DNA Privacy Policy- Biomolecules

DNA Privacy Policies: A Personal Reflection on AncestryDNA and 23andMe
As genetic testing becomes increasingly popular for ancestry and health insights, the
privacy policies of companies like AncestryDNA and 23andMe deserve scrutiny. These
companies collect and store some of the most sensitive data imaginable: our genetic
code. Understanding how they protect this data, how it connects to our personal
information, and how it may be shared or accessed by third parties is essential before
entrusting them with our DNA. After reviewing the privacy policies of both companies, I
found notable differences in their approaches to data protection, law enforcement access,
and user control. These differences ultimately shaped my decision about which company I
would trust with my genetic information.


Genetic Data Protection
Both AncestryDNA and 23andMe emphasize strong security measures to protect genetic
data. AncestryDNA uses secure third-party labs and separates DNA samples from
personally identifiable information (PII) by assigning unique registration codes. They also
encrypt genetic results and restrict access to authorized personnel. Similarly, 23andMe
employs ISO-certified security protocols, SSL encryption, and robust access controls.
Their infrastructure is designed to prevent unauthorized access and ensure that genetic
data is stored separately from PII. While both companies demonstrate a commitment to
data security, 23andMe’s use of internationally recognized certifications adds an extra
layer of assurance.


Connection to Personally Identifiable Information (PII)
AncestryDNA collects PII such as full birth dates, names, and addresses during kit
activation. Although they claim to store DNA separately from identity, the account-based
structure still links genetic data to PII. 23andMe also collects PII but stores it separately
and encrypts it. Users have more granular control over what is shared, and the company
avoids linking data to public databases. In this regard, 23andMe offers more transparency
and user control, which reduces the risk of re-identification.


Data Sharing with Third Parties
Both companies allow data sharing with third parties, but the terms differ significantly.
AncestryDNA may share de-identified data with affiliates and external partners, and while
they require consent for sharing identifiable data, their policy is less detailed about how
de-identification is maintained. 23andMe, on the other hand, does not sell genetic data
without explicit consent and only shares de-identified data with approved research
partners if users opt in. They also require additional consent for sharing individual-level
data. This layered consent model gives users more control and clarity over how their data
is used.


Law Enforcement Access
This is one of the most critical areas of concern. AncestryDNA requires a valid legal
process, such as a warrant or court order, before providing data to law enforcement. They
have published transparency reports and guidelines for legal requests. 23andMe goes
further: they have never voluntarily released data to law enforcement and pledge to
exhaust all legal remedies before complying with any request. Their stance is more
protective of user privacy and demonstrates a stronger commitment to resisting
government overreach.


Data Retention and Deletion
AncestryDNA allows users to delete their accounts, which permanently erases personal
data and destroys DNA samples upon request. 23andMe also allows users to delete their
data and account at any time. However, recent concerns have emerged due to 23andMe’s
bankruptcy proceedings, raising questions about whether user data could be transferred
to new owners. While both companies offer deletion options, AncestryDNA’s clearer
destruction policy may offer more peace of mind.


Research Opt-In Usage
If users opt in to research, both companies use de-identified genetic and survey data for
internal and external studies. AncestryDNA allows withdrawal at any time, but their policy
is less detailed about how data is used post-withdrawal. 23andMe provides more
transparency, including separate consent for individual-level data sharing and detailed
descriptions of research partnerships. Their opt-in structure is more robust and
user-friendly.


Personal Decision and Reflection
After reviewing both policies, I would be more inclined to trust 23andMe with my genetic
information. Their commitment to legal resistance, layered consent for data sharing, and
ISO-certified security protocols reflect a deeper respect for user privacy. While
AncestryDNA also offers strong protection, 23andMe’s transparency and user control
mechanisms stand out. In an era where data breaches and surveillance are growing
concerns, I value companies that go beyond the minimum legal requirements to safeguard
personal data.


That said, I remain cautious about sharing genetic information with any company. DNA is
not just personal; it’s familial and permanent. Even with strong policies, risks remain. If I
were to participate, I would carefully review opt-in settings, monitor account activity, and
stay informed about policy changes. Ultimately, privacy is not just about trusting a
company; it’s about staying vigilant and informed.
