16 minutes of reading

Who owns your DNA? Privacy concerns in genetic testing services

With the holiday season here again, at-home DNA testing kits are once again a popular gift option. As one of the most popular DNA testing services, 23andMe, faces bankruptcy, many consumers are looking into alternatives. However, choosing the right service may not be as straightforward as it may seem. 

While the types of services provided and the accuracy of the tests are important factors, we think privacy is equally (if not more) important, especially considering the sensitive nature of the data these companies handle. This includes both digital records and physical genetic samples. To evaluate how these companies manage user privacy, Incogni’s research team analyzed the privacy policies of 10 popular DNA testing services.

We’ve found that the legal language in these privacy policies is often muddy, making it difficult to make concrete claims about how they actually reflect users’ data safety. Despite this, the analysis uncovered significant trends regarding data anonymization, the storage and destruction of physical DNA samples, and the policies governing data sharing with law enforcement. These insights are critical for anyone considering entrusting their most sensitive information—genetic data—to a for-profit DNA testing company.

Table of Contents
Key insights:

Key insights:

  • A total of 4 out of 10 services (23andMe, SelfDecode, Toolbox Genomics, and Everlywell) collect personal data for marketing purposes, claiming to do so with aggregated or anonymized data.
  • Every service analyzed collects technical user data and user interactions, such as IP addresses and browser details, which can be used to identify users even when anonymized.
  • Four services (SelfDecode, LetsGetChecked, Toolbox Genomics, and Everlywell) state they comply with law enforcement when “legally compelled only” or under a “good faith belief” that disclosure is necessary—terms that are vague and could allow information sharing without a warrant.
  • Among the services we analyzed, 4 out of 10 do not specify where physical samples are stored. The remaining services vaguely reference storage locations like a “secure facility” (Ancestry), “Biobank” (23andMe), or a “lab in Houston” (FamilyTreeDNA). All services retain physical samples for extended periods.
  • Half of the services (Living DNA, FamilyTreeDNA, DNA Complete, SelfDecode, and Toolbox Genomics) lack a clear Health Data Privacy Policy as required by Washington’s My Health My Data Act, which mandates transparency in handling state residents’ health data.

How DNA testing services use genetic information


When handing over data as sensitive as genetic information, it’s important that consumers understand what the company intends to do with it. 

Our overview of the DNA testing services’ privacy policies led us to identify 4 major purposes for which user data is processed:

  1. Providing users with the intended service. All of the investigated companies state this purpose. 
  2. Improving the service. This purpose is given by Ancestry, 23andMe, FamilyTreeDNA, DNA Complete (formerly Nebula Genomics), SelfDecode, Toolbox Genomics, and Everlywell.
  3. Conducting internal and/or external research (usually with user consent). This purpose is given by Ancestry, MyHeritage, DNA Complete (formerly Nebula Genomics), SelfDecode, and LetsGetChecked. 
  4. Marketing. This purpose is given by 23andMe, SelfDecode, Toolbox Genomics, and Everlywell, all of which claim to use aggregated/anonymized data for marketing purposes. 

While using genetic information for providing and improving the service is understandable, research and marketing are both less clear as purposes. Without knowing the internal processes, it’s impossible to tell exactly what genetic information is used and what kinds of research and advertising are conducted based on it. 

A quick overview of these companies’ Google ads (using the Ads Transparency Center1) and social media posts doesn’t immediately reveal where they use aggregated genetic information. However, we observed that 23andMe publishes articles on their blog about their users’ ancestry, such as a recent piece about how many users are descendants of Mayflower passengers.2 

We also found one instance where research (not for the purpose of product improvement) does not seem to require explicit consent. The phrasing of FamilyTreeDNA’s privacy policy implies that they can conduct statistical research using their users’ anonymized and aggregated genetic data. 

Where DNA testing services get their data 

Not all of the companies we analyzed provide the same kinds of services. Some of them aim primarily to help people look for diseases or other predispositions. Others simply offer a centralized and simplified way to build a family tree. This means that different companies process and collect different types of data, both physical genetic samples and supplementary information. 

In all of the companies our researchers analyzed, the user provides the most sensitive data—their genetic information. 

Meanwhile, services like Ancestry, MyHeritage, and Living DNA also collect information that may be related to their users from a variety of other sources (such as newspapers and public records) in order to help them provide their family tree-building functionality. 

Many of these companies also receive some information about their users from third parties—whether affiliates, other users (as they build their family tree, it might include other users) or other sources.

Our researchers found that DNA testing companies get information through their service providers as well. This includes a lot of “technical” user data such as interactions with the website, IP addresses, and browser information.  

Genetic data and law enforcement

DNA testing services sometimes share users’ genetic information with law enforcement. This not only challenges the balance between public safety and individual freedoms but also raises concerns about consent, data security, and the potential misuse of genetic information. 

When choosing a DNA analysis service, it’s important that consumers consider how these companies interact with law enforcement. While law enforcement can request access to data or genetic samples, these requests should be sanctioned by court order or subpoena and have to be proportional. Commercial DNA testing services also have the right to challenge the proportionality and legality of such requests.

Some of the companies our researchers analyzed leverage their collaboration with law enforcement in their advertising, claiming that by joining their genealogical database, you might help solve a crime.3 We’ve also seen the opposite, with other companies emphasizing privacy—assuring users that their data won’t be shared with law enforcement.4

Almost half of the services we looked at explicitly state that they will resist disclosing any information to law enforcement agencies and only comply with legal orders. Ancestry, 23andMe, MyHeritage, and Living DNA, particularly, emphasize their resistance to law enforcement inquiries. 

That’s not to say that the other DNA testing services just give up user data. However, SelfDecode, LetsGetChecked, Toolbox Genomics, and Everlywell each include a “good faith” caveat in their privacy policies, suggesting that these companies are free to disclose users’ information to law enforcement if they believe it necessary. Without a court order or warrant, this belief might be very subjective, leading to scenarios where individuals’ privacy and rights may be compromised.

Ancestry and 23andMe offer a transparency report—a document they update periodically that discloses how many requests for user information the companies received from law enforcement, and how many of those requests they complied with

FamilyTreeDNA allows its users to opt in to a genetic database that is accessible to law enforcement without a court order or any other enforcement mechanism. However, the company claims that unless a user opts in to this database, any law enforcement requests will be met with resistance. 
Even when DNA testing companies resist sharing user DNA and other genetic information with law enforcement, it’s not always enough. The past has shown that courts can force genealogy websites to provide access to their databases.5

How companies store physical samples

In order to use these services, consumers either need to provide a physical sample containing their DNA (usually saliva) or a digitized version of their DNA, where a sample was already processed by a different company. 

Our researchers noted a concerning lack of transparency in how these companies store physical samples. Users almost never know where their sample is stored

We found some specificity (of varying levels) provided by 6 out of 10 companies: 

  • Ancestry stores samples in a “secure facility.” 
  • 23andMe stores them in a “Biobank.” 
  • FamilyTreeDNA keeps their samples in a “lab in Houston.” 
  • MyHeritage discloses the name of the company securing their samples (Gene by Gene) and that it is located in Texas.
  • Living DNA keeps samples belonging to US customers in US-based labs and those belonging to EU customers in EU labs. 
  • DNA Complete indicates that they or one of their third-party partners store their samples. 

SelfDecode, LetsGetChecked, Toolbox Genomics, and Everlywell provide no information on where they store their samples.

While all of the services we analyzed allow the user to have their physical DNA sample destroyed, investigative reports have shown that this can be really difficult.6 

It’s unclear why commercial DNA testing companies would want to hold on to genetic samples. While most of these services offer subscriptions and new tests that can be done using the original sample, prolonged storage, especially without clear and explicit purpose, can pose privacy and security risks to users.

My Health My Data Act

While looking into their privacy policies, our researchers noticed that some of the companies may be breaking Washington state law by not providing a dedicated Health Data Privacy Policy.

Washington’s My Health My Data Act requires companies that work with the health data of Washington state residents to provide detailed explanations (in a dedicated Health Data Privacy Policy page) of the purposes and justifications for processing it.7 These pages also inform Washingtonians of their state-given rights. 

To this end, half of the investigated companies have specialized Health Data Privacy Policy pages. These pages help users (and our research team) better understand how and why the companies use their data. However, among the investigated services, we found 5 companies (Living DNA, FamilyTreeDNA, DNA Complete, SelfDecode, and Toolbox Genomics) that don’t have such a page. In these cases, we were unable to find such a page  (at least it was not prominently displayed to users connecting from Washington at the time of data collection) nor any indication that the service was unavailable in the state of Washington.  

While we can’t make claims about whether the My Health My Data Act applies to all investigated companies, the fact that some competitors have Health Data Privacy Policies may indicate a privacy concern for companies that don’t. 

Outside of the legal considerations, this also means that users are likely to have a harder time getting a thorough understanding of what’s happening with their health data, which is equally concerning.  

Risks associated with genetic data

Wherever sensitive data is involved, there are associated risks. Commercial DNA testing and ancestry services are no exception. These risks can range from data breaches to flaws in the company’s own privacy practices. 

For example, Nebula Genomics (which rebranded during our data collection and is now DNA Complete) recently became the subject of a class action lawsuit for allegedly violating Illinois state law by disclosing users’ genetic information without written consent.8 

Another service we examined, Everlywell, also faced a class-action lawsuit for exposing users’ protected health information to media giants like Facebook and Google through tracking pixels.9

Consumers should also consider what may happen to their genetic data if the DNA testing company undergoes an acquisition or merger. By law, the processing of personal information must match the terms outlined by the original data processor (service), or the new data processor must obtain explicit consent from users. However, it’s possible for users to miss such notifications or neglect to read new terms fully (which 56% don’t10), which could have serious implications for their privacy. 

Half of the companies we analyzed use genetic information for internal or external research, further amplifying privacy risks. Each transfer of genetic data increases the likelihood of errors in anonymization or data handling, potentially exposing sensitive information. In fact, a recent study has shown that anonymized genetic data can be re-identified with only information publicly available on the internet.11 

The more places sensitive data like genetic information is held, the greater the risk of that data ending up in a data breach. 

We found that 3 out of 5 of these services have experienced breaches:

  • Ancestry (December 2017): A vulnerability exposed 297,000 email and password combinations, although customer DNA data was reportedly unaffected.12
  • 23andMe (2023): A credential-stuffing attack targeted Ashkenazi Jewish and Chinese users, leading to the theft of user profiles and sensitive information.13
  • MyHeritage (October 2017): Details of over 92 million users, including email addresses and hashed passwords, were exposed in a security breach.14

Overview of the DNA testing and ancestry services

While we can’t make concrete statements about user data safety and privacy based solely on the privacy policies, we compiled a list of main takeaways for each service we analyzed. 

Ancestry:

  • Strongly resists law enforcement requests for user data and publishes a transparency report detailing such requests.
  • Uses genetic data to provide and improve its service and for conducting research.
  • Collects additional, potentially identifiable information to help construct family trees.
  • Offers a vague explanation of where DNA samples are stored. But allows users to not have their sample stored after initial analysis.
  • Complies with Washington’s My Health My Data Act by providing a Health Data Privacy Policy.

23andMe:

  • Strongly resists law enforcement requests for user data and provides a transparency report.
  • Uses genetic data for service improvement and marketing purposes.
  • Provides a vague explanation of where DNA samples are stored.
  • Has a Health Data Privacy Policy, complying with Washington’s My Health My Data Act.
  • Currently reported to be on the brink of bankruptcy.
  • Experienced a high-profile data breach targeting Ashkenazi Jewish users in 2023.
  • Offers the clearest privacy policy in the sample, despite recent controversies.

MyHeritage:

  • Strongly resists law enforcement requests for user data.
  • Uses genetic data for service provision and research purposes.
  • Collects additional information to aid in family tree construction.
  • States that DNA samples are stored in a Texas-based lab.
  • Complies with Washington’s My Health My Data Act with a Health Data Privacy Policy.

Living DNA:

  • Claims to resist law enforcement requests but may share data under a good faith belief of necessity.
  • Uses genetic data to provide its service.
  • Collects additional, potentially identifiable information for family tree construction.
  • Provides a vague explanation of where DNA samples are stored.
  • Lacks a Health Data Privacy Policy as required by Washington’s My Health My Data Act.

FamilyTreeDNA:

  • Offers an opt-in feature for sharing genetic data with law enforcement but otherwise only shares data when legally compelled.
  • Uses genetic data to provide and improve its service.
  • States that DNA samples are stored in a Texas lab.
  • Lacks a Health Data Privacy Policy as required by Washington’s My Health My Data Act.

DNA Complete (formerly Nebula Genomics):

  • Resists law enforcement requests without good faith clauses.
  • Uses genetic data for service improvement and research purposes.
  • Provides a vague description of DNA sample storage.
  • Lacks a Health Data Privacy Policy as required by Washington’s My Health My Data Act.
  • Associated with Nebula Genomics, which is facing a class-action lawsuit for privacy violations.

SelfDecode:

  • Claims to resist law enforcement requests but includes good faith exceptions for sharing.
  • Uses genetic data for service improvement, research, and marketing.
  • Provides no information about DNA sample storage.
  • Lacks a Health Data Privacy Policy as required by Washington’s My Health My Data Act.

LetsGetChecked:

  • Claims to resist law enforcement requests but includes good faith exceptions for sharing.
  • Uses genetic data for service provision and research.
  • Provides no information about DNA sample storage.
  • Complies with Washington’s My Health My Data Act with a Health Data Privacy Policy.

Toolbox Genomics:

  • Claims to resist law enforcement requests but includes good faith exceptions for sharing.
  • Uses genetic data for service improvement and marketing.
  • Provides no information about DNA sample storage.
  • Lacks a Health Data Privacy Policy as required by Washington’s My Health My Data Act.

Everlywell:

  • Claims to resist law enforcement requests but includes good faith exceptions for sharing.
  • Uses genetic data for service improvement and marketing.
  • Provides no information about DNA sample storage.
  • Complies with Washington’s My Health My Data Act but has the least user-friendly privacy policy, according to legal counsel.
  • Implications of commercial DNA testing and ancestry services

Implications of commercial DNA testing and ancestry services

While many DNA testing and ancestry services promise privacy, our research shows significant risks, including data breaches, vague policies on law enforcement access, and the potential for de-anonymization. 

This has a lot of implications for personal privacy. Genetic data, even when anonymized, is often combined with other technical and identifiable information which makes it possible to re-identify individuals. These vulnerabilities can expose users to misuse, intentional or otherwise, and even targeted attacks, as seen in the 23andMe breach that singled out Jewish and Chinese users.

The use of genetic data in research and advertising raises further ethical and privacy concerns. While research can drive innovation, it also introduces risks if data is improperly shared, anonymization processes fail, or the data is repurposed in ways not anticipated by users. Similarly, the use of genetic information in personalized marketing creates unsettling possibilities for discrimination and manipulation based on an individual’s genetic traits.

This research highlights the importance of greater awareness when engaging with DNA testing services, particularly during the holiday season when these kits are frequently purchased as gifts. 

For policymakers, the findings suggest a need for dialogue around clearer regulations. Requiring explicit and transparent disclosures regarding the use and storage of genetic and health data could improve accountability. Limiting how this data can be processed, shared, and sold, especially in states where such regulations are currently absent, may also help protect individuals from harm. Thoughtful regulation could also address ethical concerns around the use of genetic information in research and advertising to ensure that these practices align with broader societal expectations of privacy and fairness. Balancing innovation in genetic testing with robust safeguards for personal rights will be crucial as this industry continues to grow.

Methodology

After compiling a list of the most popular DNA testing services according to DNA Weekly16, Incogni researchers, with the help of legal experts, derived a set of areas of comparison. We then went through the privacy policies, terms of service and other pages made available by the analyzed services, noting down the information relevant to our areas of comparison. 

The data was collected on October 30th – 31st, except for Nebula Genomics which, during the initial period of data collection, had made their privacy policy unavailable. We found that DNA Complete was being pitched at the top of Nebula Genomics website, and since only DNA Complete had an available privacy policy, we collected data for and analyzed that service on November 14th.

Following the collection of privacy policy sections relevant to our set of questions, and with the help of Incogni legal experts, we simplified and standardized the information to allow for comparisons across services. 

The privacy-related topics we found interesting are presented above, with findings across services standardized and their implications analyzed.

The data used in this research is available here: Public dataset.

Sources

  1. Google. “Ads Transparency.” Accessed December 3, 2024. https://adstransparency.google.com/?region=anywhere.
  2. 23andMe. “Are You Genetically Connected to Early Colonial Americans?” Blog. Accessed December 3, 2024. https://blog.23andme.com/articles/are-you-genetically-connected-to-early-colonial-americans.
  3. Slate. “How FamilyTreeDNA Became a Resource for Law Enforcement to Solve Crimes.” March 12, 2019. https://slate.com/technology/2019/03/familytreedna-dna-testing-solve-crimes-law-enforcement.html.
  4. Harwell, Drew. “Ancestry, 23andMe and Others Say They Will Follow These Rules When Giving DNA Data to Businesses or Police.” Washington Post, July 31, 2018. https://www.washingtonpost.com/technology/2018/07/31/ancestry-andme-others-say-they-will-follow-these-rules-when-giving-dna-data-businesses-or-police/.
  5. Callaway, Ewen. “Judge Says Police Can Search DNA of Millions of Americans Without Their Consent. What’s Next?” Science, August 31, 2023. https://www.science.org/content/article/judge-said-police-can-search-dna-millions-americans-without-their-consent-what-s-next.
  6. Bloomberg News. “Deleting Your Online DNA Data Is Brutally Difficult.” June 15, 2018. https://www.bloomberg.com/news/articles/2018-06-15/deleting-your-online-dna-data-is-brutally-difficult.
  7. International Association of Privacy Professionals. “Washington My Health My Data Act Overview.” Accessed December 3, 2024. https://iapp.org/resources/article/washington-my-health-my-data-act-overview/.
  8. Reuters. “DNA Testing Company Nebula Accused of Violating Privacy in U.S. Lawsuit.” October 11, 2024. https://www.reuters.com/legal/litigation/dna-testing-company-nebula-accused-violating-privacy-us-lawsuit-2024-10-11/.
  9. Cook County Record. “Class Action: Everlywell Exposes Private Medical Information Through Tracking Pixels.” Accessed December 3, 2024. https://cookcountyrecord.com/stories/657548780-class-action-everlywell-exposes-private-medical-information-through-tracking-pixels.
  10. Pew Research Center. “Key Findings About Americans and Data Privacy.” October 18, 2023. https://www.pewresearch.org/short-reads/2023/10/18/key-findings-about-americans-and-data-privacy/.
  11. Technology Review. “Study Highlights the Risk of Handing Over Your Genome.” January 17, 2013. https://www.technologyreview.com/2013/01/17/180448/study-highlights-the-risk-of-handing-over-your-genome/.
  12. Twingate. “Ancestry Data Breach.” Accessed December 3, 2024. https://www.twingate.com/blog/tips/ancestry-data-breach.
  13. Weise, Karen. “Hack at 23andMe Exposes User Data.” New York Times, January 26, 2024. https://www.nytimes.com/2024/01/26/business/23andme-hack-data.html.
  14. Reuters. “Security Breach at MyHeritage Website Leaks Details of Over 92 Million Users.” June 5, 2018. https://www.reuters.com/article/business/security-breach-at-myheritage-website-leaks-details-of-over-92-million-users-idUSKCN1J1301/.
  15. DNA Weekly. Accessed October 31, 2024. https://www.dnaweekly.com/.

Other resources

We welcome the reuse of our images if proper attribution is given to Incogni. The charts, graphs, and tables used in this research can seamlessly embed into your website. Use the menu that appears at the top right of the visual when you hover over it with your mouse. When embedded, these visuals maintain their interactivity and preserve their original quality.

Is this article helpful?
YesNo
Scroll to Top