Are Websites That Use DNA Protecting Customers?

Millions of people every year mail in their DNA and eagerly wait for information about their ancestral roots. Most individuals do this through genetic testing websites like Ancestry.com and 23andMe.com. Such platforms provide stunning insights into potential health risks, inherited traits, and large family trees. However, once someone agrees to their lengthy terms of service, a person’s genetic information is now owned by the company. This raises a critical question: are websites that utilize DNA protecting their consumers? Many companies claim that their priority is privacy, but current legal frameworks, terms of service loopholes, and third-party data show how consumers are left unprotected.

A majority of consumers believe that because a company asks them to check a box, their data is secure. However, this consent is often misleading, and consumer data is not secure. DNA websites rely on long legal contracts, which the average adult does not read. These terms of service frequently grant companies broad rights to use genetic data. Most companies ask for explicit consent to utilize the DNA of a consumer for scientific research, although the wording surrounding it is quite confusing. Furthermore, such digital contracts usually contain clauses allowing the website to alter its privacy policy at any time without notifying the user. This means the rules protecting your DNA today could vanish tomorrow with a website update.

A majority of such DNA companies argue that they protect the privacy of their consumers by removing identifiers such as names, birthdays, and addresses. They claim that this makes the data collected anonymous. However, scientific evidence contradicts this legal defense. DNA is itself an identifier; scientists and geneticists have proven that genetic data can be re-identified. By cross-referencing anonymous genetic databases with public records, voter registration lists, and social media, researchers can find the identity of a DNA contributor. Therefore, when websites sell or share "anonymous" DNA data, they are essentially selling identities.

Legally, the United States does not have a federal law that fully protects consumer genetic privacy. Many Americans mistakenly believe that HIPAA (the Health Insurance Portability and Accountability Act) protects their DNA test results. However, HIPAA only applies to traditional healthcare providers, hospitals, and medical insurance companies. It does not apply to such DNA websites. The only federal law targeting genetic data is GINA (the Genetic Information Nondiscrimination Act), which was passed in 2008. GINA prohibits employers and health insurance companies from discriminating against individuals based on their genetic information. However, GINA has major problems: it does not apply to life insurance policies, disability insurance policies, or long-term care insurance policies. While states such as California and Utah have passed specific genetic privacy laws, the lack of a national standard leaves millions of Americans vulnerable depending on where they live.

Another major area in which the customer is not protected is law enforcement's use of DNA from such websites. The most prominent example of this is the arrest of the Golden State Killer in 2018. Investigators utilized a public genealogy website called GEDmatch to upload crime scene DNA, track down distant relatives of the killer, and eventually find the suspect. While catching violent criminals is a good outcome, the methods used raise serious Fourth Amendment concerns regarding unreasonable searches and seizures. Essentially, a person who has never taken a DNA test can now be identified because their relative decided to take an ancestry test. Although prominent DNA websites have fought against warrants, the pressure they face from law enforcement is immense.

DNA testing websites provide incredible insight into a person’s ancestral roots and potential health problems. Yet, such websites fail to protect the privacy of their consumers. The confusing terms of service and massive gaps in the law keep consumers at risk of being exposed. To protect customers fully, Congress needs to pass a highly comprehensive federal genetic privacy law that expands HIPAA protections to commercial companies. Such a law will also need to fix the loopholes in GINA and limit the powers of law enforcement in this matter. Consumers must be informed properly of what they signed up for, and companies need to be more transparent with their consumers.


