  • How consumer DNA tests work
  • How DNA data differs from other personal information
  • How DNA testing companies handle your data
  • The biggest security and privacy risks of DNA testing
  • How to choose a safer DNA testing company
  • How to protect your DNA data before and after testing
  • So, are DNA tests safe?
  • FAQ: Common questions about DNA test safety

Are DNA tests safe? Privacy risks to know before sharing your genetic data

Featured 15.06.2026 12 mins
Written by Shauli Zacks
Reviewed by Kate Davidson
Edited by Ana Jovanovic

Millions of people have taken DNA tests to learn more about their ancestry, biological relatives, inherited traits, and possible health risks. The process seems simple: take a saliva sample, send it to a lab, and wait for your results.

But the data behind that test is unusually sensitive. DNA is permanent, deeply identifying, and connected to your biological relatives. Unlike a password or credit card number, you can’t reset it if it’s exposed.

So, are DNA tests safe? Before sending in a sample, it’s worth understanding how a company will store your DNA, protect your account, handle research and third-party sharing, and respond to law enforcement requests, as well as whether you’ll be easily able to delete your data.

Note: This guide focuses on the privacy and security side of consumer DNA testing. It does not assess the medical accuracy, risks, or benefits of genetic tests, and it should not be treated as medical advice.

How consumer DNA tests work

Consumer DNA tests usually start with a kit you order online or buy in a store. After creating an account, you collect a saliva sample or a cheek swab, seal it in the provided tube or envelope, and mail it to the company’s lab.

At the lab, the company extracts DNA from your sample and analyzes specific points in your genetic code. The results depend on the type of test you take. Some focus mainly on ancestry and family matching. Others include health-related reports, such as carrier status for certain inherited conditions, genetic traits, wellness insights, or possible medication responses.

After testing, the company may store your physical sample, your raw genetic data, your test results, and personal information linked to your account. It may also ask whether you want to join research programs, appear in relative-matching tools, or allow certain types of data sharing.

How DNA data differs from other personal information

DNA data is personal information, but it's not quite like other sensitive data, such as email addresses, phone numbers, or passwords. There are several reasons that genetic data deserves extra care and consideration.

Genetic data is unique and permanent

Your genetic data is closely tied to you as a person. A person’s set of genomic variants helps make them biologically distinct, and genetic data can’t be reset like a password, replaced like a credit card, or changed like an email address.

The risk isn’t limited to someone seeing your account today. Even if obvious details like your name or email address are removed, genetic data can still carry identifying information. It can also become more revealing as science advances, databases grow, and researchers find new links between genetic variants, health risks, ancestry, and biological relationships. That means DNA data collected today may reveal more in the future than it does now.

Figure: Comparison showing why DNA data differs from other personal data, including uniqueness, permanence, family links, and limits of de-identification.

DNA can reveal information about relatives

DNA test results don't only reveal information about the person taking the test. Since biological relatives share parts of their DNA, one person’s results can also reveal information about parents, siblings, children, cousins, and more distant relatives. This is how consumer DNA services can suggest genetic relatives or help people learn more about their family history. But it also creates privacy concerns for relatives who never agreed to take a test or share genetic information.

Genetic data is information that can affect the family of the person tested across generations. It may reveal information about several people while identifying one person. In some cases, relative-matching results can reveal unexpected biological relationships, such as misattributed paternity, donor conception, adoption, unknown siblings, or other family information.

In other words, relative-matching tools, shared ancestry estimates, and inherited health markers can create information about family connections that other people may not expect or want revealed.

How DNA testing companies handle your data

Each DNA testing company has its own privacy policy, consent process, and retention rules. Some give you more control over sample storage, research participation, relative matching, and account deletion than others. But in general, consumer DNA testing follows the same basic path: You send in a biological sample, the company analyzes it, and the resulting genetic data becomes a part of your account.

The privacy details depend on what the company keeps after testing, how long it keeps it, how securely it stores your data, and what choices you have later. That is why you should understand the company’s privacy policy before you send in a sample.

What happens to your DNA sample after testing

After the company has received and analyzed your sample, the physical sample may be handled in different ways depending on the company and your account settings. Some companies may store your sample indefinitely unless you request destruction, while others may destroy it automatically after a set period.

The sample and the data are not always treated in the same way. Destroying a saliva sample doesn't necessarily destroy the genetic data already created from it. Deleting your account may also leave some information behind if the company needs to keep it for legal, regulatory, fraud prevention, or recordkeeping purposes.

How genetic data may be stored and secured

After testing, the company may store your raw genetic data, results, account details, consent settings, and other information linked to your profile.

DNA testing companies commonly describe security measures such as encrypted databases and strict access controls. Encryption can help protect data while it's stored or transmitted, and access controls can limit which employees or service providers can view sensitive information.

In some cases, companies may also store separate copies of certain data for backups, legal compliance, fraud prevention, or security monitoring.

Security controls reduce the risk of unauthorized access, but they don't make stored DNA data risk-free. Any company that keeps sensitive data can fall victim to a data breach, insider misuse, or accidental exposure. While those risks can’t be eliminated entirely, users can still take steps to better protect their accounts. A strong password, two-factor authentication (2FA), and careful control over sharing settings can help reduce the chance of unauthorized access.

The biggest security and privacy risks of DNA testing

The main security and privacy risks of DNA testing revolve around what happens to your genetic data after the company creates it.

Data breaches and unauthorized access

DNA testing companies store sensitive information, including genetic data, account details, family connections, and sometimes health-related reports. That makes them attractive targets for bad actors.

A breach doesn't always mean someone broke into a company’s core DNA database. In some cases, attackers may use stolen passwords from other sites to access individual accounts. This is known as credential stuffing, and it works when people reuse the same password across multiple services.

The 23andMe data breach in 2023 is a useful example. In this incident, attackers used credential stuffing to access about 18,000 user accounts, but millions of other users were also affected because they were connected to these users via certain sharing features.

According to 23andMe, the information accessed varied by account but generally included ancestry information and, for some accounts, genetics-based health information. The attackers also accessed files containing profile information about other users who had opted into the DNA Relatives feature, where users choose to share ancestry-related information with genetic matches.

Third-party sharing with researchers or partners

DNA testing companies may need to share some information with third parties to provide the basic service. For example, they may use external laboratory services and payment processors. This kind of sharing should appear clearly in the company’s privacy policy.

A separate privacy issue comes from optional data sharing for research, product improvement, or commercial partnerships. While some research programs can support useful scientific work, such as studies on ancestry, inherited traits, disease risk, or drug response, the concern is whether the company clearly explains what data it may use, whether consent is optional, who can access the data, and whether you can withdraw later.

For example, in 2023, the Federal Trade Commission (FTC) finalized an order against 1Health.io after alleging that the company failed to protect sensitive genetic and health data, misled consumers about deletion, and changed its privacy policy retroactively without proper notice and consent.

Figure: Visual summary of consumer DNA test risks, including data breaches, third-party sharing, law enforcement access, and company ownership changes.

Law enforcement access to genetic databases

Law enforcement access to genetic databases is a sensitive topic, and it often creates confusion. Many people have heard about cases where police used DNA to identify a suspect and may wonder whether that means investigators can search through their personal DNA testing account. In reality, not all genetic databases work the same way. To understand the privacy risks, it helps to separate two things: DNA testing companies and third-party genetic genealogy platforms.

DNA testing companies, such as 23andMe, AncestryDNA, and MyHeritage DNA, collect and test biological samples and create a DNA profile for the customer. These companies generally say they do not give law enforcement open access to their full databases. However, like other companies that hold user data, they may be required to provide specific information if they receive a legally valid request, such as a subpoena, court order, or search warrant.

Third-party genetic genealogy platforms work differently. Platforms such as GEDmatch do not usually collect saliva samples, send out DNA kits, or test DNA in a lab. Instead, users take a DNA test with another company, download their raw DNA data file, and upload that file to the platform. The platform can then compare that uploaded file with other users’ uploaded files to find possible genetic relatives.

This distinction matters because some law enforcement investigations use investigative genetic genealogy. In these cases, investigators may upload a DNA profile from crime-scene evidence to a genealogy platform that allows this type of search.

For example, police identified the Golden State Killer using a genealogy platform, not by searching directly through a major consumer DNA testing company’s private database. Investigators uploaded crime-scene DNA data to GEDmatch, found distant genetic relatives, and then used family-tree research and traditional investigation to narrow the search. The final confirmation came later, when police compared the suspect’s own DNA with the crime-scene DNA.

What happens if a DNA testing company is sold or shuts down?

If a DNA testing company is sold, merges with another company, files for bankruptcy, or shuts down, its databases may become part of a business transaction. That can raise difficult questions about consent and ownership.

These concerns became more prominent during 23andMe’s bankruptcy and sale process. In March 2025, 23andMe filed for Chapter 11 bankruptcy protection and entered a court-supervised sale process. It was eventually acquired by TTAM Research Institute, a nonprofit public benefit corporation led by 23andMe co-founder and former CEO Anne Wojcicki.

Under the deal, TTAM acquired most of 23andMe’s assets, including its consumer genetic testing and research services. 23andMe said TTAM would follow the company’s existing privacy policies and add privacy safeguards, including customer notices, continued rights to delete genetic data and opt out of research, and restrictions on future transfers of genetic data.

The case illustrates an important limit: the buyer can’t simply ignore existing privacy commitments. Buyers may declare that they will follow existing policies, and courts or regulators may impose conditions. Still, company ownership matters because it can affect who controls the data, what business incentives exist, and how future privacy choices are handled.

How to choose a safer DNA testing company

You can’t remove every privacy risk from a DNA test, but you can limit how much data you share and how long the company keeps it. Before ordering a kit, take a few minutes to investigate the company itself. Check who owns it, where it operates, how it handles sample storage, and whether it gives you clear options to delete your account, genetic data, raw DNA file, and physical sample.

Look for plain language around research, partner sharing, relative matching, and marketing. If a company uses vague privacy terms and makes deletion hard to understand, treat it as a red flag.

Figure: Checklist showing what to review before choosing a DNA testing company, including company ownership, operating location, sample storage rules, data deletion options, consent controls, and clear privacy language.

How to protect your DNA data before and after testing

Before and after taking a test, consider these steps:

  • Limit optional data sharing: Only opt into research, product studies, or partner sharing if you fully understand what data the company may use and who may access it.
  • Turn off public matching if you don't want relatives to find you: Relative-matching tools can help people connect with biological family, but they may also reveal family links you didn’t expect.
  • Use strong account security: Create a unique password and turn on two-factor authentication (2FA).
  • Review your profile visibility: Check your settings to see whether your name, initials, ancestry details, or family tree information appear to matches or other users.
  • Download your data carefully: If you download raw genetic data, store it securely and avoid uploading it to other services without reviewing their privacy terms.
  • Request sample destruction when possible: Some companies let you ask them to destroy your physical saliva sample after testing.
  • Request data deletion if you no longer want the service: Deleting genetic data, closing an account, and destroying a sample may be separate steps, so check what each request covers.

These steps don't guarantee complete privacy, but they can reduce unnecessary exposure and give you more control over your genetic information.

So, are DNA tests safe?

DNA tests aren’t inherently unsafe, but they do involve a privacy trade-off.

A DNA test may be worth it if you have a clear reason for taking one and understand what you’re agreeing to. For example, you may want ancestry estimates, family-matching tools, inherited trait reports, or health-related insights that help you ask better questions in a medical setting.

On the other hand, you may want to avoid a DNA test if you’re uncomfortable with long-term genetic data storage, research sharing, or the possibility that your results could reveal unexpected family information.

It's also important to think about your relatives. DNA can reveal biological connections, so your decision may affect more people than just you. If that possibility bothers you, or if you don't have a specific reason for taking the test, it may be safer to skip it.

FAQ: Common questions about DNA test safety

Can you delete your DNA data after taking a test?

Generally, yes, but each company has its own policy on data handling, so check that the company you’re using allows you to request deletion before sending your sample.

Can police access DNA test results without permission?

Police don’t have automatic access to consumer DNA testing databases. Companies typically state that they will only share customer information in response to a valid legal process, such as a warrant, subpoena, or court order.

Is at-home DNA testing covered by HIPAA?

No, at-home DNA testing is generally not covered by the Health Insurance Portability and Accountability Act (HIPAA) because the law applies to healthcare providers, health plans, and other covered entities, rather than direct-to-consumer genetic testing companies.

Can you take a DNA test anonymously?

Not completely. You can use a separate email address, initials, or a pseudonym to limit what appears in your profile, but the company still needs your DNA sample to provide the test. It may also retain account, payment, and shipping information, depending on its privacy policy. You can reduce exposure by limiting optional profile details, turning off relative matching, opting out of research sharing, and requesting sample destruction or data deletion where available.


Shauli Zacks

Shauli Zacks is a cybersecurity writer at ExpressVPN who specializes in online privacy, VPNs, and emerging digital trends. With years of experience researching and reviewing security tools, he’s passionate about helping readers take control of their data and understand the tech shaping their world. When he isn’t writing, Shauli enjoys running, traveling, and testing new gadgets.
