Protecting Your Privacy

Last Updated: Mar 14, 2019
DNA Testing Privacy | Top 5 Recommendations

In 2018 alone, over 12 million people decided to take some kind of direct-to-consumer genetic test. We live in a fascinating time where costs of sequencing DNA are plummeting and technology is improving exponentially, giving us unprecedented data about ourselves—the “blueprint” secrets of our makeup never accessible before: we can screen for predispositions to genetic diseases and conditions in both ourselves and our future children; we can learn about our ethnic backgrounds, history, and human “backstory” in increasing detail. We can also locate living relatives whom we never knew we had. We can even learn about the more mundane, yet fun, things. (For example, direct sunshine often makes me sneeze, and I absolutely can’t stand the taste of cilantro; the test from 23andMe indicated that I am predisposed to having Photic Sneeze Reflex, and I do have a genetic variant that strikes the wrong chord in my taste buds, making cilantro taste like soap to me.)

All benefits aside, DNA testing has also raised many concerns about privacy, mostly surrounding who else could gain access to your genetic data. We here at Innerbody are obviously fans and advocates of genetic testing in general, but we also want to ensure that customers of such testing services are forewarned (i.e., forearmed) with information regarding privacy and how to protect themselves. Below are our top 5 recommendations on how you might best protect your privacy while also taking advantage of DNA testing’s many benefits.

1 -- Test only with reputable, trusted companies

This may sound obvious, but your choice of your testing company is perhaps the most important choice you can make with regard to protecting your privacy. New testing companies are springing up with each passing month. Before you pay Big Bob’s DNA and Lawncare, know that the largest, most established companies are the ones with the most resources to secure your data (though no data is 100% secure) and have spent years building trust with their consumers and with government agencies.

In July of 2018, seven of the most reputable testing firms agreed to adhere to a set of Privacy Best Practices, serving as their commitment to adhering to voluntary privacy standards. These standards outline strict guidelines such as detailed transparency about how genetic data is collected, used, shared, and retained, deletion rights, and strict bans on sharing your data with certain third parties such as insurance companies, law enforcement, employers, etc. The seven companies that agreed to these standards are 23andMe, AncestryDNA, Helix DNA, MyHeritage, Habit, African Ancestry, and Living DNA.

For these reasons, if you are considering taking your first DNA test, we highly recommend starting with one of these 7 companies. And though not official signatories to these standards, in evaluating all major testing companies’ privacy standards and practices, Innerbody can also recommend the following companies: Admera Health, Adx Healthcare, Mayo Clinic GeneGuide, TeloYears, National Geographic Geno 2.0, Orig3n, and Sema4.

2 -- Educate yourself by actually reading the privacy statements to which you are agreeing

In our daily lives, almost all of us have become accustomed to just quickly checking that box signifying that we have read all of the disclaimers, conditions, and policies. With DNA testing, though, we are really in a new arena which begs our attention. We highly recommend that you invest the ~5 minutes it takes to read over the privacy statement. True, that’s 5 minutes you’ll never get back, but then you can’t take back your data wherever it may have been sent! We do not expect you to understand every nuance of what you are reading, nor do we expect you to be able to effectively compare one statement with another; but we do think that just taking a look at each privacy clause, seeing their complexities, and learning roughly about your rights will prove to be a worthwhile first step to take. You’ll also find that the more you do this, the better you’ll get at understanding what you’re agreeing to.

For your convenience, below we have linked to the privacy statements or testing terms for each of our 14 recommended DNA test providers:

3 -- Pay close attention to your privacy options and selections: when in doubt, do not give your consent!

Shortly after purchasing your DNA tests, you will likely be asked to register your test kit to set up an account. This is when you will be given a number of privacy options (sometimes in disguise) which will vary depending on the test.

For health-related tests, you may be asked if you consent to “participating in research” or sharing your “de-identified individual-level” information with third-party “research collaborators.” In 23andMe’s case, it asks you if you would agree to answer a number of survey questions (e.g., Does glaucoma run in your family?). For ancestry-related tests, you might be asked if you want to be matched with potential relatives and, further, what information will be visible to said matched relatives.

For health-related tests, we strongly recommend that your default selection, at least initially, be a simple “No” to participating in research. It is not that participating in research is a bad thing; in fact, most of the researchers here at Innerbody choose to participate in research. However, unless you feel like you truly understand what you are signing up for, there are good reasons why declining this option makes sense:

  • Most of us do not mind making small sacrifices in the name of helping find a cure to certain diseases or to help others in some other way. But there are no guarantees that the research to which you are consenting will be part of the “greater good.” Your data might be used for profiteering (either by the testing company itself or the third-party researcher). You do not want your good intentions redirected toward only a profit motive, certainly not at the expense of increasing your privacy risks.

  • What’s the rush? You can always give your consent any time in the future, but it is more difficult if not impossible to take back your information from third-parties once it has already been used for research. For example, 23andMe’s Individual Data Sharing Consent FAQs page explicitly states: “If you withdraw your consent, any data that has been shared prior to this date cannot be reversed or undone.” All reputable testing companies do, however, let you prevent your data from being shared in future studies after changing your mind. For information already distributed, it is tough to get the genie back in the bottle.

  • Lastly, while we feel that your testing data is reasonably secure when stored with our recommended testing companies (though no data anywhere is 100% secure!), there is no way of knowing how secure your data is with the third-party “partner” companies with whom the data is shared. Granted, the data is non-personally identifiable; but if the data fell into the wrong hands, it could potentially be traced back to you.

For ancestry-related testing you have two major privacy choices and considerations:

The first involves how much of your voluntary profile information you choose to share and make public. We recommend that you initially start with sharing less info rather than more—at least until you have a decent feel for how these communities work.

The second consideration is whether or not you want to allow your DNA-matched relatives to have the ability to contact you. AncestryDNA, for example, calls these your “Community Preferences,” and 23andMe calls them your “Share and Compare” settings. Whatever they are called, you must feel comfortable with the possibility of hearing from random 3rd cousins whom you have never met—especially after you’ve won the Powerball. In rarer cases, you need to make sure you are prepared for long-lost close relatives. I was recently contacted by a first cousin whom I never knew existed; we were matched from a test I took in 2013. I was thrilled personally, but not everyone in my extended family shared these sentiments! Now if your primary goal for taking the test is to find new relatives or fill out missing branches for a more recent version of your family tree, then you have little choice but to share and compare. This consideration is less of a privacy risk per se, but it is something that you need to think about beforehand. Remember, this isn’t Facebook; you can’t unfriend them.

4 -- Understand that others in your family may be impacted by your test taking decisions

Since you share relatively large percentages of your DNA with your relatives (by the very nature of being related), taking even a single genetic test, in a certain sense, is like taking a test for your entire family. When I had taken the DNA test mentioned earlier, an aunt of mine also involuntarily “had taken” the test as well. As a result, that long-hidden family secret—my newly discovered first cousin—came to light after she had contacted me. I treasured my new blood relative, but your situation may vary, as was the case with some of my family members. Other scenarios that occur more frequently than one realizes involve some real life-disruptors—learning of relatives connected to you genealogically from long ago, “anonymous” sperm donations, and learning that one of your parents is not actually your biological parent.

For DNA tests that have a health component, similar situations can arise. Suppose, for example, that you learn you carry an abnormal version of your BRCA1 or BRCA2 genes—genes associated with a higher risk for breast cancer, ovarian cancer, and GI cancer. Armed with this information, you can get advice from your doctor and plan out proactive steps that could decrease your risks by increasing your screening frequency so that any signs of cancer developing are caught very early. That’s a good thing. But what else have you learned? You learned that at least one of your parents must have this gene variant as well; you had to get it from somewhere. Do they want to know the results of the DNA test? What about your genetic siblings? Many people are peculiar about what they want to know health-wise, from all-access to sticking their heads in the sand. Similar logic plays out to children and grandchildren in that not everyone wants to know. Do you tell your family members regardless? If knowledge is concerning, are you obligated to tell them no matter what? Is it morally acceptable to keep it from them if they don’t want to know, and live with the consequences?

If you have concerns or are troubled about situations similar to these (and keep in mind that there are countless more), talk with your family before choosing to take a DNA test. And if you want to take a test primarily to learn about your ethnicity and/or health factors but are afraid of what skeletons may be found in the family closet, then by all means take the test only if you can prepare yourself beforehand for any life-changing news, especially news that leaves you conflicted about sharing it or keeping it to yourself.

5 -- Hold off uploading your DNA data to third-party databases

Getting your first set of DNA test results can be an exciting experience. Your immediate reaction after analyzing your reports from AncestryDNA, 23andMe, Helix DNA, or another service might be—like mine was—I want more! I wanted more data and more perspectives on my ancestry. As such, an increasingly popular and relatively inexpensive option you have is to upload your genetic data to a third-party database such as GEDmatch, which focuses on ancestry, or Promethease, which focuses on health and wellness traits. These databases pool together the results from very large communities to give you even more insights derived from your DNA and original test results. While popular database companies can be wonderful tools for experienced users, they are not that user-friendly for novices and can further expose you to increased privacy risk. This is not meant to say they are insidious, just a bit more cumbersome.

The popular example that the media loves mentioning is how the alleged Golden State Killer, Joseph James DeAngelo, Jr., was finally apprehended in the fall of 2018, a case that had been cold for over 40 years. In short, law enforcement created a fake profile on GEDmatch and uploaded DNA data taken from the crime scene. Investigators found a relative match who was a distant 3rd cousin of the suspected perpetrator. From there, they were able to eliminate potential suspects until they got to Mr. DeAngelo, who was an original person of interest at the time of the killings.

The bottom line is that third-party databases have fewer privacy controls and are easier for others, good guys and bad alike, to infiltrate. And though we admit that we do not have proof this is the case, we think it is reasonable to assume that these companies have fewer resources dedicated to protecting data from hackers. We are big fans of these services, but just use them at your own risk.


So there you are—our top 5 recommendations for better protecting your privacy after deciding to take a DNA test. With so many rapid changes in direct-to-consumer DNA testing access, other associated aspects of life (laws, guidelines, outlooks, societal norms, tough family conversations, etc.) are having a very tough time keeping up. Bureaucracy always lags behind capitalism. However, by taking a few extra precautions and proactively learning about your privacy options, you can take advantage of some of the most exciting scientific advances of our time while minimizing the privacy risks to you and your family.

If you have any questions, legal, scientific, or otherwise, please send them to questions@innerbody.com.
