DNA testing privacy concerns at AncestryDNA, 23andMe, FTDNA, MyHeritage, Living DNA and GEDmatch are real. Here’s what’s at stake and how each company handles your genetic data.
Are you worried about DNA testing and privacy considerations? You’re not alone.
Here, we consider 3 common DNA privacy issues, and then review specific privacy policies at the “big 5” DNA testing companies: 23andMe, AncestryDNA, FamilyTreeDNA, Living DNA and MyHeritage. We also share recommendations on the free GEDmatch website.
DNA privacy considerations
1. Relatives’ privacy
The privacy concern that has, to date, affected the most people most profoundly is the reality that when you take a DNA test, you may unearth your relatives’ secrets or find unknown birth relatives.
Depending on who in your family takes a test, you may learn (immediately or in the future) that you or a relative are not genetically connected to one or both parents. You may discover unexpected birth relatives, including sperm donor fathers, half-siblings, grandchildren, nephews, nieces, etc. If you’re a genetic male, you may discover a child you didn’t know about. If one of your relatives in the past few generations had an unknown child, it’s possible that analysis of your DNA match list will eventually reveal it.
Many people today are not troubled at the idea of revealing these relationships, and in fact see it as a healthy discovery process. Many people pursue DNA testing in the hopes of finding these connections. Others may think you should “let sleeping dogs lie” when it comes to unknown biological relationships. The reality is that somebody in the family will eventually test and possibly make unexpected discoveries. Each person who takes a DNA test decides for themselves and their relatives whether and when to open the door to these possibilities. When you do this yourself, you become involved in the process, so you have more control over how and when you find out about things, and how and when that information is disseminated to your family.
There is a middle-ground option for the unsure. If you’re ready to explore your DNA ethnicity, but aren’t ready to learn about any genetic relatives, you can choose not to participate in DNA matching for now. If you do this, you won’t see any DNA matches and they won’t see you. When you’re ready, you can change your test settings to opt in. Depending on which testing company you use, you may be automatically opted in or out, and you’ll need to adjust your settings according to preference.
2. Licensing or selling of individual genetic data
Genetic data is valuable. Selling or licensing clients’ individual genetic information is a practice that is expressly forbidden in the privacy policies of all five major companies. They will not interact with insurance companies, other databases, research companies, government agencies, or marketers with regard to selling any individual private data.
In contrast, recently 23andMe sold its rights to a new drug it developed using customers’ combined data. No individual client’s private genetic information is identifiable in this licensing agreement with the pharmaceutical company, just the rights to produce and market the drug they developed. This is an example of the type of sale or licensing of products that companies may produce from research of the pooled data of many DNA clients, but that still protects the privacy of individual database participants.
Keep reading to learn more about policies at each DNA testing company.
3. Law enforcement access
We have written previously on the topic of law enforcement access to genetic genealogy databases. Here’s a little backstory. In 2018, California law enforcement officials identified the serial murderer known as the “Golden State Killer” after a sample of his DNA was uploaded to the GEDmatch genetic genealogy website. Techniques we now use in genetic genealogy to identify our unknown ancestors and find birth relatives were used to successfully identify the perpetrator, Joseph DeAngelo. He later pled guilty to 13 counts of first-degree murder and other charges.
While, as we’ve written previously, we all want to catch criminals, especially serial murderers, questions arise as to the ethics of using genetic genealogy databases for criminal investigation without the express consent of the DNA testers. Each person may or may not be okay with their DNA being used to identify criminals. Each DNA testing company has terms of service (TOS) that specify whether and how law enforcement can submit DNA samples to the database. See those TOS below.
DNA testing privacy: A look at each company
Of all of the companies, 23andMe communicates their commitment to client privacy in the strongest terms and gives the most granular control to each customer as to how they consent to their DNA being used.
Law Enforcement Access. 23andMe clearly communicates their priority for client privacy and has an aggressive legal team positioned to closely scrutinize inquiries from law enforcement, and rebuff any external requests for individual-level personal information.
Short of lawfully valid court orders, subpoenas, and search warrants, 23andMe does not collaborate with law enforcement. These situations have proved to be quite rare. Of the millions of clients throughout the history of 23andMe, there have been only 8 government requests for customer information which involved 11 individual clients. In ZERO of those cases was data relinquished without the prior explicit consent of the client. 23andMe updates a quarterly Transparency Report that details the number of clients connected to law enforcement requests in an effort to illustrate their commitment to keeping customers informed and their individual data secure.
Licensing/Selling Genetic Information. It is the policy of 23andMe to never share genetic or self-reported data with employers, insurance companies, public databases or third party marketers. There is no selling or licensing of clients’ information, period.
Further, 23andMe has been an active advocate in legislative action that prevents genetic discrimination and protects individuals’ genetic privacy. In the US, 23andMe participated in the development of the Genetic Information Nondiscrimination Act (GINA, 2008), along with California’s state version of this initiative (Senate Bill No. 559, 2011).
23andMe does collaborate with qualified research partners in academia, non-profit organizations, pharmaceutical and diagnostic companies. This is the only case in which data is shared with any other organization. Clients are able to opt in or out of participation in any of these research initiatives. In-house research conducted by 23andMe is addressed through the Research Consent Document, available to clients at initiation of their account and any subsequent time for modification of permissions. Clients can also choose to allow their individual de-identified data to be shared with research collaborators through the Individual Data Sharing Consent Document. Neither of these constitutes data selling or licensing; they are mentioned in contrast, as fully informed consent for research participation under the umbrella of 23andMe.
Law Enforcement Access. With a posture similar to 23andMe’s toward working with law enforcement, AncestryDNA does not voluntarily release customer data to government agencies. Customers are provided the greatest protection under the law, and only legally enforced requests backed by court order, subpoena, or search warrants would be an exception. Like 23andMe, AncestryDNA publishes a Transparency Report documenting requests from law enforcement for clients’ private records, which is updated semi-annually. In the first half of 2021, AncestryDNA received five lawful government requests for non-DNA customer data, all of which were related to credit card fraud and identity theft. The non-DNA related data was provided to the agency in one of those cases. Considering the millions of customers that AncestryDNA hosts, the interaction with law enforcement over individual cases is rare.
Licensing/Selling Genetic Information. AncestryDNA clearly states multiple times in their privacy documentation that they do not sell personal information to any third party entity.
The only organizations that AncestryDNA shares data with are well-qualified research partners. Only clients who have expressly consented to participating in research initiatives will be included in internal or collaborative investigations. This is accomplished through the Informed Consent to Research and can be modified or withdrawn by clients at any time. A full list of research partners is found here, and in some cases AncestryDNA may have financial interest in the research arrangement. However, this is a separate issue from selling individual client data, a practice the company rejects.
Where other companies actively resist requests from law enforcement, FamilyTreeDNA* has established a framework for allowing limited query of their database to investigate violent crime. Here’s what you need to know as a client of FamilyTreeDNA (FTDNA).
Law Enforcement Access. In cases of homicide, sexual assault, abduction or identifying human remains, FTDNA may allow investigators to create a limited account to upload DNA data related to a violent crime. FTDNA tracks these law enforcement (LE) accounts in a way that allows general clients to completely opt out of any database queries related to crime investigation. If a customer opts in to LE Matching, their profile will become visible to investigators only if (1) the client is a genetic relative of the person LE has uploaded and is investigating, and (2) the customer and LE account have the same matching levels selected. The information that LE will see in DNA matches is the same as that seen by any other general match:
- First and last name provided by the customer
- Email address
- Personal Story/About Me details
- Ancestral Surnames
- Earliest known ancestors
- Family tree, self-entered
- Ethnicity, mtDNA and Y-DNA test results and information
For clients who choose to opt out of LE Matching, there may be legal situations where FTDNA will still be compelled to share a customer’s personal data with government agencies. This is true of all of the DNA companies, as they cannot lawfully disregard valid court orders, subpoenas, or search warrants. FTDNA states that it will make efforts to provide the minimum degree of cooperation required by valid legal requests.
FamilyTreeDNA also publishes a Transparency Report showing a total of 2 valid criminal subpoenas the company has fielded since the initiation of the report in 2019.
Licensing/Selling Genetic Information. As for licensing or selling your DNA data, FamilyTreeDNA states, “we do not share, trade or barter your genetic information.” Users can consent to participate in research projects, and if any of these include sharing clients’ data with a research partner, the clients will be contacted to ask for express consent. This is the only circumstance under which data would be shared, and is a distinct practice from selling or licensing customers’ private information.
Living DNA has a distinct legal privacy profile because it is based in the UK, and EU-based clients (where the data is stored) may benefit from the privacy protections of the regulatory regime in the EU. Users outside of the EU, and EU-based clients, are advised that passing their personal information outside of the EU (through their Family Networks product) will put this data outside of certain protective policies.
Law Enforcement Access. Living DNA* reports that it does not share the personal information of clients with law enforcement agencies unless it determines it is legally required to do so.
Licensing/Selling Genetic Information. Living DNA states, “We do not sell customer data, ever.”
Situations where clients’ data may be shared with third parties include research initiatives where clients have opted-in. The anonymous data is pooled with other customers’, and no individuals or their personal information can be identified. There is never a payment arrangement when data is shared for research purposes in this way.
Law Enforcement Access. Among the key privacy principles MyHeritage operates under is a longstanding commitment to prohibit law enforcement from using its DNA Services. With the exception of a valid court order or subpoena, MyHeritage will not provide customer information to law enforcement.
Licensing/Selling Genetic Information. Over its 18-year history, MyHeritage has never sold or licensed personal data (customer names, email addresses, residential addresses, family trees) or genetic data, and will never engage in this practice. MyHeritage states that it will never provide data to insurance companies.
What about privacy and GEDmatch?
Out of concern for privacy, and frankly because we feel you can find more of what you need in other places, we discourage use of GEDmatch, a free site for pooling DNA test results from different testing companies.
When GEDmatch first started out, a high level of security and privacy was not expected, or even on the radar. But as GEDmatch grew in popularity and notoriety, that mentality did not change. 2019 was an especially bad year for GEDmatch as they breached their agreement with their users and lost the confidence of many noted genetic genealogists, including The Legal Genealogist, Judy G. Russell.
Some indicated that GEDmatch would be more secure and dependable after its sale to Verogen in late 2019 (even though the site was being sold to a forensics company), but as of July 2020 they were still facing security issues.
However, being able to share your test results across DNA testing companies is crucial to genetic genealogy success. That’s why we give away a free guide on alternative strategies to using GEDmatch.
So which is the Best DNA test for YOU?
Privacy is one important consideration of many when you take a DNA test. Read Best DNA Tests for Family History for reviews and comparisons of 23andMe, AncestryDNA, MyHeritage, Living DNA and FTDNA on multiple criteria.