Why DNA privacy is different from other data
Genetic data is unlike any other personal information:
- It's permanent. You can change a password or get a new credit card number. You can't change your DNA. A data breach involving genetic information has lifelong implications.
- It's shared with relatives. Your DNA reveals information about your biological family members, even if they never consented to testing. A sibling shares roughly 50% of your variants. Even a second cousin shares enough to be identifiable.
- It reveals health predispositions. Genetic data can indicate risk for diseases, carrier status for inherited conditions, and drug metabolism differences. This information could theoretically be used against you by insurers or employers.
- It can't be anonymized easily. Even "de-identified" genetic data can potentially be re-identified using genealogy databases and public records.
What happens to your data at major companies
23andMe
23andMe stores your saliva sample and genetic data. They have a research arm that uses aggregated, de-identified genetic data for studies (with user consent). Users can opt out of research. Account deletion is available through settings, though 23andMe's financial difficulties and bankruptcy proceedings have raised questions about what happens to user data during ownership transitions. If you're a 23andMe customer, download your raw data and make sure you understand the current deletion process.
AncestryDNA
Ancestry stores genetic data and connects it to family tree information. They also have a research program. Users can request sample destruction and data deletion through their account settings. Ancestry has historically been more transparent about data handling than some competitors, but policies can change with corporate direction.
Third-party interpretation services
Services that analyze your raw DNA data (rather than collecting a sample) generally handle less data — they receive a text file, not biological material. However, they still receive your full genotype data, which is sensitive. Policies vary widely. Some store your data permanently, others process it and delete it. Always check before uploading.
Questions to ask before uploading DNA anywhere
- Can I delete my data? How? Look for a clear, self-service deletion process. If deletion requires emailing support and waiting weeks, that's a yellow flag.
- Is my data shared with third parties? Check who has access — research partners, pharmaceutical companies, law enforcement. Understand what "de-identified" means in their context.
- Is it used for research? Can I opt out? Some companies use genetic data for drug development research. This isn't inherently bad, but you should have a real choice.
- Where is it stored? How is it encrypted? Look for specifics about encryption at rest and in transit. Cloud hosting details matter — which provider, which jurisdiction.
- What happens if the company is sold or goes bankrupt? This is the question most people forget to ask. When a company changes ownership, data policies can change with it. The 23andMe bankruptcy situation made this concern very real.
- Can law enforcement access my data? Some companies have clear policies about law enforcement requests. Others are vague. GEDmatch famously allowed law enforcement access (leading to the Golden State Killer identification), which changed the landscape of genetic privacy discussions.
Legal protections: what exists and what doesn't
GINA (Genetic Information Nondiscrimination Act)
GINA is a US federal law passed in 2008. It provides two key protections:
- Employment — employers cannot use genetic information in hiring, firing, promotion, or other employment decisions.
- Health insurance — health insurers cannot use genetic information to deny coverage or set premiums.
What GINA does NOT cover:
- Life insurance — life insurance companies can legally ask about and use genetic test results in underwriting decisions.
- Disability insurance — same as life insurance, not covered by GINA.
- Long-term care insurance — also not covered.
- Military — GINA doesn't apply to members of the military.
- Companies with fewer than 15 employees — the employment protection doesn't apply to very small businesses.
State laws
Some US states have passed additional genetic privacy laws that go beyond GINA. California, for example, has broader protections. If you're concerned, check your state's specific laws.
International protections
The EU's GDPR classifies genetic data as a "special category" requiring explicit consent for processing. This provides stronger baseline protections for EU residents. Other countries have varying levels of genetic privacy legislation.
Practical privacy tips
- Download your raw data from your testing company. Having your own copy means you're not dependent on the company continuing to exist or maintaining current policies.
- Read the privacy policy before uploading. It takes 10 minutes and can save years of regret. Look for the specific sections on data sharing, retention, and deletion.
- Opt out of research if you're uncomfortable. Most companies make this an opt-in or opt-out choice. Know what you've agreed to.
- Use services with clear deletion processes. If a service can't clearly explain how to delete your data, consider whether you trust them with it.
- Be cautious about sharing results publicly. Posting genetic results on social media or forums reveals permanent information about you and your family.
- Consider the timing of life insurance. If you're planning to apply for life insurance, consider doing so before genetic testing, since GINA doesn't cover life insurance underwriting.
The 23andMe bankruptcy situation
23andMe's financial difficulties and bankruptcy filing brought genetic data privacy into mainstream attention. The key concerns:
- When a company enters bankruptcy, its assets (including user data) can be sold to new owners.
- New owners may not honor previous privacy commitments.
- The California Attorney General and other regulators have weighed in on protecting consumer genetic data during the process.
- Users were advised to download their data and request deletion if concerned.
This situation serves as a concrete reminder that corporate promises about data handling are only as durable as the company making them. Having your own copy of your raw data and choosing services with strong deletion capabilities are practical safeguards.
Frequently asked questions
Should I avoid DNA testing entirely because of privacy risks?
That's a personal decision. The health insights from DNA testing can be genuinely valuable (pharmacogenomics alone can prevent adverse drug reactions). The key is being informed about the tradeoffs and choosing services with good privacy practices.
Can my genetic data be used against me by insurance companies?
For health insurance, no (GINA protects you). For life, disability, and long-term care insurance, the legal protections are weaker. In practice, most insurers don't currently request genetic test results, but the legal landscape may evolve.
If I delete my data from a company, is it really gone?
Companies typically confirm deletion of your data from active systems. Backup systems may retain data temporarily. Research datasets that included your de-identified data before deletion may still exist. Complete removal from all systems is difficult to guarantee — but deletion from active databases and sample destruction still significantly reduces your exposure.
What about law enforcement access to DNA databases?
Investigative genetic genealogy (using DNA databases to identify suspects) has solved many cold cases but has also raised privacy concerns. Different databases have different policies — GEDmatch and FamilyTreeDNA have allowed law enforcement access, while 23andMe and Ancestry generally require warrants. Check each service's law enforcement policy before uploading.
Does genetic testing affect my existing health insurance?
Under GINA, no. Health insurers cannot use genetic information to deny coverage, change premiums, or impose pre-existing condition exclusions based on genetic test results. This protection applies regardless of what your genetic tests reveal.