DNA Privacy Policy Writeup

AncestryDNA and 23andMe are both companies that offer DNA testing kits so that people can have genetic testing done. However, both companies have had public scandals revolving around selling user data and data leaks. So, how do they protect user data? 23andMe states that they conduct all analyses with de-identified data, so the genomic information and personally identifying information are kept separate. They also do not publish any research information that identifies any particular individual. AncestryDNA claims to use secure software to encrypt all user data, including personal and genetic information. However, they do not mention any specifics about de-identifying the stored data. It can be inferred that PII and genetic information are linked in their records. 23andMe openly states that all data, including personal information, can be sold in the case of mergers or bankruptcy. Ancestry also states that the information in their databases can be sold under those circumstances, as well as sold to analytics and advertising companies for targeted ads. They state that de-identified data is shared with research partners with user consent.

With the rise of these genomic databases, there have been plenty of news stories about law enforcement using them to match forensic DNA to website users. There has also been some concern that these websites will share data with health insurance companies, causing higher rates for those with an increased likelihood of illnesses. Both websites have the same stance on sharing information in these cases. Law enforcement needs a search warrant, a subpoena, or a court order to access their databases. As for health insurance companies, information will not be shared unless there is express consent from the user.

When it comes to data retention and deletion, things get murky in the privacy policies. 23andMe gives users the option to have their sample either stored or destroyed after analysis. Users can also delete their account; however, there is no guarantee of data removal after they do so. The company states that it has a legal requirement to retain all information for an unspecified period of time before it can be removed. AncestryDNA has a more cut-and-dried answer: DNA samples are kept for seven years, after which they can be destroyed, and genetic/personal information will be removed from their database. However, ‘usage’ information is retained seemingly indefinitely, even after account deletion. If a user opts into having their information used for additional research, it is used in much the same way by each company. Genetic information can be used for research into diseases, traits, and population history, both by the company itself and by third-party collaborators.

Personally, I would be hesitant to fully entrust my genetic information to either company. With that being said, I would be more inclined to use 23andMe. Both companies allow the sharing or sale of data under specific circumstances. Even if data is de-identified, there is a risk that advancements in technology could allow for re-identification. The fact that both companies retain data even after account deletion, with AncestryDNA keeping usage data and 23andMe holding data for an undefined “limited period,” limits control over your personal information once shared. 23andMe has better de-identification measures when it comes to research, which suggests a stronger emphasis on privacy for research purposes. AncestryDNA lacks a clear separation between PII and genetic data, which is a potential vulnerability. They also explicitly mention that they share data with advertising and analytics companies. Neither company offers complete protection, but 23andMe seems to have better policies when it comes to protecting your data. However, I personally wouldn’t use either website due to the inherent risks of putting personal information out there.
