Edmund Coby
Don't Sell My Data campaign intern
Genetic test kits are a popular gift. But before you swab your cheek, here are some DNA testing privacy concerns you may want to know.
Director, Don't Sell My Data Campaign, U.S. PIRG Education Fund
If you’re thinking about giving a DNA test kit this holiday – or have just gotten one yourself – you’re not alone. These popular products promise insights into your ancestry, health, and personality. But behind the convenience lies a serious trade-off: your genetic data—and your family’s—may be at risk. From privacy breaches to questionable data-sharing practices, these kits expose your most sensitive information to threats you can’t always control.
Genetic testing kits, offered by biotech companies, are widely available through their websites or major retailers like Walmart and Amazon. Over 30 million people globally have used a commercial test. The market is even expanding to include DNA tests for pets.
These kits are easy to use: set up an online account, collect a saliva sample (via spit vial or cheek swab), seal it in a prepaid package, and send it to the lab. Within weeks, results provide ancestry breakdowns, family history insights, and health-related information, such as genetic predispositions to conditions like heart disease or Alzheimer’s. Some even claim to reveal traits, like a genetic dislike for cilantro or natural knack for self-discipline.
Neat as they are, the risks are real. Here are some factors to take into consideration before sending in a swab.
When you submit your DNA, you are sharing your most unique and sensitive identifier—your genetic code—with a for-profit company, and you can’t exactly control what happens with it next. In fact, your data may be sold to or shared with other companies. In 2018, for example, 23andMe signed a deal with the pharmaceutical company GlaxoSmithKline allowing the company to use customer data for drug research.
Companies may ask if you want to allow your DNA data to be used for research purposes. While it may sound like the benevolent thing to do, opting into such sharing opens you up to bigger risks. Data may pass through the hands of many research partners, and the more entities that get involved, the harder it is for the company to guarantee what is or isn’t happening with your data. In some cases, agreeing to your data being used for research purposes not only allows third parties access to your genetic data, but may also include other personal identifiers like account numbers or contact details.
More unscrupulous companies may share data even more widely. According to a complaint filed by the FTC, the DNA test kit company 1Health.io Inc. quietly changed its privacy policy in 2020, expanding the types of firms it could share user data with to include supermarkets and nutrition and supplement manufacturers without alerting consumers.
To best protect your DNA, Consumer Reports recommends declining “informed consent research” requests from services like Ancestry.com. We also advise opting out of having your data stored in a “biobank” or other extended storage options. The sooner your DNA is deleted from their databases and your samples destroyed, the better it is for keeping your information safe.
This is no longer just a hypothetical question. 23andMe is reportedly facing financial trouble, raising questions about what happens to all of the DNA the company holds if it’s sold off. As reported by CBS News, the company’s user agreement states that “if the company is acquired, customers’ data may be accessed or sold as part of such a transaction.” The possibility that a new corporate owner could choose to sell your DNA more widely is a little unsettling.
If you’ve submitted a swab to 23andMe, you can request the company delete your data in your account settings. You can also ask that your sample be destroyed, and withdraw consent for your data being used for future research. We recommend taking these steps.
In the U.S., it’s illegal for insurance companies to use genetic information to determine your health insurance rates. However, there’s no federal law stopping companies from using DNA to determine rates for life insurance, disability insurance or long-term care policies. The Genetic Information Nondiscrimination Act, which was passed in 2008, carved out these types of insurance offerings.
With DNA testing being so prevalent, some Americans have already experienced denials for life insurance policies based not on a disease they currently have, but on one their genes suggest they may develop in the future.
Particularly in the case of 23andMe, there are fears that if the company were to end up in different hands, the insurance industry could more easily access people’s genetic information when making decisions about policies.
Your genetic data isn’t just valuable to companies—it’s also a target for malicious actors. In October 2023, a breach at 23andMe exposed data for over 6.9 million users, including ethnicity estimates, locations, and family trees. While raw DNA profiles were not leaked, the data stolen in the hack was enough to “reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships,” according to the UK Information Commissioner’s Office.
Data as sensitive as DNA can be appealing for bad actors. It can be more profitable for them to sell on the dark web than more commonly stolen types of data like email addresses and passwords. In the case of a ransomware attack – where a hacker holds data for ransom and may begin leaking samples of it online in order to create more urgency around a payoff – DNA may also command a higher price, paid more quickly.
There are surprisingly few laws protecting your DNA once you give it to a company. For example, many people think of HIPAA as our nation’s health data privacy law. But in fact, HIPAA only protects your health data when it’s in the hands of doctors’ offices, hospital systems or insurance companies. It does not cover health data collected by apps or websites, or even your DNA when it’s in the hands of a test kit company.
At least until we have strong rules protecting DNA data, you may be better off doing some old-fashioned genealogy research without the spit sample.
R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, predatory auto lending and consumer debt. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder.