DNA Testing Privacy Risks: What Happens to Your Genetic Data

By AntiPhishers

Consumer DNA testing services like 23andMe, AncestryDNA, and MyHeritage have collected genetic data from over 40 million people. This data reveals not just your ancestry but predispositions to diseases, drug sensitivities, and biological relationships. Unlike a stolen password that can be changed, your DNA is permanent, unique, and shared with every biological relative. Privacy risks from DNA testing are lifelong and extend beyond the person who submits the sample.

What DNA Tests Reveal

Consumer DNA tests analyze hundreds of thousands to millions of genetic markers. From these, companies derive ancestry composition, relative matching (connecting you with biological relatives who have also tested), health predispositions (BRCA cancer variants, Alzheimer’s risk, carrier status for genetic conditions), and physical trait predictions.

This information is intensely personal and impossible to anonymize meaningfully. Research has demonstrated that just 100 genetic markers can uniquely identify a person from a database of millions. De-identified genetic data can be re-identified using publicly available genealogical databases.

Privacy Risks

Data breaches. The 2023 23andMe breach compromised 6.9 million user profiles, including ancestry data and relative matches. Genetic data, once breached, cannot be rotated like a password. The exposure is permanent.

Law enforcement access. Law enforcement has used consumer DNA databases to solve crimes through genetic genealogy, a technique that does not require the suspect to have taken a DNA test. If a distant relative has tested, their DNA can lead investigators to you. The Golden State Killer was identified through a third cousin’s DNA on the GEDmatch platform. While GEDmatch and FamilyTreeDNA have opted into law enforcement partnerships, 23andMe and Ancestry have generally resisted law enforcement requests that are not backed by valid legal process.

Insurance discrimination. The Genetic Information Nondiscrimination Act (GINA) prohibits health insurers and employers from using genetic data for discrimination, but GINA does not cover life insurance, disability insurance, or long-term care insurance. Companies offering these products can legally use genetic information in underwriting decisions.

Third-party sharing. Companies may share genetic data with research partners, pharmaceutical companies, or other third parties. 23andMe has partnerships with pharmaceutical companies for drug development research. While participation is opt-in, the terms and scope of data use may not be fully understood by consumers who consent.

Protecting Yourself

Read the privacy policy completely before submitting a DNA sample. Understand who the data will be shared with and under what conditions. Opt out of research participation if you do not want your data used by third parties. Use the most restrictive sharing settings available. Delete your account and request sample destruction if you no longer want the service to retain your data. Consider that testing affects not just your privacy but the privacy of every biological relative.

For understanding your data privacy rights, see our CCPA privacy rights guide. To remove your personal information from data aggregators, explore our data broker removal guide.

Family Implications

Your decision to take a DNA test affects your biological relatives without their consent. Your genetic data reveals information about parents, siblings, children, and extended family members. A DNA test can reveal family secrets: previously unknown siblings, misattributed parentage, and undisclosed adoptions. These revelations, while sometimes positive, can cause significant family disruption.

Before testing, consider discussing it with close family members. Be prepared for unexpected relative matches. Understand that your DNA data, combined with that of other testers, contributes to a growing genetic database that can be used to identify family members who have not themselves tested.

If you have already tested and want to limit your exposure, most platforms allow you to delete your account and request destruction of your physical sample. However, any data already shared with research partners or matched with other users cannot be fully recalled. DNA testing, once done, cannot be fully undone.