I sent my spit sample to a consumer genetics company once — out of curiosity, a little nostalgia hunt for ancestors, and a desire to know if there was anything actionable about my health. The results landed in my inbox weeks later and opened up more questions than answers. Since then, I’ve thought a lot about what I wish I had asked before I uploaded my DNA. If you’re considering services like 23andMe, AncestryDNA, MyHeritage, or newer entrants, here are the practical, ethical, and legal questions I now think everyone should ask themselves first.
What exactly will the company do with my DNA?
Start with the basics: read the terms of service and the privacy policy (yes, really). Ask how the company stores your genetic data, whether it retains the physical sample, and for how long. Some companies keep the saliva or DNA sample after analysis; others say they discard it. Ask whether they keep just your genotype data (the digital file) or also sequence-level data — the latter is more sensitive.
Who can access my genetic data — now and later?
Companies vary widely about third-party sharing. I insist on knowing whether my data can be shared with:
Many services allow you to opt in or out of research programs; some provide broad language that lets them share de-identified data widely. But “de-identified” is not absolute — genetics is inherently identifiable, and re-identification is possible. If you care about commercial uses, look for a clear, user-friendly opt-out for research and data sharing.
Can law enforcement access my data?
This is one of the most important practical questions. Policies differ: some companies will comply with legal requests like warrants; others have stricter procedures or say they only respond to court orders. Also ask if they’ve ever voluntarily cooperated with law enforcement, and whether your data could be part of investigations into relatives (because it often will be). If there’s a chance a family member’s DNA could implicate you, that’s a decision you should weigh deliberately.
What happens to my data if the company is sold, merges, or goes bankrupt?
Corporate change is common in tech. Ask about data portability and company obligations in a sale. Some privacy policies allow data transfer as part of a corporate transaction; others promise to notify users. In practice, that notice might be buried in legalese.
Can I delete my data, and how permanent is deletion?
Deletion policies matter. Some services promise to delete your account and genetic data upon request; others keep anonymized copies for internal use. Ask whether deletion removes physical samples, genotype files, and any data that has been shared with third parties. Also find out how long deletion requests take to process.
Is the genetic information clinically validated and actionable?
Genetic testing for ancestry is different from clinical genetic testing. Consumer tests may report health risks (like BRCA variants) but they’re not a substitute for medical-grade testing. I always ask whether results are clinically validated, whether the company offers genetic counseling or referrals, and how they handle potentially serious findings. If a company offers health reports, check whether they have regulatory approvals (e.g., FDA clearance) for those reports.
Will I get raw data, and can I download it?
Raw data export is important if you want to move your results elsewhere or run your own analyses. Most major services let you download raw genotype files, but formats vary. If you plan to upload to third-party analysis services (for deeper health reports or trait predictions), check compatibility and the privacy practices of those third parties.
How accurate and comprehensive are ancestry results?
Ancestry reports depend on reference populations and algorithms, both of which evolve. Expect that results will change as databases grow. If you have a specific genealogical question — e.g., potential Indigenous ancestry or very recent admixture — know that accuracy can be limited or biased depending on how well the company’s reference panels represent those populations.
Will my relatives be affected?
Your DNA isn’t just yours. Uploading your data can reveal relatives to others and may surface unexpected family relationships — adoptions, misattributed parentage, or relatives you didn’t know existed. Consider discussing your plans with close family members, especially if you’re in a close-knit family or concerned about revelations that could be disruptive.
What security protections are in place?
Ask about encryption (at rest and in transit), authentication options (two-factor authentication is a must), breach notification policies, and any history of hacks or data exposures. Genetic databases have been targets for criminals and for misuse. Robust operational security matters.
How do they price and what’s the long-term cost?
Beyond the initial test price, consider subscription models or paid upgrades for health reports, enhanced ancestry features, or access to new analyses. Some companies later introduce fees for features that were initially free. Also ask about refund policies if you change your mind before or after sending your sample.
Do they offer support from genetic counselors or experts?
Receiving unexpected disease-risk information can be stressful. I value companies that provide access to trained genetic counselors (even for a fee or referral) and clear, plain-language explanations of what a result means and doesn’t mean. If a company doesn’t offer counseling, plan how you’ll get follow-up support from a clinician who understands genetics.
Are there restrictions on where I can use the service?
Some genetic services limit their health reports by country because of local regulations. If you travel a lot or live overseas, confirm whether the company will provide the full suite of services in your jurisdiction and whether cross-border data transfer is involved.
How will updates and reinterpretations be handled?
Genetics is fast-moving. Companies sometimes reanalyze data and provide new insights or revised risk estimates. Ask whether updates are automatic, whether they require re-consent, and how you’ll be notified. Also find out whether reinterpretations might rely on new external partnerships.
What are the limitations and known risks?
No test is perfect. False positives and negatives happen. Consumer tests often capture single-nucleotide genotypes, not whole genomes, and miss structural variants. If you have a family history suggesting inherited disease, a clinical-grade test ordered through a healthcare provider is usually the safer route.
How transparent is the company about research and publications?
I look for companies that publish methodology, validation studies, and transparent research collaborations. Public-facing science shows a level of accountability. If the company is involved in drug discovery or partnerships with pharma, I want clear explanations of how participants benefit (if at all) and what consent processes exist for research participation.
| Question | Why it matters |
|---|---|
| Data sharing with third parties | Impacts privacy and commercial use of your DNA |
| Law enforcement access | Can affect you or relatives even without criminal involvement |
| Deletion policy | Determines control over your data life-cycle |
| Clinical validation | Affects medical usefulness and follow-up steps |
| Raw data export | Enables portability and further analysis |
When I weigh these questions, I balance curiosity with caution. For some people, ancestry and community-building are worth the trade-offs; for others, the privacy and legal uncertainties are deal-breakers. If you decide to go ahead, choose a service whose policies you understand and whose values align with your own. And keep copies of the terms and privacy policy at the time you sign up — companies change, but your original consent matters when disputes arise.