The more people plug their genes into a database, the more useful the service becomes for finding distant family or tracing one’s ancestry. There are deeper implications too: medical research, investigating cold cases, adoptees locating their parents. 23andMe, which along with Ancestry has the largest genetic database of these companies, also has FDA approval to test for genetic health risks like Alzheimer’s and Type 2 diabetes. Then there are the weirder frontiers: companies that claim to match you with genetically compatible roommates, dates, diet plans and vacation spots.
The business only works because we share our unique genetic identity. But the more this data is shared with strangers, researchers and corporations, the less private that data becomes. We’ve looked at the data policies of big tech companies before and found them severely inconsistent. Your genes are as personal as it gets.
On top of that, privacy experts say that direct-to-consumer DNA testing is highly unregulated. A genetic test in the doctor’s office is protected by HIPAA laws, which limit its sharing. These newer companies are bound primarily by their own privacy policies, along with voluntary best practices from the Future of Privacy Forum that they commit to.
The problem is that, according to a major 2017 Vanderbilt University study of 90 DNA testing companies, 39 percent of them had no written policy online about how they use genetic data. We looked at four of the biggest companies — 23andMe, Ancestry, MyHeritage and FamilyTreeDNA — to see what they really do with your identity.
What kind of data is being shared?
All four companies have accessible privacy policies online. And all four companies talk about “de-identifying” your genetic data. This can take two forms.
Aggregate data is generally a summary — say, the percentage of men who have a certain genetic trait. Most companies will use this data both internally and externally. 23andMe says it shares aggregate information “to perform business development, initiate research, send you marketing emails and improve our services.”
Individual data pertains to a specific person’s genotypes and characteristics but with identifying details like name and contact information removed. Sharing this information with third parties usually requires an opt-in, and for good reason. Some research has shown that it may be possible to locate individuals based on their genetic profile using public information.
Who gets your data?
With this in mind, you should be aware of three major groups that DNA-testing companies share data with: research institutions, private corporations and law enforcement.
Sharing of de-identified individual data for research requires an opt-in for Ancestry, 23andMe, MyHeritage and FamilyTreeDNA. But there are subtle differences. FamilyTreeDNA asks for customer approval for every specific research project; 23andMe’s consent form says, “For the most part, we won’t be able to contact you every time we would like to share your data.”
Last year, 23andMe announced a $300 million deal to share data with pharmaceutical company GlaxoSmithKline and has had partnerships with P&G Beauty and Pfizer. 23andMe’s unique approval to test for health risks also means that it collects more information from your saliva sample than other companies. Wirecutter reported that regardless of whether you purchase the biomedical or ancestry analysis, the company still tests your DNA the same way.
In the Vanderbilt University study, only 12 companies said explicitly that they wouldn’t share genetic data with third parties. For those that said they would share the data, “no company provided a specific or exhaustive list of exactly which third parties would receive access to the data, or for what specific purposes.”
This still proved true for the four big testing firms. Ancestry lists “some” of its collaborators online, such as the University of Utah, the American Society of Human Genetics and the National Marrow Donor Program.
When it comes to law enforcement, 23andMe states, “We will not provide information to law enforcement or regulatory authorities unless required by law to comply with a valid court order, subpoena, or search warrant.”
MyHeritage says, “It is our policy to resist law enforcement inquiries to protect the privacy of our customers” unless the company is served a court order. It does not assist in cold case investigations.
Ancestry similarly states, “If we are compelled to disclose your Personal Information to law enforcement, we will do our best to provide you with advance notice, unless we are prohibited under the law from doing so.” Last year it had 10 requests relating to credit card misuse, fraud and identity theft but none that required disclosing genetic information.
However, FamilyTreeDNA doesn’t just share data when it’s legally compelled. This year, the company confirmed that — unlike the other three companies — law enforcement can create accounts to upload DNA from crime victims and search its database. Customers can choose to opt out of “Law Enforcement Matching.”
How can you delete it?
The safest thing you can do after taking a company’s test is delete your data and get your DNA sample destroyed. (The main trade-off would be missing out on future matches, if locating family members is a primary reason for taking the test.)
All four companies allow you to erase your account and destroy your DNA sample either through their websites or by contacting customer service. 23andMe destroys saliva samples after analysis unless you opt in to having them stored.
But how far your genetic information has spread by then may be unclear. Your DNA info can be removed from the testing company’s servers, but it can’t be recalled from the third-party corporations or universities that already have it. In general, the less diffused your data is, the less likely it is to fall into the wrong hands.