DNA test kits: Consider the privacy implications

Companies are advertising at-home DNA test kits that promise intriguing insights into your past (“Where did my forebears come from?”) – and your future (“Do I have the genetic markers for certain medical conditions?”). If you’re thinking about buying a kit for yourself or a family member, the FTC has advice about protecting the privacy of the sensitive information that DNA tests reveal.

Although most tests require just a swab of the cheek, that tiny sample can disclose the biological building blocks of what makes you you. The data can be very enlightening personally, but a major concern for consumers should be who else could have access to information about your heritage and your health. If you’re thinking about buying an at-home DNA test kit, you owe it to yourself – and to family members who could be affected – to investigate the options thoroughly.

Comparison shop about privacy. A number of companies offer similar services, but price and performance are only two of the comparisons you should draw before making a purchase. The other key comparison is privacy. Scrutinize each company’s website for details about what they do with your personal data. Rather than just clicking “I accept,” take the time to understand how your health, genetic, and other sensitive information will be used and shared. Hold off on buying a kit until you have a clear picture of the company’s practices.

Choose your account options carefully. Most testing companies offer an array of options about how public – or how protected – users want to keep their personal information. Will your profile be available to others online? Can users send you personal messages? A company’s out-of-the-box defaults often aren’t the most private options, so it’s unwise simply to accept a site’s automatic settings. A more prudent approach to consider is to select more protective options initially and revisit your choices once you’ve become familiar with how the site operates.

Recognize the risks. Hacks happen. Before deciding to use a DNA test kit, reflect on your personal approach to the risk of unauthorized access that accompanies the use of any online service (or, for that matter, any brick-and-mortar business) that maintains sensitive information about you.

Report your concerns. If you think a genetic testing company isn’t living up to its promises, let the FTC know. We’ve brought dozens of cases challenging deceptive or unfair practices related to consumer privacy and data security – including a settlement with a business that sold products based on at-home genetic testing, but allegedly failed to provide reasonable security for consumers’ personal information.

Giving a test kit as a gift? Print this post for the recipient and share other consumer information from the FTC about DNA test kits.


Are there specific companies that the FTC is concerned about?

I used Family Tree DNA to assist me in my Genealogy research of my family. Is Family Tree DNA a reputable company as to their security of my DNA sample and information? Thank you for your information. It had not occurred to me DNA was a security risk. What should I do now, to minimize risk?

This blog post is about at-home DNA tests in general, not about specific companies.

When you have an account, choose your account options carefully. Most testing companies offer options about how public – or how protected – you want to keep your personal information. You might have choices about whether your profile will be available to others online. Or whether other people can send you personal messages.

A company’s out-of-the-box defaults often aren’t the most private options, so it’s unwise to accept a site’s automatic settings. It's better to select more protective options at first, and then look at your choices again after you are familiar with how the site operates.

Even when you opt out of public sharing, the DNA company owns the data and can sell or share it with anyone they want (including law enforcement, insurance companies, even credit bureaus if they want).

I am glad I read this FTC email. I was going to buy them as gifts. I'll do my digging on all of the available companies out there before purchases. There is a large probability of deceptive P.R. and 3/4/5 party outsourcing of folks' info in exchange for corporate payouts. Thanks again for the article, very insightful.

My DNA test was stolen before I could use it. What can the thieves do with it? Was bought from Ancestry.

If your information was stolen from the company, you could contact the company.

Thank you for informing the general public concerning DNA tests! Personally I would like to see a PUBLIC GOVERNMENT COMMERCIALS DONE ON EVERYTHING YOU POST! Too many consumers, especially rural and elderly, are not receiving emails. Americans would welcome commercials from their government. All Departments Do An Outstanding Job! By far the very best information emails from Government I have Ever Received! I hope you get funding for communication through Commercials on Satellite, Cable and Radio.

I agree with your comment! These US Government websites are outstanding and continually exceed my expectations. Our citizens really need to continue to cultivate a sincere "attitude of gratitude" in regards to the continual scrupulous efforts of these employees to inform the public.
I also agree with your comment about "rural and elderly" that may not be receiving emails currently and would certainly support any effort by our government and/or funding from other organizations to alert the public, in any way, with such useful information.

A timely column. I had one done with my physician, and I first inquired about the company, and that my results were to be delivered by postal carrier, and absolutely not to be stored on the internet at any point in time. I was assured that I would have my right to choose how my private information would be honored. When I moved away, and even before that, I was given the results that were indeed posted from the company for my own health information that was solely my own.

I am the patient who insists that my insurance for my health especially, is never on the internet; and I always say to any new physician that I have every intention to sue anyone who does not honor my choice. Surprisingly, to a doctor, I am always being treated with the respect from my physician(s), and they applaud my speaking out for myself, because they insist on this choice for themselves too!

I'll add to this something I've recently learned is that almost all of my medical records have been destroyed by the Drs. who did the work. There seems to have been a 7 year rule? Since it's taken 20 years of idiots missing certain things on the testing that's been done, now what? I can't sue without records!

If you can't get copies of the medical records you want from your doctor, you could ask other sources. For example, you could see if there are any hospital treatment records, lab result records or records held by your health insurance company.

Right now, you could ask your current doctors to make copies of your medical records. You could keep copies of your records yourself. You may have to pay a fee to get the copies.

If Tidwell needs records back 20 years and they are destroyed after 7 years then how would his current doctor have them?

My answer wasn't clear. I'll fix it.

It's also probably worthwhile to make clear that the requirements to destroy medical records come mainly from the states and each one has its own rules. A Google of "medical record storage laws" shows a range of at least 3 to 10 years.

I'm actually more afraid of the medical healthcare system in general having access to my DNA information than I am of anyone else! Insurance companies can use it to increase premiums, deny coverage, etc. I agree that the government needs to put stringent laws in place to protect us from abuse.

Amen to that. My local hospital had thousands of records hacked. They have not only my records at the hospital but also my Primary Care Doc, several specialties and all my labs.

And of course they have an abundance of financial info starting with my social security number. A hacker's dream to try to break into any of my financial accounts.

I find the FTC's first suggestion on this page "Comparison shop about privacy" to be a joke. We already have plenty of examples of corporations violating their privacy statements, so who do you trust? The only way I would get DNA testing is if after they sent me the results, the lab was required to immediately destroy all of the data with a strong trustworthy oversight agency.

I have always said I wish health care providers (and others) would use something other than a SSN for record keeping.

On a side note, please be ready for the DNA information that you will receive once the results become available. There are instances where people (like myself) opened up a huge can of worms and exposed a lifetime of lies.

Or someone in the family exposes something you didn't want known and destroys you totally. Should not be allowed but great for law enforcement. Change it now. Some will commit suicide over this.

Unfortunately, personal information of any type is sought by marketers, identity thieves, health insurance providers, etc. for business or personal gain. Advisory doesn't mean all providers of at-home DNA tests are lax in protecting information, but wording in "privacy and rights" statements are many times written in legal speak. I would email or call the company providing the service for answers. If no response, go to your next option.

I wonder if these DNA Kits marketed by companies are subject to the same medical privacy laws, rules, and regulations that affect all consumers in the USA...

Are DNA samples provided by a DNA Kit Buyer to the company selling/testing the DNA Kit subject to the Health Insurance Portability and Accountability Act (HIPAA) passed by Congress in 1996 that regulates the privacy of consumers' medical records?

Are companies that sell the DNA Kit required to register that sales transaction and/or DNA sample provided by the Buyer of the Kit with the Federal Government?

Since a medical DNA sample has to be provided to the company selling/testing the DNA Kit, what happens to the DNA sample after testing is completed?

You can review a company’s website for details about what they do with your personal data. Rather than just clicking “I accept,” take the time to understand how your health, genetic, and other sensitive information will be used and shared. Hold off on buying a kit until you have a clear picture of the company’s practices.

Please post companies that misuse DNA information.

Thank you for bringing us this information. It is critical.

These DNA kits are nothing but a clever and deceptive way to build a NATIONAL DNA database. Think before you act.

I agree with Fred 100%

If you have ever been in the military, your DNA, fingerprints, everything is saved by the Government. What would or why would the Gov want Millions of millions of records and data on “Joe Smo” working at the mill? All of your information is already out there in some way or form. The IRS and others can’t even keep up with what they have now!! How do you expect the Gov to handle all that?? Again! Unless you're doing something illegal or plan to, why worry?? If someone wants your info they will get it!!

This is what I was waiting to read. IF THEY WANT YOUR INFO THEY WILL GET IT. Unless you are a "bad" person what does the privacy of your info matter? Eventually it's out there when you die, make sure you don't regret your life.

A privacy policy can contain confusing or difficult to understand words and phrases. Are there specific words or phrases to watch out for in these documents? How can we recognize those companies that say they can share the info where and when they want but hide that in the jargon?

Privacy policies may be long or complex, but they are important to read. When you read a privacy policy, find out what information a company will collect and why; how the company will control the personal information it collects;  how it will use the information, and whether it provides information to third parties. If you have questions or concerns about a company's privacy policy, contact the company.

Perhaps it would be helpful to focus on rules to make privacy policies shorter and clearer so the average citizen can read and understand them.

It is also not helpful to learn that these companies are free to change their privacy policies at-will without any obligation to inform you or to re-authorize your permission before those policies are changed. Where is HIPAA in all this?

I have a family member who wanted to look into doing this. I forward her this link to read before she makes a final decision.

Good information-I'll check my supplier

My elderly sister was given free DNA test forms from a supposed genealogy website by her nephew, but with no data about where/who sold it or who it came from. She is pretty net-savvy, but I know she doesn't read all the information that comes with such things, and besides, a criminal is going to claim they are legit anyway with stolen policies and statements.
She is in her mid 80's and serious about genealogy.

Is there any possibility it could have hurt her?
What are indications that something nefarious is going on?

Personally I won't do it myself, because to be useful for genealogy, it depends on relatives also having used the same kit, so in essence it's useless anyway. In reality the only thing it seems to have given her was the countries around the world her 'relatives' came from and not much else. She has gotten zero actual information from it.

You may be able to learn the name of the company your sister used and find out how the company manages data and privacy.

Your sister could look at the account options the company offers: is her information accessible to other people online? Can people contact her? Does she prefer more protective settings?

If your sister shared personal or financial information on the application, and she's worried about possible identity theft, she can read about warning signs of identity theft.

Any company's policy is just that; it's a policy - nothing more. It is not contractual in any way with anyone at any time. Policies can be changed, and do change like the wind.
Don't be fooled by all this talk of policy - it means nothing other than a stated procedure or intent at the time of the statement.

The reason that people would contact you is if they are doing their family tree and you show up as related to them. You are only given the ability to email them if they are a DNA connection. It's not like these companies sell a list of names to advertisers.

If it's for family tree info, maybe do it. But as a dad and a great husband-to-be, I been having a bad, no, the worst 3 months of my life. And I truly believe if it's going to affect the kids' life and a wonderful marriage to be soon! They shouldn't do it. Can't lose their family again ever. Like earlier someone said private, they should in their closed door of their bathroom talk about it, because your partner doesn't want to lose his family, just get things put away for both troubles, look to the future on how they going to make money together and only look to the future with a pinky promise in it, then handle up on 90 days of honor he has gave her, well she was away on business. But if it's for the family tree ont o it ether. He or she is for us, now if the 1st child isn't his then, they can talk about it a Lil, husband and wife, he's 100 behind her, and ready to take on the other one right the hell now to show her, come home

Consumers are being coerced and scammed into giving up genetic and lifestyle information, much of which is sourced overseas to countries such as China -- which has a terrible human rights record.

Thanks for giving a blog.
