No, not all DNA companies share your results the same way. Policies on data sharing vary dramatically across the industry, from companies that have never handed over customer data to law enforcement to those that actively collaborate with police on cold cases. What happens to your genetic information depends on which company you used, which settings you chose, and in some cases, which state you live in.
How Companies Share Data With Law Enforcement
The major consumer DNA companies fall into two distinct camps when it comes to police access. 23andMe and AncestryDNA have historically resisted law enforcement requests. 23andMe received four requests for user data from law enforcement and successfully fought off all of them. Ancestry has cooperated in at least one case under court order, providing genetic information about a customer’s relative to police, but has generally stated it provides “only the specific information requested” when compelled by a court.
GEDmatch and FamilyTreeDNA operate very differently. These are open databases where users upload raw DNA files, and both allow law enforcement searches under certain conditions. GEDmatch gives you four privacy tiers to choose from when you upload your data. At the most open setting (“Public + Opt-In”), your DNA can be compared against kits submitted by police trying to identify perpetrators of violent crimes. At the “Public + Opt-Out” level, police can still search your kit to identify unidentified human remains, but not to solve violent crimes. The most restrictive settings hide your kit from law enforcement entirely. GEDmatch’s database was famously used to identify the Golden State Killer in 2018, which is what prompted the company to add these opt-in controls.
The key distinction: companies like 23andMe and AncestryDNA don’t voluntarily open their databases to police. GEDmatch and FamilyTreeDNA do, but with user consent controls. If you never uploaded your data to an open database, police generally can’t search it without a court order.
Pharmaceutical and Research Partnerships
Sharing with drug companies is a separate issue, and 23andMe became the biggest example. GlaxoSmithKline invested $300 million in 23andMe as part of a collaboration to discover new drug targets. 23andMe provided 250 Parkinson’s patients who had agreed to be re-contacted for GlaxoSmithKline’s clinical trials. The goal was to use the massive genetic database to speed up drug development.
23andMe does obtain consent from customers before using their data in research. But as Yale Law School privacy fellow Tiffany C. Li pointed out, “the problem with a lot of these privacy policies and Terms of Service is that no one really reads them. You are paying to help the company make money with your data.” Most customers signing up for ancestry reports or health screenings aren’t thinking about pharmaceutical partnerships when they check the consent box.
One important detail: if your data was already used in research before you opted out or deleted your account, 23andMe’s policy states that “any research involving your data that has already been performed or published prior to our receipt of your request will not be reversed, undone, or withdrawn.” Once your anonymized data enters a research pipeline, there’s no pulling it back.
What Happened in the 23andMe Data Breach
The risk isn’t limited to intentional sharing. In 2023, 23andMe experienced a data breach that exposed genetic information from over seven million customers. Hackers specifically targeted data from particular ethnic groups, including individuals of Chinese and Ashkenazi Jewish heritage. This breach highlighted a reality that separates genetic data from other personal information: you can change a stolen password, but you can’t change your DNA. Once genetic data is exposed, the damage is permanent.
The breach also revealed gaps in how genetic data is regulated. While California’s privacy laws gave affected residents the right to delete their genetic data and destroy their biological samples, customers in most other states had far fewer protections.
Legal Protections and Their Gaps
Federal law offers less protection than most people assume. The Genetic Information Nondiscrimination Act (GINA) prevents health insurers and employers from using your genetic data against you. But GINA does not cover life insurance, long-term care insurance, or disability insurance. Companies offering these products can legally access your medical records as a condition of providing coverage, and there’s no federal law stopping them from using genetic information to charge higher rates or deny coverage outright.
Some states have stepped in to fill these gaps. California’s Genetic Information Privacy Act requires direct-to-consumer testing companies to destroy your biological sample within 30 days if you revoke consent. Montana passed its own version that goes further, prohibiting the storage of genetic data in countries sanctioned by the U.S. government or designated as foreign adversaries, and requiring explicit consent before companies can transfer or store data outside the United States. But these protections are patchwork. If you live in a state without dedicated genetic privacy legislation, your options are more limited.
How to Delete Your Data
If you’ve already tested, you have some control over what happens next. On 23andMe, you can log into your account, go to Settings, scroll to the “23andMe Data” section, and select “Permanently Delete Data.” You’ll receive a confirmation email to finalize the request. If you previously opted to have your saliva sample stored, you can request its destruction separately from your account settings under “Preferences.” California’s Attorney General issued an urgent consumer alert specifically recommending that 23andMe customers take these steps.
Before deleting, consider downloading a copy of your raw genetic data to your own device if you want to keep it for personal use. Once the deletion is confirmed, the company won’t be able to provide it to you again.
It’s worth noting that even after deletion, federal lab regulations require genotyping laboratories to archive de-identified genetic information for a period of time, often two years, for regulatory compliance. So while your identifiable data gets removed, a stripped-down version may persist temporarily in lab archives.
How to Protect Your Privacy Before Testing
The most effective time to control your data is before you spit in the tube. Read the consent forms carefully, particularly the sections about research participation and third-party sharing. Most companies separate the basic testing consent from the research consent, so you can get your ancestry or health results without opting into broader data use.
If you’re uploading raw DNA files to third-party sites like GEDmatch, choose your privacy settings deliberately. The default tier matters. Selecting “Research” or “Private” keeps your data out of law enforcement searches entirely, while “Public + Opt-In” makes it available for criminal investigations. You can change these settings at any time, but you need to actively manage them.
Different companies store data in different jurisdictions, which affects which privacy laws apply. If data protection is a priority, check where the company is headquartered and where its servers are located. A company based in the EU, for instance, falls under stricter data protection rules than one based in a U.S. state without genetic privacy laws.

