Genealogy websites and DNA testing services like Ancestry, 23andMe, MyHeritage, and FamilyTreeNow have made it remarkably easy to explore your family history and genetic heritage. But in handing over your DNA, the most distinctive and permanent identifier you have, you may be exposing yourself and your relatives to serious privacy risks that can never be fully undone.
Why Genetic Privacy Is Different
Unlike a password or even a Social Security number, your DNA cannot be changed. Once it's compromised, it's compromised forever. And your DNA doesn't just identify you — it reveals information about your biological relatives, even those who never consented to testing.
Researchers have found that a genetic database covering just 2% of a target population can provide a third-cousin match to nearly any person. This means even if you've never taken a DNA test, your relatives' participation may have already exposed your genetic information.
The Privacy Risks of Genealogy Websites
Data Breaches
In October 2023, 23andMe suffered a major data breach that exposed the personal and genetic data of approximately 6.9 million users. The company later filed for bankruptcy in 2024, raising concerns about what would happen to the genetic data of its 15 million customers. This isn't a hypothetical risk — it has already happened.
Third-Party Data Sales
Genealogy companies have a history of monetizing user data. In 2018, GlaxoSmithKline purchased access to 23andMe customer data in a deal worth $300 million, gaining the ability to mine genetic data for pharmaceutical research. While users technically consented, many didn't fully understand what they were agreeing to.
Law Enforcement Access
Police and federal agencies have used genealogy databases to solve cold cases by uploading crime-scene DNA and searching for familial matches. While this has led to the capture of dangerous criminals, it also means your DNA could be searched by law enforcement even if you've never been suspected of a crime.
Insurance and Employment Discrimination
While the Genetic Information Nondiscrimination Act (GINA) prohibits health insurers and employers from discriminating on the basis of genetic information, it does not cover life insurance, disability insurance, or long-term care insurance. Your genetic data could theoretically be used against you in those contexts.
Re-identification Attacks
Academic research has demonstrated that anonymized genetic data can often be re-identified using publicly available genealogy databases, demographic information, and other data sources.
You Can't Undo a DNA Test
You can delete an account and request data destruction, but you can't know for certain that all copies of your genetic data have been removed — especially if it was shared with third-party researchers or partners before you requested deletion.
How to Protect Your Privacy
Before You Test
- Read the privacy policy carefully: Pay special attention to sections about data sharing, third-party access, and what happens to your data if the company is sold or goes bankrupt.
- Opt out of research: Most services ask if you want your data used for research. Choose "no" unless you fully understand what that entails.
- Use a pseudonym and separate email: Create a new email address specifically for the genealogy service. Consider using a name variant rather than your full legal name.
- Consider the family implications: Your DNA reveals information about parents, children, siblings, and even distant cousins. Discuss the decision with family members first.
While You're Using the Service
- Limit profile visibility: Set your profile and DNA results to the most private settings available.
- Don't link social media accounts: Keep your genealogy profile separate from your other online identities.
- Review sharing settings regularly: Companies often update their privacy settings and terms of service. Check yours at least quarterly.
- Be cautious with DNA relative matching: Enabling this feature shares your genetic information with other users who match as relatives.
If You Want to Leave
- Download your data first: Before deleting, download a copy of any family tree research or records you want to keep.
- Request data deletion: Submit a formal deletion request for both your account data and your genetic sample. Most services allow this through account settings.
- Request sample destruction: Explicitly ask for the physical destruction of any DNA sample the company may still have on file.
- Opt out of research: Even before deleting, ensure your data is removed from any research programs.
- Follow up in writing: Send a written request via email citing your rights under CCPA, GDPR, or applicable state privacy law.
23andMe Users: Act Now
Following 23andMe's 2024 bankruptcy filing, privacy experts recommend that all current and former users delete their accounts and request destruction of their DNA samples as soon as possible. The fate of user data in bankruptcy proceedings remains uncertain.
Protect Your Broader Online Privacy
Genetic data is just one piece of your privacy puzzle. Data brokers aggregate information from dozens of sources — public records, social media, purchase history, and more — to build detailed profiles that can reveal nearly as much about you as your DNA. Sites like FamilyTreeNow, for example, function as both genealogy platforms and people-search data brokers.
PrivacyOn monitors and removes your personal information from 100+ data broker sites, including people-search services that aggregate family and household data. While no service can put your DNA back in the bottle, PrivacyOn can help ensure the rest of your personal data isn't freely available online.