Consumer genetic testing was sold as recreational: ancestry pie charts, distant-cousin discovery, a few wellness reports. The privacy analysis was always darker, because genetic data breaks the assumptions the rest of privacy practice rests on. You can rotate a password. You can get a new phone number, a new email address, even a new legal name. You cannot rotate your genome, and you cannot revoke your siblings' copy of half of it.
The 23andMe Object Lesson
Three events, in sequence, mapped the failure modes of centralized genetic databases better than any hypothetical could.
The breach (2023). Attackers used credential stuffing — passwords recycled from other sites' breaches — to log into thousands of 23andMe accounts. The direct compromise was small; the blast radius was not. Because of the DNA Relatives feature, which shows matched relatives' profiles, those few thousand accounts exposed profile data linked to roughly 6.9 million people. Lists of users with Ashkenazi Jewish ancestry were compiled and offered for sale. The amplification is the lesson: in a relational database of relatives, compromising one node reads the neighborhood.
The bankruptcy (2025). 23andMe filed for Chapter 11 in March 2025, and its genetic database — the company's principal asset — went to auction. More than two dozen state attorneys general raised objections or sued over the prospect of genetic data changing hands, and users were publicly urged to delete their data while they still could. The assets ultimately went to TTAM Research Institute, a nonprofit led by 23andMe co-founder Anne Wojcicki, with privacy commitments attached — a comparatively benign outcome that nobody who submitted saliva in 2015 had any contractual guarantee of.
A privacy policy binds a company. It does not bind a bankruptcy court, an acquirer, or the market for distressed assets. Any data you hand to a company should be evaluated against the question: am I comfortable with whoever buys this database in ten years?
The precedent that predates both. In 2018, investigators identified the Golden State Killer by uploading crime-scene DNA to GEDmatch, a public genealogy database, and triangulating through the suspect's distant relatives' voluntary uploads. The technique — forensic genetic genealogy — has since closed many cold cases. Whatever you think of those outcomes, notice the mechanism: the suspect never took a DNA test. His relatives' choices were sufficient. A 2018 study in Science estimated that roughly 60% of Americans of European descent could already be identified through a third-cousin-or-closer match in genealogy databases, and coverage has only grown since.
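The amplification in the breach, and the way relatives' choices decide a person's exposure, can be modelled on a small match graph. This is an added example, not 23andMe's code or data: the account names, edges, opt-in set, and the one-hop visibility rule are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: relative-match edges between hypothetical accounts.
MATCHES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dan"),
    ("bob", "erin"), ("carol", "frank"), ("gina", "dan"),
    ("gina", "hank"), ("hank", "ivy"),
]
# Accounts opted in to relative matching; frank and ivy opted out.
OPTED_IN = {"alice", "bob", "carol", "dan", "erin", "gina", "hank"}


def build_graph(edges):
    """Undirected adjacency map: account -> set of matched relatives."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


GRAPH = build_graph(MATCHES)


def exposed_profiles(graph, opted_in, compromised):
    """Profiles readable through a set of taken-over logins (one hop only)."""
    exposed = set(compromised)  # each taken-over account exposes itself
    for account in compromised:
        if account not in opted_in:
            continue  # matching disabled: this login has no relative list
        # Only relatives who are themselves opted in appear in the list.
        exposed |= {r for r in graph[account] if r in opted_in}
    return exposed


def amplification(graph, opted_in, compromised):
    """Exposed profiles per compromised login; 1.0 means no spillover."""
    return len(exposed_profiles(graph, opted_in, compromised)) / len(compromised)


def depends_on(graph, opted_in, person):
    """Accounts whose takeover would reveal `person`'s profile."""
    if person not in opted_in:
        return {person}  # opted out: only the person's own login exposes them
    return {person} | {r for r in graph[person] if r in opted_in}


if __name__ == "__main__":
    stolen = {"alice", "gina"}
    print(sorted(exposed_profiles(GRAPH, OPTED_IN, stolen)))
    print(amplification(GRAPH, OPTED_IN, stolen))
    print(sorted(depends_on(GRAPH, OPTED_IN, "dan")))
```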
Why Genetic Data Breaks the Consent Model
Privacy law and privacy products are built around individual consent: you agree, you share, you can (in theory) delete. Genetics violates each pillar:
- Consent is collective, granted individually. Your test discloses ~50% of each parent's, child's, and sibling's genome, ~25% of each grandparent's and half-sibling's, and usable fractions of hundreds of cousins'. They get no veto and usually no notice.
- Disclosure is permanent. Deletion removes a record from one database. It does not undo downstream sharing, research transfers, breach copies, or the inferences already drawn.
- The data appreciates against you. A genome sampled today will be more interpretable in twenty years than it is now, as research links more variants to health conditions and traits. You are disclosing not what the data reveals today, but everything it will ever reveal.
What the Law Covers — and the Holes
The main US federal protection is the Genetic Information Nondiscrimination Act of 2008. GINA prohibits health insurers and employers from discriminating based on genetic information. People routinely assume it goes further than it does.
| Use of your genetic data | Covered? |
|---|---|
| Health insurance underwriting | Protected by GINA |
| Employment decisions | Protected by GINA |
| Life insurance underwriting | Not covered federally |
| Disability & long-term-care insurance | Not covered federally |
| Law enforcement / genealogy searches | Largely unregulated; varies by state & database policy |
| Sale of the database in bankruptcy | Contested case-by-case — as 23andMe showed |
Note also what doesn't apply: HIPAA covers healthcare providers and insurers, not direct-to-consumer testing companies — your hospital lab results have stronger federal protection than the genome you mailed to a startup. A few states go further (Illinois' GIPA and California's GIPA add consent and deletion rights, and CCPA-style laws classify genetic data as sensitive), but the floor in most of the US is the company's own terms of service.
A Decision Framework, Not a Lecture
Millions of people have found real value in these services — unknown parents found, health risks caught early, family histories recovered. The point is not "never test." The point is to make the decision with the actual price tag visible:
- If you haven't tested: know that the marginal anonymity you're protecting is partly gone already if several relatives have tested — and that what remains is still worth something. Consider testing under the minimum identity the service allows, and opt out of research sharing and relative matching at signup, not after.
- If you have tested: download your raw data, then use your deletion rights (and ask for sample destruction explicitly — stored saliva is re-sequenceable). Deletion is imperfect; it is still strictly better than not deleting.
- Decide about genealogy uploads separately. Uploading raw DNA to open matching databases like GEDmatch is the single highest-leverage act, because it's what makes you findable from a stranger's sample. Some databases let you opt out of law-enforcement matching — check the default.
- Talk to your family. Genuinely. A test is a household decision wearing the costume of a personal one.
The genetic database problem is the general data problem with the dial turned to maximum: identifying, immutable, collectively owned, and concentrated in entities whose lifespan is shorter than the data's. The defenses that work elsewhere work here too — minimize what's collected, distrust retention promises, prefer architectures where the operator can't hand over what matters. That last principle is why we built Haven so that message content never exists on our servers in readable form, and it's the standard worth applying to every service holding something about you that can't be changed. Your genome is the least rotatable secret you have. Price it accordingly.