Is Ancestry DNA Safe? Privacy Risks Explained

AncestryDNA is generally safe to use, but “safe” means different things depending on what concerns you. Your physical DNA sample is processed in secure labs, your genetic data is encrypted, and you retain ownership of both. That said, real risks exist: a credential-stuffing attack exposed account information in 2023, federal law doesn’t protect your genetic data from all types of insurance discrimination, and the results themselves can surface family secrets with serious emotional consequences. Here’s what you should weigh before spitting in the tube.

Who Owns Your DNA Data

You do. Ancestry’s privacy statement is explicit: you maintain control of your biological samples and DNA data, and you can manage, delete, or destroy them. When you send in a saliva kit, a partner laboratory extracts your DNA and converts it into machine-readable genetic data. That data is linked to your account, but Ancestry states it gives you control over how your personal information is used, shared, and retained.

Ownership on paper matters, but what you agree to in the terms of service matters more. By using the service, you grant Ancestry certain rights to process your data in order to deliver results, improve their product, and run their matching algorithms. If you’re uncomfortable with any of that, you can request that your sample be destroyed and your data deleted. Consumer Reports notes that its Permission Slip data-deletion app works with some genetic testing companies but does not currently support Ancestry, so you’ll need to go through Ancestry’s own account settings or contact their support directly.

How Your Data Is Protected

Ancestry separates your DNA sample from your personally identifiable information by assigning a unique registration code at the lab. This means the technicians processing your saliva don’t see your name, email, or address. Your genetic results are encrypted, and access is restricted to authorized personnel.

These are solid baseline protections, but no system is bulletproof. Between approximately April and September 2023, a threat actor carried out a credential-stuffing attack against Ancestry. Credential stuffing isn’t a traditional hack of Ancestry’s servers. It works by taking usernames and passwords leaked from other websites and trying them on Ancestry accounts, succeeding whenever someone reused a password. The incident was serious enough that Ancestry filed a notification with the California Attorney General. If you use AncestryDNA, enabling two-factor authentication and using a unique password are the most effective steps you can take to protect your account.
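As an added illustration (not Ancestry's code and not part of the original article), this is how a defender might spot the pattern described above in login logs: one source trying many different accounts in a short window, mostly failing, with the few successes being the reused passwords. The log format, thresholds, and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: ISO time, source IP, username, outcome.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:03 203.0.113.7 bob FAIL
2023-05-01T10:00:05 203.0.113.7 carol FAIL
2023-05-01T10:00:07 203.0.113.7 dana OK
2023-05-01T10:00:09 203.0.113.7 erin FAIL
2023-05-01T10:00:11 203.0.113.7 frank FAIL
2023-05-01T10:01:00 198.51.100.20 gina FAIL
2023-05-01T10:01:20 198.51.100.20 gina FAIL
2023-05-01T10:01:45 198.51.100.20 gina OK
2023-05-01T10:02:00 192.0.2.44 hal OK
2023-05-01T10:02:10 192.0.2.44 ivy OK
2023-05-01T10:02:20 192.0.2.44 jo OK
2023-05-01T10:02:30 192.0.2.44 kim OK
2023-05-01T10:02:40 192.0.2.44 lee OK
"""

WINDOW = timedelta(minutes=5)   # assumed sliding-window size
MIN_DISTINCT_USERS = 5          # many accounts from one source
MIN_FAIL_RATIO = 0.7            # most stuffed credentials do not match

def parse(log):
    rows = (line.split() for line in log.strip().splitlines())
    return sorted((datetime.fromisoformat(t), ip, u, o == "OK") for t, ip, u, o in rows)

def detect_stuffing(events):
    """Return {ip: usernames that logged in successfully} for flagged IPs."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1          # drop events older than the window
            window = evs[start:end + 1]
            users = {e[2] for e in window}
            fails = sum(1 for e in window if not e[3])
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                # Every success from this source is a likely reused password.
                flagged[ip] = sorted({e[2] for e in evs if e[3]})
                break
    return flagged
```

The single user retrying a forgotten password and the shared office address with five successful logins are not flagged; only the source that sprays many accounts is, and the account it got into is the one that needs a forced password reset.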

Law Enforcement and Third-Party Access

One of the biggest concerns people have is whether police can access their DNA. Ancestry has historically stated that it requires a valid court order or search warrant before handing over genetic data, and that it does not voluntarily cooperate with law enforcement requests. The company has published transparency reports in the past showing it has challenged or rejected the majority of requests it received.

That said, the legal landscape is evolving. Several states, including Montana, Tennessee, Texas, and Virginia, passed new genetic privacy laws in 2024 that set stricter requirements for how companies handle genetic data. These laws vary by state, so the protections you have depend in part on where you live. Ancestry’s internal policies offer a layer of defense, but they are company policies, not legal guarantees, and they can change.

What Federal Law Does and Doesn’t Protect

The Genetic Information Nondiscrimination Act, known as GINA, prohibits health insurers and employers from using your genetic information against you. If a DNA test reveals you carry a gene variant associated with a higher risk of breast cancer, for example, your health insurance company cannot raise your premiums or deny you coverage because of it.

The gap in GINA is significant, though. On the insurance side, it covers only health insurance. Life insurance, disability insurance, long-term care insurance, auto insurance, and property insurance are all free to use genetic information in their underwriting decisions. If you’re planning to apply for life insurance or long-term care coverage, it’s worth knowing that some insurers ask whether you’ve had genetic testing done. A handful of states have passed their own laws extending protections beyond health insurance, but most have not.

FDA Oversight of Ancestry Kits

The FDA does not review genetic ancestry tests before they go to market. The agency classifies these as non-medical, general wellness products and considers them low risk. If a company offers direct-to-consumer tests that assess genetic health risks (like predisposition to certain diseases), those tests do require FDA clearance. But the core AncestryDNA product, which estimates your ethnic background and connects you with genetic relatives, falls outside that review process.

This means no federal agency is independently verifying the accuracy of your ethnicity estimates. Those percentages you see in your results are based on Ancestry’s proprietary reference panels, which the company updates periodically. Your results can shift slightly with each update. The matching feature that connects you with relatives is based on shared DNA segments, which is scientifically straightforward, but the ethnicity breakdown is more of a statistical estimate than a medical-grade finding.

Unexpected Family Discoveries

The risk that catches most people off guard isn’t technical at all. DNA testing can reveal that a presumed parent isn’t biologically related to you, that you have half-siblings you never knew about, or that family stories about your heritage were wrong. These discoveries, sometimes called non-paternity events or NPEs, are surprisingly common in large DNA databases.

Research published in Psychiatry Research found that people who independently discovered through direct-to-consumer DNA testing that their presumed father was not their biological father showed increased levels of depression, anxiety, and panic symptoms compared to control groups. Some experienced suicidal thoughts. The study also found that a worsening relationship with or attitude toward the mother was a risk factor for worse mental health outcomes, while the ability to openly discuss the discovery and accept it served as a protective factor.

This is not a hypothetical edge case. With millions of people in Ancestry’s database, these matches surface regularly. If there are family secrets that might come to light, it’s worth having a realistic conversation with yourself about how you’d handle that before testing. The emotional fallout from an unexpected discovery can be far more disruptive than any data privacy concern. Mental health professionals are increasingly recognizing this as a distinct type of psychosocial stressor, though specialized support resources are still limited.

Practical Steps to Minimize Risk

  • Use a unique, strong password and turn on two-factor authentication. The 2023 credential-stuffing incident targeted people who reused passwords from other sites.
  • Opt out of research if you don’t want your anonymized data used to improve Ancestry’s algorithms or contribute to studies. This option is in your account settings.
  • Request sample destruction after receiving your results if you don’t want your physical saliva sample stored. You can do this through your Ancestry account.
  • Delete your DNA data entirely if you decide you no longer want it on file. Be aware this is permanent and will remove your matches and ethnicity results.
  • Think through the personal implications before testing. Consider whether surprise family connections could affect your relationships or mental health, and whether you’re prepared for that possibility.