A ranking of direct-to-consumer DNA testing


Private companies offering direct-to-consumer (DTC) DNA services have increased their market significantly in recent years. It was estimated that by 2021 more than 100 million people would have provided their DNA to four leading commercial ancestry and health databases.

Even though the construction of a DNA profile and its analysis is standard procedure (it can largely be automated), the accurate interpretation of the results is very challenging and requires significant expertise.

Spotting privacy & ethical implications:

The business of DNA testing services is on the rise, but are customers aware of the privacy and ethical implications? After analyzing their data treatment and policies, we rank the 6 main DNA testing companies.

Highlights

Many DNA banks do not have explicit policies regarding genetic data protection

One of the first legal concerns arises when DNA bank customers share not only their own sensitive personal data but also that of their families, thus exposing a third party's information. In addition, some DNA testing entities do not handle the whole data management process in-house. To address these risks, all DNA banks should have internal data security policies, including training for team members.

According to data protection regulations, information about privacy should be provided to data subjects prior to performing any tests, and they should be informed of the parties that would be provided access to their information. However, many data banks still do not have explicit policies.

Many of the legal implications mirror ethical dilemmas, like the sharing of relatives' information and the right to anonymity, or the impact of an imprecise or incorrect genetic assessment, especially on the user's psychological well-being. The lack of genetic counseling is also a concern, leaving users without proper guidance about their results.

The use of genetic data for forensic, ancestry, and research purposes has benefits, but also entails accuracy and privacy risks

One of the uses of genetic data that poses the biggest challenge to privacy and security is forensic use, with the questionable legality and ethical promise of extracting genetic data as a means to solve a criminal case. For instance, there is a long history of convictions based on wrong interpretations of DNA results (Gabel and Wilkinson, 2008; Walsh et al., 2016). In 2022, Scotland became the first country to publish a Code of Practice for the use of DNA and other biometric data by law enforcement.

Also, data testing to identify relatives or find links within a family tree is the primary offering of several data banks. While this can be a helpful tool to reunite families, it also entails a risk when customers give their DNA to a company that may not be able to guarantee data security and privacy.

The use of genetic data for research purposes is another challenging field. Important medical benefits may be obtained by profit-motivated uses of genetic data, but they can involve improper research purposes and protocols that place data subjects at risk for stigmatization and privacy violations.

We analyze one example of each in our full report, which you can read to better grasp both the legal and ethical implications of genetic data handling.

None of the analyzed DNA banks meets all the data management variables, and only 2 of them are ISO compliant

For those who are interested in using these services, we examined the data management of six major international DNA databases. We ranked them according to three main dimensions: data management, data sharing policies, and your rights vs their terms. The ranking is based on a review of their Terms and Conditions and Privacy Policies to extract indirect evidence concerning each variable.

All studied DNA banks follow basic standard policies concerning data protection, such as ensuring users’ rights to access, rectification and cancellation of their personal data. However, differences can be found concerning their capacity to provide information or enable other relevant policies.


people provided a sample to DNA testing services


order of relatives can be identified through genetic analysis


people's genetic data was put at risk at Massachusetts General Hospital in 2019


of DNA banks analyzed adhere to ISO/IEC 27001 standards

In numbers