The more people plug their genes into a database, the more useful the service becomes for finding distant family or tracing one’s ancestry. There are deeper implications too: medical research, investigating cold cases, adoptees locating their parents. 23andMe, which along with Ancestry has the largest genetic database of these companies, also has FDA approval to test for genetic health risks like Alzheimer’s and Type 2 diabetes. Then there are the weirder frontiers: companies that claim to match you with genetically compatible roommates, dates, diet plans and vacation spots.
The business only works because we share our unique genetic identity. But the more this data is shared with strangers, researchers and corporations, the less private that data becomes. We’ve looked at the data policies of big tech companies before and found them severely inconsistent. Your genes are as personal as it gets.
On top of that, privacy experts say that direct-to-consumer DNA testing is highly unregulated. A genetic test in the doctor’s office is protected by HIPAA laws, which limit its sharing. These newer companies are bound primarily to their own privacy policies as well as committing to voluntary best practices by the Future of Privacy Forum.
The problem is, according to a major 2017 study from Vanderbilt University of 90 DNA testing companies, 39 percent of them had no written policy online about how they use genetic data. We looked at four of the biggest companies — 23andMe, Ancestry, MyHeritage and FamilyTreeDNA — to see what they really do with your identity.
What kind of data is being shared?
All four companies have accessible privacy policies online. And all four companies talk about “de-identifying” your genetic data. This can take two forms.
Aggregate data is generally a summary — say, the percentage of men who have a certain genetic trait. Most companies will use this data both internally and externally. 23andMe says it shares aggregate information “to perform business development, initiate research, send you marketing emails and improve our services.”
Individual data pertains to a specific person’s genotypes and characteristics but with identifying details like name and contact information removed. To have this information shared with third parties usually requires an opt-in and for good reason. Some research has shown that it may be possible to locate individuals using public information based on their genetic profile.
Who gets your data?
With this in mind, you should be aware of three major groups that DNA-testing companies share data with: research institutions, private corporations and law enforcement.