If you’ve sent a DNA sample such as a tube of spit to 23andMe, Ancestry, MyHeritage, or one of the many other companies that offer direct-to-consumer genetic testing, you’ve sent them the essential information they need to provide you with their analysis of your genetic code.

But if you later decide that you want to remove your genetic information from the web for privacy reasons, can you? And should you?

Genetic data can reveal information about your health, your risk for certain diseases, and your familial relationships—potentially including those previously unknown or undisclosed.

But deleting your genetic data is not always straightforward, according to James Hazel, Ph.D., J.D., a postdoctoral fellow at the Center for Genetic Privacy and Identity in Community Settings at Vanderbilt University Medical Center.

The degree to which you have control over the genetic information you’ve submitted, and even your physical DNA sample, “varies widely, depending on the company,” says Hazel, who has published research on the privacy policies of genetic testing companies.

“Some companies provide a relatively high level of control over that information,” he says, making deletion of genetic data or destruction of a genetic sample easy. “On the other side of the spectrum you have companies with little to no policy in place, or policies that permit storage of your sample and the data, sometimes indefinitely.” 

We'll explain what you need to know about your genetic privacy, along with step-by-step instructions for removing your data from three of the biggest DNA-testing sites.

Is Your Genetic Data Private?

Many people may not be aware of the requirements companies need to follow when you send them your genetic data, according to Mason Marks, M.D., J.D., a visiting fellow at Yale Law School’s Information Society Project and researcher who studies health law and data privacy.

There is an “air of medical-ness that engenders trust in consumers,” he says, since these companies work with DNA. But the HIPAA privacy laws that protect patients in a medical setting don’t apply to companies that do direct-to-consumer genetic testing, says Dena Mendelsohn, senior policy counsel for Consumer Reports.

That means that as long as their terms of service don’t specifically prohibit it, these companies can conduct research on your genetic data, sell it, or share it with third parties, according to Hazel. He says there’s a real risk that somewhere along the way, this information could be used in ways that are harmful to the person who submitted their data for testing or even to their relatives.

In one worst-case scenario, “an employer or insurance company might find you have a predisposition to develop early onset Alzheimer's, cancer, mental illness, or substance use disorder, and discriminate against you based on that,” says Marks.

Current laws like the Genetic Information Nondiscrimination Act (GINA) prohibit employers or health insurance companies from discriminating against a person based on their genes, though that doesn’t mean it couldn’t happen. And GINA doesn’t apply to providers of life insurance, disability insurance, or long-term-care insurance, according to Mendelsohn.

It’s difficult to know whether any insurer or other agent is currently making use of genetic data to evaluate individuals, according to Marks. But he urges special caution around keeping genetic information private, as it’s among the most unique identifiers of any individual and their traits.

There are companies that seem to encourage testing that Hazel describes in a paper as “surreptitious,” testing DNA from hair samples and articles of clothing that may not come from the person sending them in—though the main genealogy testing companies only accept saliva or a cheek swab sample.

Law enforcement officers have also used genetic data that’s been uploaded to a genetic database like GEDmatch—where people upload results from genetic tests to find people they may be related to—to help locate suspects or suspects' relatives.

Some DNA testing companies may also continue to use your genetic data after you've sent it in and received a report. Once data has been used for research or otherwise shared with third parties, it generally can’t be called back or removed. Research using your genetic data, for example, may already be in progress or completed.

Consumers should always read the privacy policies companies have listed to ensure they know exactly what their genetic information can be used for, advises Hazel. They should know whether their data will be shared with third parties, and if so, whether the information that’s shared will include individual-level genetic data, as opposed to aggregate data, which combines genetic information from a number of people.

Even if individual-level data has been “de-identified,” with names removed, researchers have demonstrated that in some cases a person can be “re-identified” based on their DNA along with supporting information like a zip code or birth date, which is sometimes still associated with de-identified DNA.

Also, even if a company has excellent privacy policies, there’s always the possibility that data could be exposed through a security breach.

“Consumers should go in with eyes wide open to the information they are unlocking about themselves and their family, the limits of current privacy laws, and the impact of what they might learn on their ability to access life, disability, or long-term-care insurance,” says Mendelsohn. 

How to Delete Your Data

The first three companies to appear in an Amazon search for “DNA test” are three of the biggest: Ancestry, with a DNA database of over 10 million people; 23andMe, with a DNA database of over 5 million users; and MyHeritage, with approximately 2.4 million users.

Since these companies are among the most prominent, we’ve asked them each what consumers can do if they want to remove their data from that company's database.

23andMe

How to delete your genetic data: 23andMe customers can delete their account and personal information from their account settings page, according to a representative.

How to have your test sample destroyed: When you submit your test to 23andMe’s third-party lab, unless you consent to have it stored (or “biobanked”), your saliva sample and DNA will be destroyed after it is analyzed. If you opted to have it stored but want to change that preference, you can do so from your account settings page once your sample has completed processing.

Is your data used for research, and can you revoke that permission? 23andMe and third-party researchers may use your genetic data and sample for research if you granted them consent to do so by completing a consent document. In 2018, 23andMe announced a partnership with pharmaceutical company GlaxoSmithKline to develop new drug targets and treatments from genetic data.

Additionally, 23andMe users are given the option to have their individual-level genetic data and other self-reported information (with identifying information stripped away) shared with external researchers, though this requires a separate agreement. You can withdraw consent for either type of research from the account settings page.

Will any data remain on research servers or in labs? If you consented to have your data used for research purposes, your genetic information cannot be removed from active or completed studies, but it will not be used in future research.

23andMe and their third-party genotyping lab will retain genetic information, date of birth, and sex information, which the company says is required by legal obligations.

Ancestry

How to delete your genetic data: Sign into your account, click the DNA tab, and select Your DNA Results Summary. Then click on Settings and then select Delete Test Results to delete data.

“If you request that Ancestry delete your DNA Data, we will delete all Genetic Information, including any derivative Genetic Information (ethnicity estimates, genetic relative matches, etc.) from our production, development, analytics, and research systems within 30 days,” an Ancestry representative tells Consumer Reports.

Deleting your overall Ancestry account will also result in your data being deleted.

How to have your test sample destroyed: Deleting your Ancestry account will result in the destruction of your biological sample. You can keep your account (and genetic data, if you’d like), but still request that your biological sample be destroyed by contacting Ancestry’s member services department.

Is your data used for research, and can you revoke that permission? Ancestry and third-party researchers may use your data for research purposes if you agreed to let them do so when you opened your account or in your account settings. If you’d like to opt out of future research projects or if you can’t remember whether you opted in when you signed up, you can check or change that status from the settings page of your account.

Will any data remain on research servers or in labs? If you consented to have your data used for research purposes, that data cannot be removed from active or completed research projects, but it will not be used in future research.

At present, Ancestry says that lab regulations do not require them to retain Ancestry customer data, though a spokesperson tells us that these regulations could change in the future.

MyHeritage

How to delete your genetic data: Users can delete their genetic data by going to the Manage DNA Kits section of their account settings and then selecting the button to delete data, according to a MyHeritage representative. They can also contact the MyHeritage customer support division by phone or email to have their data deleted.

How to have your test sample destroyed: To have DNA samples discarded, users can contact MyHeritage customer support by phone or email.

Is your data used for research, and can you revoke that permission? When you signed up for an account, you were given the option to allow MyHeritage to conduct research with your DNA data. To withdraw consent for internal research, users can go to their account settings page, select Privacy, and then select My DNA Preferences. MyHeritage has never shared data with third-party researchers but may do so in the future.

Will any data remain on research servers or in labs? If you consented to have your data used for research purposes, your genetic information cannot be removed from active or completed studies, but it will not be used in future research.

The company says the lab may keep some records of data for regulatory purposes.

Other Sites

The three companies above have comprehensive privacy policies online, and offer straightforward ways to remove data that has not been used in research. But approximately 40 percent of the 90 companies Hazel looked at while surveying privacy policies had no posted policy defining what they were or weren’t allowed to do with users’ genetic data. That’s something to consider before choosing a DNA testing company.

Also, Hazel says that some of the biggest privacy concerns come from users uploading their genetic data to external sites to further analyze health information or search for relatives. Checking the privacy policies of these sites is equally important.

The fact that data could be misused doesn’t mean you should never share genetic data with a company.

“There are great potential benefits to allowing these companies to analyze genetic data and combine many other different types of data,” says Marks. “They could make new discoveries, identify new drug targets, and develop new treatments for people.”

But users of these tests should know exactly what they’ve agreed to share.

Editor's Note: This story has been updated to reflect updated feedback from MyHeritage about their data-sharing practices with third-party researchers.