The Privacy Problems of Direct-to-Consumer Genetic Testing
We investigated the privacy policies and practices of 23andMe, AncestryDNA, CircleDNA, GenoPalate, and MyHeritage to learn more about what they do with the data they collect
When it comes to the privacy of the intimate DNA data you share with them, direct-to-consumer (DTC) genetic testing companies make promises such as, “your privacy comes first,” and, “protecting your privacy is at the core of what we do.”
But when you use their services, genetic testing companies collect more than just your DNA. They, like many other companies, collect a wide variety of other personal data, including information you share with them such as your name, basic identifiers like your address and email address, and, in some cases, facts about your family and your health.
When it comes to this kind of non-DNA data, an investigation by Consumer Reports has found that direct-to-consumer genetic testing companies employ policies and practices that our experts think unnecessarily compromise consumers’ privacy. While our analysis suggests that for the most part, these companies do a relatively decent job of protecting your DNA data (at least according to their stated privacy policies), we found that the many types of non-DNA data they gather are not treated with the same care. The companies’ services over-collect personal information about you and overshare some of your data with third parties. CR’s privacy experts say it’s unclear why collecting—and then sharing—much of this data is necessary to provide you the services they offer.
To shed some light on the privacy practices of these companies, researchers from Consumer Reports’ Digital Lab evaluated five direct-to-consumer genetic testing companies’ websites and/or Android apps to find out what happens to the non-DNA information collected while using them: 23andMe, Ancestry, CircleDNA, GenoPalate, and MyHeritage. (We looked at Android apps and not iOS (iPhone) apps because Android allows us greater visibility into how apps handle data.) Unfortunately, we can’t peek behind the curtain to see what companies actually do to keep your DNA safe, so we also carefully reviewed their privacy policies to see what they say happens to your genetic information. We initially conducted our testing and review during the spring and summer of 2021, and we reconfirmed several of our key insights from our review of companies’ privacy policies with the wording in their current policies. We also reached out to all the companies again in the fall of 2021 to ask about any recent relevant changes to their privacy policies or practices.
How We Tested for Privacy
To get our testing started, we employed the help of one of our Digital Lab experts’ canine companions, a rescue hound named Door (shown below). This worked because we did not need any actual human genetic testing results. Using Door’s generously donated DNA sample allowed us to undertake this data privacy research without having to turn over any human’s genetic information (and allowed Door to receive multiple extra treats of cheese for being a very good girl).
We bought a test kit from each company and used a sample of Door’s saliva or a jowl swab to register and mail in the test kits, allowing us to create an account with each company and gain access to the parts of each of their websites and Android apps that consumers typically see in the course of using these services. (In case you’re curious: It seems the companies were not fooled by the dog saliva. None of the kits returned a successful result; all said that the samples couldn’t be processed.)
Working with AppCensus, a privacy research company with whom we’ve collaborated on other investigations, we used specially programmed Android phones to watch which outside companies received data from the apps as we used them, and checked which privacy permissions each app declared. We also ran a static analysis of each app—meaning we ran automated tests that examined selected parts of the source code. In addition, we analyzed the network traffic generated while we used each service’s website, both while buying the DNA kit and while logged in to the service. Based on observations across these analyses, we then evaluated how well the apps’ privacy policies matched what we observed while testing.
Again, our analytical tools can’t reveal what companies are doing behind the scenes to store and protect the actual genetic information you give to them, and the additional information they collect. Still, along with analyzing companies’ stated practices around safeguarding DNA data, our analysis of app and web traffic and permissions can provide a sense of how companies handle all the other kinds of personal and sometimes health-related data that consumers share.
What Our Testing Found
Our findings fall into three main categories: expansive permissions granted to companies regarding DNA (and non-DNA) data when consumers opt in to research, overcollection of non-DNA data, and oversharing of non-DNA data.
Expansive Research Permissions
The five companies whose apps we evaluated say they provide customers the option to opt into “research” conducted with the use of customers’ de-identified or aggregated DNA and other data. But our experts say that this research may in some cases not be the kind of altruistic research customers imagine, and that opting in can mean sharing with third parties more than just your de-identified DNA. While our analysis found that the protections for a person’s DNA data for the most part appeared relatively solid, opting into research opens up potential vulnerabilities.
We closely evaluated the policies regarding research and the informed consent forms for four of the five companies in our study: 23andMe, Ancestry, GenoPalate, and MyHeritage. (We excluded CircleDNA from this part of the analysis because its platform does not allow access to the full user interface without valid DNA test results; therefore we were unable to view the company’s research consent form or evaluate the user experience of a typical customer.)
23andMe told CR that more than 80 percent of its customers do opt in to allowing their data to be used for research. “While customers have different reasons to opt into research, many are doing so out of a desire to contribute to and accelerate scientific and medical discovery,” says Jacquie Haggarty, vice president, deputy general counsel, and privacy officer at 23andMe.
All four of the companies ask their customers to proactively opt in to such research, rather than including them in research by default and requiring them to opt out, which is a plus for consumers. However, what consumers are opting into isn’t always as clear as it could be, says CR’s Fitzgerald. For instance, “research” could mean scientific studies conducted by third-party academic institutions, which people may view as a way to contribute to the common good. “They understand the advances that can be made in science through the sharing of genetic information. And people want to help with that,” says Jennifer Lynch, surveillance litigation director at the Electronic Frontier Foundation (EFF), who wasn’t involved in our study.
Our experts say that the permissions granted when consumers opt into research are likely more expansive than consumers may realize, since they often include permission for third-party researchers to receive not just de-identified DNA information, but any other information you share or that the company collects about you, which can include self-reported health information and information about relatives. Ancestry’s research permissions include the use of any data shared with the company, including data shared in the future. 23andMe notes that ongoing analysis using your data could occur.
As MyHeritage’s research consent form is particularly careful to point out, because of the unique nature of the information you share, there will always be a risk of you being reidentified by the DNA info you provide—even if it is de-identified.
While consumers may willingly share a great deal of information with these companies, we found that the companies collect additional data, too, in some cases giving them a detailed profile of individual users that goes far beyond their DNA.
During our testing in 2021, the Android apps we evaluated all declared broad permissions that could support data overcollection. Specific permissions included the ability to read contacts, the ability to track a person’s precise location, and the ability to collect precise information about a person’s phone, among others.
By themselves, each of these permissions is not a sign of a company doing something nefarious. For example, when we asked 23andMe why their Android app requests the use of your biometric data, the company told us that this allows consumers to unlock the app using the fingerprint stored with their phone, and that 23andMe never accesses the actual fingerprint.
And some apps may include permissions that are never actually used. GenoPalate, for example, told us that several permissions we asked about, including the use of fingerprint and biometric data and access to a user’s contacts, aren’t ever actually requested from the user. “Some software libraries we use declare those permissions by default, but they are never requested nor used,” GenoPalate’s CEO Sherry Zhang, PhD, told us.
Still, CR’s experts say customers’ privacy would be better protected if permissions never used by an app weren’t declared in the first place. “Collectively, looking at the sum of what’s allowed by these permissions, and the way data are handled as defined by privacy policies, overly broad permissions create the potential for data collection that does not directly benefit consumers, and is not necessary for the service,” says CR’s Fitzgerald.
We asked the companies we evaluated to tell us which sources they use to augment customer data. Ancestry told us they incorporate demographic data from credit reporting company Experian. The purpose, a spokesperson told us, is “for analysis and understanding of purchase and usage trends, which help Ancestry improve our product and marketing. Ancestry does not use Experian data for any targeting of individual users across the web.”
23andMe told us that while it may receive voluntarily provided data from users’ social media accounts, “in the spirit of data minimization and purpose limitation principles, we limit the use and retention of such data.”
Both Ancestry and 23andMe pointed out that customers can download all the data each company has on them, including from data augmentation sources. CircleDNA and GenoPalate told CR that users can request records of the personal data collected on them, though this isn’t spelled out in the companies’ privacy policies (except in the case of GenoPalate, which outlines the ability to request data only for California residents).
Through our tests, we found that these companies routinely share customer data with third parties—although we cannot know exactly what kinds of data are being shared. Companies say they use third-party tracking to improve their products. For instance, CircleDNA told us, “We utilize technology to analyze and improve our services to ensure we provide customers with the best and most relevant experience. Even after they have already purchased a product from us, we like to engage with our consumers to provide them with relevant health information.”
All five of the companies in our study disclose in their privacy policies that they allow third parties to track consumers’ activities as they use the services, and of the five companies we tested, only one—CircleDNA—provided a reasonably accurate list of third parties that collect data about their users. Based on our analysis, the companies that receive this data include well-known ones such as Google, Microsoft, Facebook, Yahoo, Pinterest, Adobe, and Oracle, as well as lesser known but well-established data collecting companies. Such tracking can be used to build profiles of individual consumers and to target them with advertising, a practice common with many types of apps, as CR has shown in other investigations. Few obvious tools are available to consumers to limit or control what is shared or how it’s used.
“Based on our analysis of network traffic collected while a paying customer used these services, it would be somewhere between difficult to impossible to use these services and not have usage patterns shared with multiple third parties,” says Fitzgerald. In our analysis, when using these companies’ websites to log on or to purchase a DNA kit, we saw numerous calls to—in other words, connections made, generally to exchange information with—third-party domains, including numerous companies that harvest data for use in targeting users with ads. (Note that we can’t see what information was shared in these instances, just that a call was made to a third-party domain.) CircleDNA’s site made 17 calls to third-party domains on the low end, while GenoPalate’s site made 68 calls to third-party domains on the high end.
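To make the third-party call counts above concrete, here is an added example (not code from Consumer Reports, AppCensus, or any company named in the article) that takes the URLs a browser requested during a session on a first-party site, classifies each as first- or third-party by its registrable domain, and tallies the third-party domains contacted. The first-party site, the request log, and the tracking-parameter values are constructed placeholders; the public-suffix handling is deliberately minimal.

```python
"""Count third-party calls in captured web traffic (constructed example)."""
from collections import Counter
from urllib.parse import urlparse

# Minimal public-suffix handling: two-label suffixes that are not registrable
# on their own. A real analysis would use the full Public Suffix List.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. 'api.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_requests(first_party_url: str, requested_urls):
    """Split requests into first-party calls and a per-domain count of third-party calls.

    Subdomains of the site being visited (api., cdn., ...) count as first-party;
    every other registrable domain is a third party that learned about the visit.
    """
    first = registrable_domain(urlparse(first_party_url).hostname)
    third_party = Counter()
    first_party_calls = 0
    for url in requested_urls:
        host = urlparse(url).hostname
        if not host:
            continue  # skip malformed or relative entries
        domain = registrable_domain(host)
        if domain == first:
            first_party_calls += 1
        else:
            third_party[domain] += 1
    return first_party_calls, third_party


def summarize(first_party_url: str, requested_urls) -> dict:
    """Report what a reviewer would want to know: how many calls went where."""
    first_party_calls, third_party = classify_requests(first_party_url, requested_urls)
    return {
        "first_party_calls": first_party_calls,
        "third_party_calls": sum(third_party.values()),
        "third_party_domains": dict(sorted(third_party.items())),
    }


# Constructed session on a placeholder site; the tracker hostnames are the
# well-known endpoints of the companies the article names, with placeholder IDs.
SAMPLE_SITE = "https://www.example-dna.test/"
SAMPLE_REQUESTS = [
    "https://www.example-dna.test/login",
    "https://api.example-dna.test/v1/session",
    "https://cdn.example-dna.test/app.js",
    "https://www.google-analytics.com/collect?v=1&tid=UA-PLACEHOLDER",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://www.facebook.com/tr/?id=PLACEHOLDER&ev=PageView",
    "https://bat.bing.com/action/0?ti=PLACEHOLDER",
    "https://ct.pinterest.com/v3/?event=init",
    "https://www.google-analytics.com/collect?v=1&t=pageview",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SITE, SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

Run against a HAR export or proxy log instead of the constructed list to reproduce the kind of per-site tally the article reports.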
Once those third parties potentially have data about your usage of a site, it’s the third party’s privacy policies and practices that protect your information, not the site that you were originally intending to visit, notes Augustine Fou, PhD, an independent ad fraud researcher. So while you may trust the way that Ancestry or 23andMe handle your data, you have little to no way of knowing what protections those third parties provide. “Are you going to rely on every single one of those third-party ad tech companies to do the right thing and not violate the consumer’s privacy?” he says. “I would not, because their job is to sell the data they collected and make money on it.”
Even if data collected about you is shared without personal identifying information like your name, phone number, and email address, re-identification is possible. A 2019 study in the journal Nature Communications, for example, found that almost every American could theoretically be re-identified from any dataset containing at least 15 demographic attributes (such as Zip code, gender, or number of children).
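The re-identification risk described above can be measured before a dataset is shared. The following added example (not code from the cited Nature Communications study or from any company in the article) computes, on a constructed toy dataset, the share of records that are unique on a growing set of quasi-identifiers and the dataset's k-anonymity, then shows how generalizing attributes (ZIP to ZIP3, birth year to decade) lowers both. The records, attribute names, and coarsening rules are constructed placeholders.

```python
"""Uniqueness and k-anonymity of quasi-identifiers (constructed example)."""
from collections import Counter
from typing import Callable, Dict, List

Record = Dict[str, object]


def group_sizes(records: List[Record], attributes: List[str]) -> Counter:
    """Count records per combination of the chosen attribute values."""
    return Counter(tuple(r[a] for a in attributes) for r in records)


def unique_fraction(records: List[Record], attributes: List[str]) -> float:
    """Share of records whose combination appears exactly once: anyone who
    knows those attributes about a person can single that record out."""
    sizes = group_sizes(records, attributes)
    singletons = sum(n for n in sizes.values() if n == 1)
    return singletons / len(records)


def k_anonymity(records: List[Record], attributes: List[str]) -> int:
    """Smallest group size: every record blends in with at least k-1 others."""
    return min(group_sizes(records, attributes).values())


def generalize(records: List[Record], transforms: Dict[str, Callable]) -> List[Record]:
    """Return coarsened copies of the records; the originals are left untouched."""
    out = []
    for r in records:
        g = dict(r)
        for attr, fn in transforms.items():
            g[attr] = fn(r[attr])
        out.append(g)
    return out


# Constructed toy dataset: nine de-identified records with no direct identifiers.
RECORDS = [
    {"zip": "02139", "gender": "F", "children": 2, "birth_year": 1980},
    {"zip": "02139", "gender": "F", "children": 2, "birth_year": 1982},
    {"zip": "02139", "gender": "M", "children": 0, "birth_year": 1980},
    {"zip": "02139", "gender": "M", "children": 0, "birth_year": 1980},
    {"zip": "10001", "gender": "F", "children": 1, "birth_year": 1990},
    {"zip": "10001", "gender": "F", "children": 1, "birth_year": 1990},
    {"zip": "10001", "gender": "M", "children": 3, "birth_year": 1985},
    {"zip": "02139", "gender": "F", "children": 2, "birth_year": 1980},
    {"zip": "10001", "gender": "M", "children": 3, "birth_year": 1987},
]

# Coarsening rules a data holder might apply before sharing (constructed).
COARSEN = {"zip": lambda z: z[:3], "birth_year": lambda y: y - y % 10}


def risk_report(records: List[Record] = RECORDS) -> dict:
    """Uniqueness and k for each growing attribute set, then after generalization."""
    report = {}
    attrs: List[str] = []
    for a in ["zip", "gender", "children", "birth_year"]:
        attrs.append(a)
        report[tuple(attrs)] = (unique_fraction(records, attrs), k_anonymity(records, attrs))
    coarse = generalize(records, COARSEN)
    report["generalized"] = (unique_fraction(coarse, attrs), k_anonymity(coarse, attrs))
    return report


if __name__ == "__main__":
    for key, (frac, k) in risk_report().items():
        print(f"{str(key):55} unique={frac:.2f} k={k}")
```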
Why Protecting Your Non-DNA Data Matters
Consumers’ primary privacy concern when using a direct-to-consumer genetic testing service is likely how well their DNA data is protected, and how private it is kept. And rightfully so. “Our DNA can reveal things about us that we don’t even know yet,” says EFF’s Lynch. “So in addition to all of the health information and the ancestry and biological familial relationship information that we know about now, researchers are finding new things in our DNA every single day. And all of that information is going to a private company.”
Still, what companies (and not just genetic testing companies) do with all the other personal information they collect about you matters, too. What is clear from our testing is that direct-to-consumer genetic testing companies, like many other companies doing business online (including CR), collect and share a wide variety of non-DNA information about you. And while the companies whose services we analyzed say they don’t sell your information, it’s still possible that some non-DNA data ends up in the hands of data brokers.
“Third-party data brokering is a huge business,” says Kirsten Ostherr, PhD, director of medical humanities and the Medical Futures Lab at Rice University. Companies compile profiles of individuals based on all kinds of online activity, including information you may have shared about your health. She says there’s a real risk that such a profile could then be sold to other companies looking to set a life insurance rate or a home loan interest rate for you, or to a potential future employer looking for background.
“There’s such a wide range of impacts that come from the sheer fact that we all have these digital selves that are out there kind of hovering around our physical selves and following us everywhere,” she says. “We have no ability to evaluate, correct, modify any of those sorts of things, yet they do affect our daily lives in very material ways.”
What Companies Should Do
Three companies we evaluated—23andMe, Ancestry, and MyHeritage—are public supporters of the Future of Privacy Forum’s Privacy Best Practices for Consumer Genetic Testing Services, published in 2018.
The best practices include items such as banning the sharing of genetic data with employers or insurance companies without consent, providing consumers a way to delete the genetic data stored with the company and to have their saliva samples destroyed, and requiring that if the company is bought, that the same privacy commitments will still apply.
“These best practices really at a high-level focus on promoting transparency, providing consumers with choices, and also offering enhanced protection for consumers that engage with the company,” says Rachele Hendricks-Sturrup, DHSc, former health policy counsel and lead at the Future of Privacy Forum.
Still, Consumer Reports’ experts say companies can do even better.
Craft More Specific, Limited Research Permissions
When it comes to consumers’ ability to consent to allowing their genetic data to be used for research, the informed consent forms we encountered while using these services generally give wide latitude for research projects. Instead, consumers should be able to exercise much more control over which specific research uses they would like their data to support, and should receive more detailed information about the exact nature of the research being conducted using their data. One option is that consumers could be given the ability to opt in project by project, CR’s Fitzgerald says, and be provided a clear outline of each research project’s process and goals before they decide. It’s possible, of course, that this could become onerous or frustrating, if consumers receive dozens of such options in a month, for example. Still, companies should find ways to provide much greater transparency and control regarding the research conducted with customers’ data.
In addition, research consent forms should either exclude product development or explicitly state that the person is opting into a narrowly defined product development project for a specific time period.
“Most consumers don’t know the business model, don’t know what part of their information is the most valuable to them, what’s not, and what’s happening to that data, and how money is being made,” says Masooda Bashir, PhD, an associate professor in the school of information sciences at University of Illinois at Urbana-Champaign. “I think education and consumer rights will have to take precedence over some of these corporations that are making enormous amounts of money from these data.” CR’s experts say greater transparency is needed about what specifically customers are opting into and out of, and whether the data they’re donating is funding academic research or going into product development.
Practice Greater Transparency in Data Sharing
When it comes to non-DNA data, the protections we found are much weaker. Again, this isn’t unique to direct-to-consumer genetic testing companies, and Consumer Reports also uses some of these tools. Still, given the relatively strong protections of DNA data (with the exception of research permissions), consumers may not realize this difference, and might assume that these companies protect all personal data as well as they do DNA data. But this isn’t the case, and this may give consumers a false sense of security when navigating these apps and sites, Fitzgerald says.
The pervasive use of tracking and sharing is an internet-wide problem. Still, CR believes these companies could, for example, provide greater transparency to consumers by fully disclosing all the third parties with whom they share data. The privacy policies we reviewed tended to disclose some but not all of the third parties that companies share data with, at least according to what we observed in our testing.
What Consumers Should Know
Privacy policies can change. Companies are at liberty to change their privacy policies at any time, though courts and regulators have said those changes cannot apply to previously collected data. Also, it’s companies’ responsibility to inform you when that happens, notes Hendricks-Sturrup. Still, keep in mind that the terms you agree to when you first sign up can change.
HIPAA doesn’t protect your data. The health information privacy law many are at least somewhat familiar with typically doesn’t apply to direct-to-consumer genetic testing companies. The Genetic Information Nondiscrimination Act does prevent employers and health insurance companies from using the results of a genetic test to discriminate against you, but not other entities or types of insurance companies. And only some state laws’ protections go further, such as Florida’s prohibition against the use of genetic information in life, disability, or long-term-care insurance underwriting.
Opt out of research. CR’s experts caution against opting into research, at least via a direct-to-consumer genetic testing service. Opting in means, in some cases, sharing everything you do on the service’s site, not just your DNA info. And given the nature of DNA, it also means sharing intimate information about your relatives, undermining their privacy as well.
Keep your DNA results off social media. Rice University’s Ostherr studies health-related online communities and understands how powerful it can be for people to share their stories and create community around health conditions. Still, she recommends finding a more secure way to share health information, including the results of DNA tests, instead of online forums like Facebook groups (even private ones) and other social media. Even if a data-brokering company didn’t receive DNA or health information about you directly from a direct-to-consumer genetic testing company, they could certainly collect health information that you share publicly on the Internet.
Consider deleting your data. If you’ve taken a direct-to-consumer genetic test, you may want to consider deleting your data. This isn’t always straightforward, but you can check out our guide to deleting your genetic data here.
Protect yourself from tracking. Several of the companies that we included in our evaluation provide a way for consumers to block the company from tracking their activity using cookies. But this is an imperfect solution, since it requires blocking cookies site-by-site. Also, regularly clearing one’s cookies is an important privacy habit—but once you do, any site you individually told to stop using cookies will resume, until you block them again. A more elegant solution is to use a service that protects your Internet activity from being tracked, such as uBlock Origin, or the web browser Brave.
Clarification: This article has been updated to reflect that data from social media accounts received by 23andMe is voluntarily provided by users. It was originally published on January 11, 2022.