreement package can be
obtained at https://www.ftc.gov/newsevents/commission-actions.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before July 24, 2023. Write ‘‘Vitagene,
Inc.; File No. 192 3170’’ on your
comment. Your comment—including
your name and your state—will be
placed on the public record of this
proceeding, including, to the extent
practicable, on the https://
www.regulations.gov website.
Because of heightened security
screening, postal mail addressed to the
Commission will be subject to delay. We
strongly encourage you to submit your
comments online through the https://
www.regulations.gov website. If you
prefer to file your comment on paper,
write ‘‘Vitagene, Inc.; File No. 192
3170’’ on your comment and on the
envelope, and mail your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex V), Washington, DC
20580.
Because your comment will be placed
on the publicly accessible website at
https://www.regulations.gov, you are
solely responsible for making sure your
comment does not include any sensitive
or confidential information. In
particular, your comment should not
include sensitive personal information,
such as your or anyone else’s Social
Security number; date of birth; driver’s
license number or other state
identification number, or foreign
country equivalent; passport number;
financial account number; or credit or
debit card number. You are also solely
responsible for making sure your
comment does not include sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, your comment should not
include any ‘‘trade secret or any
commercial or financial information
which . . . is privileged or
confidential’’—as provided by section
lotter on DSK11XQN23PROD with NOTICES1
SUPPLEMENTARY INFORMATION:
VerDate Sep<11>2014
18:01 Jun 22, 2023
Jkt 259001
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule § 4.10(a)(2), 16 CFR
4.10(a)(2)—including competitively
sensitive information such as costs,
sales statistics, inventories, formulas,
patterns, devices, manufacturing
processes, or customer names.
Comments containing material for
which confidential treatment is
requested must be filed in paper form,
must be clearly labeled ‘‘Confidential,’’
and must comply with FTC Rule
§ 4.9(c). In particular, the written
request for confidential treatment that
accompanies the comment must include
the factual and legal basis for the
request and must identify the specific
portions of the comment to be withheld
from the public record. See FTC Rule
§ 4.9(c). Your comment will be kept
confidential only if the General Counsel
grants your request in accordance with
the law and the public interest. Once
your comment has been posted on the
https://www.regulations.gov website—as
legally required by FTC Rule § 4.9(b)—
we cannot redact or remove your
comment from that website, unless you
submit a confidentiality request that
meets the requirements for such
treatment under FTC Rule § 4.9(c), and
the General Counsel grants that request.
Visit the FTC website at https://
www.ftc.gov to read this document and
the news release describing the
proposed settlement. The FTC Act and
other laws the Commission administers
permit the collection of public
comments to consider and use in this
proceeding, as appropriate. The
Commission will consider all timely
and responsive public comments it
receives on or before July 24, 2023. For
information on the Commission’s
privacy policy, including routine uses
permitted by the Privacy Act, see
https://www.ftc.gov/site-information/
privacy-policy.
Analysis of Proposed Consent Order To
Aid Public Comment
The Federal Trade Commission (the
‘‘Commission’’) has accepted, subject to
final approval, an agreement containing
a consent order from 1Health.io Inc.
(formerly known as, and doing business
as, Vitagene, Inc.) (‘‘Vitagene’’). The
proposed consent order (‘‘proposed
order’’) has been placed on the public
record for 30 days for receipt of
comments from interested persons.
Comments received during this period
will become part of the public record.
After 30 days, the Commission again
will review the agreement and the
comments received, and will decide
whether it should withdraw from the
agreement or make final the agreement’s
proposed order.
PO 00000
Frm 00039
Fmt 4703
Sfmt 4703
41105
Since 2015, Vitagene has sold ‘‘DNA
Health Test Kits’’ to consumers. In each
DNA Health Test Kit, Vitagene instructs
the consumer to provide a saliva sample
by mail. Vitagene contracts with a
testing lab to analyze the sample and
map a portion of the consumer’s genetic
code.
Vitagene combines the testing lab’s
DNA analysis with the consumer’s
answers to an online ‘‘health
questionnaire’’ that probes the
individual’s health history, lifestyle,
and family health history. Using this
information, Vitagene generates reports
about the consumer’s health and
wellness (‘‘Health Reports’’) and
ancestry. Vitagene also sells to the
consumer Health Reports that it creates
by using the consumer’s answers to an
online ‘‘lifestyle questionnaire’’ and raw
DNA data that the consumer sends to
Vitagene after the consumer has
obtained DNA tests from certain
companies other than Vitagene. The
retail cost for a package that includes a
Health Report has ranged from $29 to
$259, with higher-priced packages
including add-ons such as subscriptions
to personalized vitamin packs and
nutritional coaching.
The Health Reports that Vitagene
creates contain numerous facts about
the consumer’s genetics and health. For
example, one type of Health Report first
lists the consumer’s name, date of birth,
and referring doctor or dietician, and
then identifies salient genotype data,
pertinent questionnaire answers, and,
based on the genotype data and
questionnaire answers, the level of risk
for having or developing certain health
conditions, such as high LDL
cholesterol, high triglycerides, obesity,
or blood clots.
As part of its information technology
infrastructure, Vitagene stores
consumers’ health and genetic
information in the Amazon Web
Services (‘‘AWS’’) Simple Storage
Service (the ‘‘Amazon S3 Datastore’’) in
virtual containers, called ‘‘buckets.’’ The
files Vitagene has stored in Amazon S3
Datastore buckets include, among other
things, consumers’ Health Reports;
genotype data called single-nucleotide
polymorphisms (‘‘SNPs’’), which are the
most common type of genetic variation
among people; and other raw genotype
data.
The proposed complaint alleges that,
despite the fact that Vitagene has stored
consumers’ sensitive personal
information in the Amazon S3
Datastore, Vitagene did not uniformly
apply basic safeguards to the data in
each of its Amazon S3 Datastore
buckets. In particular, the proposed
complaint alleges that, in or about 2016,
E:\FR\FM\23JNN1.SGM
23JNN1
lotter on DSK11XQN23PROD with NOTICES1
41106
Federal Register / Vol. 88, No. 120 / Friday, June 23, 2023 / Notices
Vitagene created a publicly accessible
bucket in which the company stored
Health Reports for at least 2,383
consumers and a publicly accessible
bucket in which it stored raw genetic
data (sometimes accompanied by first
name) for at least 227 consumers. The
proposed complaint alleges that
Vitagene’s failure to use access controls
to restrict access to this sensitive data,
encrypt it, log or monitor access to it, or
inventory it, to help ensure ongoing
security resulted in Vitagene publicly
exposing the data until July 2019.
According to the proposed complaint,
between July 2017 and June 2019,
Vitagene received at least three
warnings that it was storing consumers’
unencrypted health, genetic, and other
personal information in publicly
accessible buckets.
The proposed complaint alleges
Vitagene changed its name from
Vitagene, Inc. to 1Health.io Inc. in
October 2020. According to the
proposed complaint, the company
published revised privacy policies in
April and December 2020 that apply to
all the company’s customers, including
those who purchased products and
services from the company solely before
April 2020. The proposed complaint
alleges that, compared to Vitagene’s
previous privacy policy, the company’s
2020 privacy policies significantly
expand the types of third parties with
whom, and the purposes for which, the
company may share consumers’
sensitive personal information. The
company did not provide direct notice
to consumers of the change, but it also
did not implement the expanded
sharing.
The proposed five-count complaint
alleges that Vitagene violated section
5(a) of the FTC Act by misrepresenting
the company’s data security and privacy
practices, and by unfairly making
material retroactive changes to the
company’s policies regarding thirdparty sharing of sensitive personal
information.
Proposed complaint Count I alleges
Vitagene deceived consumers by
misrepresenting that it exceeded
industry-standard security practices. On
a web page that Vitagene devoted to
describing its privacy practices,
Vitagene claimed that ‘‘[w]e use the
latest technology and exceed industrystandard security practices to protect
your privacy.’’ The proposed complaint
alleges that Vitagene’s public exposure
of consumers’ Health Reports, raw
genetic data, and other personal
information in AWS S3 buckets until
July 2019 contradicted this claim.
Proposed complaint Count II alleges
Vitagene deceptively claimed on
VerDate Sep<11>2014
18:01 Jun 22, 2023
Jkt 259001
multiple web pages that it stored
consumers’ DNA results without name
or any other common identifying
information. The proposed complaint
alleges that this claim was deceptive
because Vitagene stored consumers’
DNA results with their names and other
common identifying information.
Proposed complaint Count III alleges
Vitagene deceptively claimed that it
would remove all of a consumer’s
information if the consumer requested
deletion of his or her data. Vitagene
made this claim on a web page that
Vitagene devoted to describing its
privacy practices. The proposed
complaint alleges that the claim was
deceptive because, from approximately
2016 through July 1, 2019, Vitagene’s
lack of a data inventory made it
impossible for the company to search
comprehensively in response to
consumers’ requests for Vitagene to
delete their data.
Proposed complaint Count IV alleges
Vitagene deceived consumers by
claiming on multiple web pages that it
destroys consumers’ physical DNA
saliva samples shortly after analysis of
them. The proposed complaint alleges
that this claim was deceptive because,
beginning in approximately December
2016, Vitagene did not have a contract
provision with its genotyping laboratory
partner requiring such destruction.
Proposed complaint Count V alleges it
was unfair for Vitagene to post on its
websites in April and December 2020
revised privacy policies that describe
materially expanded practices for the
company’s sharing of consumers’
sensitive health and genetic information
with third parties—including the
information of consumers who
purchased products and services from
Vitagene solely before April 2020—
without taking any additional steps to
notify consumers or obtain consumers’
consent.
The proposed order contains
provisions to address Vitagene’s
conduct and prevent it from engaging in
the same or similar acts or practices in
the future. Part I of the proposed order
prohibits Vitagene from misrepresenting
(1) the extent to which it meets or
exceeds industry-standard security or
privacy practices, (2) the extent to
which it stores any Health Information
(as defined in the order) with any other
element of Personal Information (as also
defined in the order), (3) the extent to
which, or the purposes for which, it
collects, uses, discloses, maintains,
deletes, or destroys a consumer’s (i)
physical DNA sample or (ii) Personal
Information upon request, (4) it is a
member of, adheres to, complies with, is
certified by, or otherwise participates in,
PO 00000
Frm 00040
Fmt 4703
Sfmt 4703
any privacy or security program
sponsored by a government entity or
third party, (5) the extent to which it
otherwise protects the privacy, security,
availability, confidentiality, or integrity
of Personal Information, or (6) it has
received approval or authorization for
its claims, products, or services from
any government agency.
Part II prohibits Vitagene from
disclosing Health Information to any
Third Party (as defined in the order)
unless the company obtains the
Affirmative Express Consent (as also
defined in the order) of the individual
who is identifiable by the Health
Information. Part III requires Vitagene to
instruct any laboratory that collected
physical DNA samples pursuant to a
contract with Vitagene to destroy any
such sample that the laboratory retained
for more than 180 days after Vitagene
accepted the results of the analysis of
the sample.
Part IV requires Vitagene to establish,
implement, and maintain a
comprehensive information security
program that protects the security,
confidentiality, and integrity of Personal
Information. Part V requires Vitagene to
obtain initial and biennial data security
assessments from a third-party assessor
for twenty years. Part VI requires
Vitagene to disclose all material facts to
the assessor and prohibits Vitagene from
misrepresenting any fact material to the
assessments required by Part V.
Part VII requires Vitagene to submit to
the Commission an annual certification
that Vitagene has implemented the
requirements of the Order and is not
aware of any material noncompliance
that has not been corrected or disclosed
to the Commission. Part VIII requires
Vitagene to submit a report to the
Commission if it discovers any Covered
Incident (as defined in the order).
Part IX requires Vitagene to pay
$75,000 in monetary relief. Part X
provides that the Commission may use
Vitagene’s monetary relief payment to
provide, and pay expenses related to the
administration of, consumer redress.
Part XI requires Vitagene to provide the
Commission customer information to
enable the Commission to efficiently
administer consumer redress.
Parts XII–XV are reporting and
compliance provisions. Part XII requires
Vitagene to acknowledge receipt of the
order and distribute it to persons with
responsibilities relating to the subject
matter of the order. Part XIII requires
Vitagene to submit an initial compliance
report to the Commission and notify the
Commission of changes in Vitagene’s
corporate status. Part XIV requires
Vitagene to create and retain certain
documents relating to its compliance
E:\FR\FM\23JNN1.SGM
23JNN1
Federal Register / Vol. 88, No. 120 / Friday, June 23, 2023 / Notices
with the order. Part XV requires that
Vitagene provide the Commission
additional information or compliance
reports, as requested. Part XVI states
that the proposed order will remain in
effect for 20 years, with certain
exceptions.
The purpose of this analysis is to aid
public comment on the proposed order.
It is not intended to constitute an
official interpretation of the complaint
or proposed order, or to modify in any
way the proposed order’s terms.
By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2023–13329 Filed 6–22–23; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Food and Drug Administration
[Docket No. FDA–2023–D–2204]
Formal Dispute Resolution and
Administrative Hearings of Final
Administrative Orders Under Section
505G of the Federal Food, Drug, and
Cosmetic Act; Draft Guidance for
Industry; Availability
AGENCY:
Food and Drug Administration,
HHS.
ACTION:
Notice of availability.
The Food and Drug
Administration (FDA or Agency) is
announcing the availability of a draft
guidance for industry entitled ‘‘Formal
Dispute Resolution and Administrative
Hearings of Final Administrative Orders
Under Section 505G of the Federal
Food, Drug, and Cosmetic Act.’’ This
draft guidance provides
recommendations for industry and
review staff on the formal dispute
resolution and administrative hearings
procedures for resolving scientific and/
or medical disputes between the Center
for Drug Evaluation and Research
(CDER) and requestors and sponsors of
drugs that will be subject to a final
administrative order (final order) under
section 505G of the Federal Food, Drug,
and Cosmetic Act (FD&C Act).
DATES: Submit either electronic or
written comments on the draft guidance
by August 22, 2023 to ensure that the
Agency considers your comment on this
draft guidance before it begins work on
the final version of the guidance.
ADDRESSES: You may submit comments
on any guidance at any time as follows:
lotter on DSK11XQN23PROD with NOTICES1
SUMMARY:
VerDate Sep<11>2014
18:01 Jun 22, 2023
Jkt 259001
Electronic Submissions
Submit electronic comments in the
following way:
• Federal eRulemaking Portal:
https://www.regulations.gov. Follow the
instructions for submitting comments.
Comments submitted electronically,
including attachments, to https://
www.regulations.gov will be posted to
the docket unchanged. Because your
comment will be made public, you are
solely responsible for ensuring that your
comment does not include any
confidential information that you or a
third party may not wish to be posted,
such as medical information, your or
anyone else’s Social Security number, or
confidential business information, such
as a manufacturing process. Please note
that if you include your name, contact
information, or other information that
identifies you in the body of your
comments, that information will be
posted on https://www.regulations.gov.
• If you want to submit a comment
with confidential information that you
do not wish to be made available to the
public, submit the comment as a
written/paper submission and in the
manner detailed (see ‘‘Written/Paper
Submissions’’ and ‘‘Instructions’’).
Written/Paper Submissions
Submit written/paper submissions as
follows:
• Mail/Hand Delivery/Courier (for
written/paper submissions): Dockets
Management Staff (HFA–305), Food and
Drug Administration, 5630 Fishers
Lane, Rm. 1061, Rockville, MD 20852.
• For written/paper comments
submitted to the Dockets Management
Staff, FDA will post your comment, as
well as any attachments, except for
information submitted, marked and
identified, as confidential, if submitted
as detailed in ‘‘Instructions.’’
Instructions: All submissions received
must include the Docket No. FDA–
2023–D–2204 for ‘‘Formal Dispute
Resolution and Administrative Hearings
of Final Administrative Orders Under
Section 505G of the Federal Food, Drug,
and Cosmetic Act.’’ Received comments
will be placed in the docket and, except
for those submitted as ‘‘Confidential
Submissions,’’ publicly viewable at
https://www.regulations.gov or at the
Dockets Management Staff between 9
a.m. and 4 p.m., Monday through
Friday, 240–402–7500.
• Confidential Submissions—To
submit a comment with confidential
information that you do not wish to be
made publicly available, submit your
comments only as a written/paper
submission. You should submit two
copies total. One copy will include the
PO 00000
Frm 00041
Fmt 4703
Sfmt 4703
41107
information you claim to be confidential
with a heading or cover note that states
‘‘THIS DOCUMENT CONTAINS
CONFIDENTIAL INFORMATION.’’ The
Agency will review this copy, including
the claimed confidential information, in
its consideration of comments. The
second copy, which will have the
claimed confidential information
redacted/blacked out, will be available
for public viewing and posted on
https://www.regulations.gov. Submit
both copies to the Dockets Management
Staff. If you do not wish your name and
contact information to be made publicly
available, you can provide this
information on the cover sheet and not
in the body of your comments and you
must identify this information as
‘‘confidential.’’ Any information marked
as ‘‘confidential’’ will not be disclosed
except in accordance with 21 CFR 10.20
and other applicable disclosure law. For
more information about FDA’s posting
of comments to public dockets, see 80
FR 56469, September 18, 2015, or access
the information at: https://
www.govinfo.gov/content/pkg/FR-201509-18/pdf/2015-23389.pdf.
Docket: For access to the docket to
read background documents or the
electronic and written/paper comments
received, go to https://
www.regulations.gov and insert the
docket number, found in brackets in the
heading of this document, into the
‘‘Search’’ box and follow the prompts
and/or go to the Dockets Management
Staff, 5630 Fishers Lane, Rm. 1061,
Rockville, MD 20852, 240–402–7500.
You may submit comments on any
guidance at any time (see 21 CFR
10.115(g)(5)).
Submit written requests for single
copies of the draft guidance to the
Division of Drug Information, Center for
Drug Evaluation and Research, Food
and Drug Administration, 10001 New
Hampshire Ave., Hillandale Building,
4th Floor, Silver Spring, MD 20993–
0002. Send one self-addressed adhesive
label to assist that office in processing
your requests. See the SUPPLEMENTARY
INFORMATION section for electronic
access to the draft guidance document.
FOR FURTHER INFORMATION CONTACT: Jung
Lee, Center for Drug Evaluation and
Research (HFD–600), Food and Drug
Administration, 10903 New Hampshire
Ave., Bldg. 22, Rm. 5494, Silver Spring,
MD 20993, 301–796–3599.
SUPPLEMENTARY INFORMATION:
I. Background
FDA is announcing the availability of
a draft guidance for industry entitled
‘‘Formal Dispute Resolution and
Administrative Hearings of Final
E:\FR\FM\23JNN1.SGM
23JNN1
Agencies
[Federal Register Volume 88, Number 120 (Friday, June 23, 2023)]
[Notices]
[Pages 41104-41107]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-13329]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 192 3170]
Vitagene, Inc.; Analysis of Proposed Consent Order To Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement; request for comment.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of Federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis of Proposed Consent Order to Aid
Public Comment describes both the allegations in the complaint and the
terms of the consent order--embodied in the consent agreement--that
would settle these allegations.
DATES: Comments must be received on or before July 24, 2023.
ADDRESSES: Interested parties may file comments online or on paper by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Please write ``Vitagene, Inc.;
File No. 192 3170'' on your comment and file your comment online at
https://www.regulations.gov by following the instructions on the web-
based form. If you prefer to file your comment on paper, please mail
your comment to the following address: Federal Trade Commission, Office
of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex V),
Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: James Trilling (202-326-3497), or
Elisa Jillson (202-326-3001), Attorneys, Division of Privacy and
Identity Protection, Bureau of Consumer Protection, Federal Trade
Commission, 600 Pennsylvania Ave. NW, Washington, DC 20580.
[[Page 41105]]
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule Sec. 2.34, 16 CFR
2.34, notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of 30 days. The following
Analysis to Aid Public Comment describes the terms of the consent
agreement and the allegations in the complaint. An electronic copy of
the full text of the consent agreement package can be obtained at
https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before July 24, 2023.
Write ``Vitagene, Inc.; File No. 192 3170'' on your comment. Your
comment--including your name and your state--will be placed on the
public record of this proceeding, including, to the extent practicable,
on the https://www.regulations.gov website.
Because of heightened security screening, postal mail addressed to
the Commission will be subject to delay. We strongly encourage you to
submit your comments online through the https://www.regulations.gov
website. If you prefer to file your comment on paper, write ``Vitagene,
Inc.; File No. 192 3170'' on your comment and on the envelope, and mail
your comment to the following address: Federal Trade Commission, Office
of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex V),
Washington, DC 20580.
Because your comment will be placed on the publicly accessible
website at https://www.regulations.gov, you are solely responsible for
making sure your comment does not include any sensitive or confidential
information. In particular, your comment should not include sensitive
personal information, such as your or anyone else's Social Security
number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure your comment does not include
sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule Sec.
4.10(a)(2), 16 CFR 4.10(a)(2)--including competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule Sec. 4.9(c). In
particular, the written request for confidential treatment that
accompanies the comment must include the factual and legal basis for
the request and must identify the specific portions of the comment to
be withheld from the public record. See FTC Rule Sec. 4.9(c). Your
comment will be kept confidential only if the General Counsel grants
your request in accordance with the law and the public interest. Once
your comment has been posted on the https://www.regulations.gov
website--as legally required by FTC Rule Sec. 4.9(b)--we cannot redact
or remove your comment from that website, unless you submit a
confidentiality request that meets the requirements for such treatment
under FTC Rule Sec. 4.9(c), and the General Counsel grants that
request.
Visit the FTC website at https://www.ftc.gov to read this document
and the news release describing the proposed settlement. The FTC Act
and other laws the Commission administers permit the collection of
public comments to consider and use in this proceeding, as appropriate.
The Commission will consider all timely and responsive public comments
it receives on or before July 24, 2023. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (the ``Commission'') has accepted,
subject to final approval, an agreement containing a consent order from
1Health.io Inc. (formerly known as, and doing business as, Vitagene,
Inc.) (``Vitagene''). The proposed consent order (``proposed order'')
has been placed on the public record for 30 days for receipt of
comments from interested persons. Comments received during this period
will become part of the public record. After 30 days, the Commission
again will review the agreement and the comments received, and will
decide whether it should withdraw from the agreement or make final the
agreement's proposed order.
Since 2015, Vitagene has sold ``DNA Health Test Kits'' to
consumers. In each DNA Health Test Kit, Vitagene instructs the consumer
to provide a saliva sample by mail. Vitagene contracts with a testing
lab to analyze the sample and map a portion of the consumer's genetic
code.
Vitagene combines the testing lab's DNA analysis with the
consumer's answers to an online ``health questionnaire'' that probes
the individual's health history, lifestyle, and family health history.
Using this information, Vitagene generates reports about the consumer's
health and wellness (``Health Reports'') and ancestry. Vitagene also
sells to the consumer Health Reports that it creates by using the
consumer's answers to an online ``lifestyle questionnaire'' and raw DNA
data that the consumer sends to Vitagene after the consumer has
obtained DNA tests from certain companies other than Vitagene. The
retail cost for a package that includes a Health Report has ranged from
$29 to $259, with higher-priced packages including add-ons such as
subscriptions to personalized vitamin packs and nutritional coaching.
The Health Reports that Vitagene creates contain numerous facts
about the consumer's genetics and health. For example, one type of
Health Report first lists the consumer's name, date of birth, and
referring doctor or dietician, and then identifies salient genotype
data, pertinent questionnaire answers, and, based on the genotype data
and questionnaire answers, the level of risk for having or developing
certain health conditions, such as high LDL cholesterol, high
triglycerides, obesity, or blood clots.
As part of its information technology infrastructure, Vitagene
stores consumers' health and genetic information in the Amazon Web
Services (``AWS'') Simple Storage Service (the ``Amazon S3 Datastore'')
in virtual containers, called ``buckets.'' The files Vitagene has
stored in Amazon S3 Datastore buckets include, among other things,
consumers' Health Reports; genotype data called single-nucleotide
polymorphisms (``SNPs''), which are the most common type of genetic
variation among people; and other raw genotype data.
The proposed complaint alleges that, despite the fact that Vitagene
has stored consumers' sensitive personal information in the Amazon S3
Datastore, Vitagene did not uniformly apply basic safeguards to the
data in each of its Amazon S3 Datastore buckets. In particular, the
proposed complaint alleges that, in or about 2016,
[[Page 41106]]
Vitagene created a publicly accessible bucket in which the company
stored Health Reports for at least 2,383 consumers and a publicly
accessible bucket in which it stored raw genetic data (sometimes
accompanied by first name) for at least 227 consumers. The proposed
complaint alleges that Vitagene's failure to use access controls to
restrict access to this sensitive data, encrypt it, log or monitor
access to it, or inventory it, to help ensure ongoing security resulted
in Vitagene publicly exposing the data until July 2019. According to
the proposed complaint, between July 2017 and June 2019, Vitagene
received at least three warnings that it was storing consumers'
unencrypted health, genetic, and other personal information in publicly
accessible buckets.
The proposed complaint alleges Vitagene changed its name from
Vitagene, Inc. to 1Health.io Inc. in October 2020. According to the
proposed complaint, the company published revised privacy policies in
April and December 2020 that apply to all the company's customers,
including those who purchased products and services from the company
solely before April 2020. The proposed complaint alleges that, compared
to Vitagene's previous privacy policy, the company's 2020 privacy
policies significantly expand the types of third parties with whom, and
the purposes for which, the company may share consumers' sensitive
personal information. The company did not provide direct notice to
consumers of the change, but it also did not implement the expanded
sharing.
The proposed five-count complaint alleges that Vitagene violated
section 5(a) of the FTC Act by misrepresenting the company's data
security and privacy practices, and by unfairly making material
retroactive changes to the company's policies regarding third-party
sharing of sensitive personal information.
Proposed complaint Count I alleges Vitagene deceived consumers by
misrepresenting that it exceeded industry-standard security practices.
On a web page that Vitagene devoted to describing its privacy
practices, Vitagene claimed that ``[w]e use the latest technology and
exceed industry-standard security practices to protect your privacy.''
The proposed complaint alleges that Vitagene's public exposure of
consumers' Health Reports, raw genetic data, and other personal
information in AWS S3 buckets until July 2019 contradicted this claim.
Proposed complaint Count II alleges Vitagene deceptively claimed on
multiple web pages that it stored consumers' DNA results without name
or any other common identifying information. The proposed complaint
alleges that this claim was deceptive because Vitagene stored
consumers' DNA results with their names and other common identifying
information.
Proposed complaint Count III alleges Vitagene deceptively claimed
that it would remove all of a consumer's information if the consumer
requested deletion of his or her data. Vitagene made this claim on a
web page that Vitagene devoted to describing its privacy practices. The
proposed complaint alleges that the claim was deceptive because, from
approximately 2016 through July 1, 2019, Vitagene's lack of a data
inventory made it impossible for the company to search comprehensively
in response to consumers' requests for Vitagene to delete their data.
Proposed complaint Count IV alleges Vitagene deceived consumers by
claiming on multiple web pages that it destroys consumers' physical DNA
saliva samples shortly after analysis of them. The proposed complaint
alleges that this claim was deceptive because, beginning in
approximately December 2016, Vitagene did not have a contract provision
with its genotyping laboratory partner requiring such destruction.
Proposed complaint Count V alleges it was unfair for Vitagene to
post on its websites in April and December 2020 revised privacy
policies that describe materially expanded practices for the company's
sharing of consumers' sensitive health and genetic information with
third parties--including the information of consumers who purchased
products and services from Vitagene solely before April 2020--without
taking any additional steps to notify consumers or obtain consumers'
consent.
The proposed order contains provisions to address Vitagene's
conduct and prevent it from engaging in the same or similar acts or
practices in the future. Part I of the proposed order prohibits
Vitagene from misrepresenting (1) the extent to which it meets or
exceeds industry-standard security or privacy practices, (2) the extent
to which it stores any Health Information (as defined in the order)
with any other element of Personal Information (as also defined in the
order), (3) the extent to which, or the purposes for which, it
collects, uses, discloses, maintains, deletes, or destroys a consumer's
(i) physical DNA sample or (ii) Personal Information upon request, (4)
it is a member of, adheres to, complies with, is certified by, or
otherwise participates in, any privacy or security program sponsored by
a government entity or third party, (5) the extent to which it
otherwise protects the privacy, security, availability,
confidentiality, or integrity of Personal Information, or (6) it has
received approval or authorization for its claims, products, or
services from any government agency.
Part II prohibits Vitagene from disclosing Health Information to
any Third Party (as defined in the order) unless the company obtains
the Affirmative Express Consent (as also defined in the order) of the
individual who is identifiable by the Health Information. Part III
requires Vitagene to instruct any laboratory that collected physical
DNA samples pursuant to a contract with Vitagene to destroy any such
sample that the laboratory retained for more than 180 days after
Vitagene accepted the results of the analysis of the sample.
Part IV requires Vitagene to establish, implement, and maintain a
comprehensive information security program that protects the security,
confidentiality, and integrity of Personal Information. Part V requires
Vitagene to obtain initial and biennial data security assessments from
a third-party assessor for twenty years. Part VI requires Vitagene to
disclose all material facts to the assessor and prohibits Vitagene from
misrepresenting any fact material to the assessments required by Part
V.
Part VII requires Vitagene to submit to the Commission an annual
certification that Vitagene has implemented the requirements of the
Order and is not aware of any material noncompliance that has not been
corrected or disclosed to the Commission. Part VIII requires Vitagene
to submit a report to the Commission if it discovers any Covered
Incident (as defined in the order).
Part IX requires Vitagene to pay $75,000 in monetary relief. Part X
provides that the Commission may use Vitagene's monetary relief payment
to provide, and pay expenses related to the administration of, consumer
redress. Part XI requires Vitagene to provide the Commission customer
information to enable the Commission to efficiently administer consumer
redress.
Parts XII-XV are reporting and compliance provisions. Part XII
requires Vitagene to acknowledge receipt of the order and distribute it
to persons with responsibilities relating to the subject matter of the
order. Part XIII requires Vitagene to submit an initial compliance
report to the Commission and notify the Commission of changes in
Vitagene's corporate status. Part XIV requires Vitagene to create and
retain certain documents relating to its compliance
[[Page 41107]]
with the order. Part XV requires that Vitagene provide the Commission
additional information or compliance reports, as requested. Part XVI
states that the proposed order will remain in effect for 20 years, with
certain exceptions.
The purpose of this analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the complaint or proposed order, or to modify in any
way the proposed order's terms.
By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2023-13329 Filed 6-22-23; 8:45 am]
BILLING CODE 6750-01-P