Who Owns Your DNA Data? Privacy, Consent, and What Happens When a Testing Company Changes Hands

Direct-to-consumer DNA testing can feel like a small, contained choice: you buy a kit, you spit in a tube, and a few weeks later you learn something interesting about your ancestry or potential health traits. But the data created by that simple act is not like a credit card number you can replace if it’s compromised. Genetic data is uniquely personal, uniquely durable, and uniquely shared. It does not just describe you; it describes the people you are related to, too. That is why the question who owns your DNA data keeps coming up, especially when headlines remind the public that companies can be acquired, reorganized, or even sold in bankruptcy.

For families navigating loss, these questions can show up in unexpected ways. Sometimes a DNA test is part of genealogy and storytelling. Sometimes it’s tied to health questions that matter to children or siblings. And sometimes, after a death, a family is faced with urgent, practical decisions about preserving biological material for answers that could protect the living. Funeral planning usually starts with what is immediate and visible, but privacy and long-term data control deserve a place on the list, too.

What “ownership” really means in consumer DNA testing

When people ask about ancestry DNA data ownership, they often mean, “Do I control it the way I control my property?” In the U.S., the answer is usually more complicated. In many consumer contexts, your relationship to your genetic information is governed by a mix of contract terms (what you agreed to when you clicked “accept”), privacy policies (which can change), and a patchwork of laws that differ by state. The practical result is that “ownership” often matters less than “rights”: what you can access, what you can delete, what you can opt out of, and what can be transferred if the company changes hands.

It also helps to separate three things that consumers often bundle together as “my DNA.” First, there is the physical sample you send in. Second, there is the raw or processed genetic data extracted from that sample. Third, there are the interpretations and reports generated from that data. Different laws and policies may treat those differently, and different companies may offer different controls over each one. That is why consumer DNA testing privacy starts with reading the fine print, even when you would rather not.

Genetic data is personal, but it is also shared

Genetic information is not only about identity; it’s also about relationships. That is one reason DNA database risks are hard to reduce to a single person’s decision. A DNA profile can help match relatives. It can reveal unknown family connections. It can sometimes expose misattributed parentage, donor conception, or other deeply personal family truths. And on the health side, genetic findings can be relevant to siblings, parents, and children who share inherited risks.

This “shared” quality changes the ethics of consent. You may be able to click a button to participate in research, but your decision can have ripple effects. That is part of what makes genetic data consent different from consent for most other consumer data practices.

The privacy gap: why HIPAA is not the safety net many people assume

Many families assume genetic data is protected like medical records. In reality, U.S. health privacy law (HIPAA) is focused on “covered entities” such as health care providers, health plans, and health care clearinghouses, and on certain “business associates” working with them. The U.S. Department of Health and Human Services explains who is covered under HIPAA, and direct-to-consumer testing companies are often outside that definition because they are not acting as your doctor or your hospital. That means your consumer genetic test data may not receive the HIPAA protections you expect.

Other federal protections exist, but they are narrow. The Genetic Information Nondiscrimination Act (GINA) prohibits certain kinds of discrimination in health insurance and employment based on genetic information, but it has meaningful limits, including that it does not cover life, long-term care, or disability insurance. National Human Genome Research Institute

So when people talk about DNA privacy rights and genetic privacy law, what they are often describing is a landscape where protections depend heavily on state law, company policy, and your own decisions about opt-in consent, data sharing, and deletion.

State laws are evolving, but the U.S. still looks like a patchwork

In the absence of a single comprehensive federal genetic privacy law, states have taken different approaches. Washington’s My Health My Data Act is one example of a consumer health privacy framework that explicitly defines “genetic data” broadly and gives consumers rights to access, withdraw consent, and request deletion. Washington State Legislature 

California has also emphasized consumer controls for genetic information. During the public scrutiny around 23andMe’s financial distress and bankruptcy process, California’s attorney general highlighted rights under the state’s Genetic Information Privacy Act (GIPA), including the ability to delete genetic data, destroy a biological sample, and revoke consent for collection, use, and disclosure. California Department of Justice

For families, the practical takeaway is not to memorize every statute. It is to recognize that your rights may depend on where you live, where the company operates, and what you agreed to. If you are asking yourself whether a delete dna data request will actually be honored, the answer often depends on those details.

The three consent questions that shape almost everything

When people raise 23andMe privacy concerns or worries about other testing companies, the heart of the issue usually falls into three consent buckets: research, sharing, and retention.

Research consent is a major one because consumer genetic companies often rely on aggregated data for scientific and commercial research partnerships. For example, 23andMe has publicly stated that a large share of its customers opted in to participate in its research program. 23andMe Media Center

Data sharing consent is the second bucket, and it is broader than most people think. It can include sharing with research partners, service providers, and sometimes integration with other tools or platforms. Many companies also disclose that they may respond to lawful requests from governments or law enforcement, or that certain uses may be permitted or required by law. If you want to understand dna testing data sharing, don’t stop at a marketing page. Look for the actual language about “third parties,” “service providers,” “affiliates,” and “change of control.”

Retention consent is the third bucket: how long the company keeps your sample and data, whether you can request destruction, and what happens to backups, archives, and derivative datasets. Even when deletion is offered, policies often explain that some information may be retained for legal compliance, fraud prevention, or operational reasons, and that de-identified or aggregated data may not be retrievable in the way you imagine.

What happens when a company is sold, acquired, or goes bankrupt

This is the moment when “ownership” becomes a real-world question. In many corporate transactions, databases are assets. A buyer may acquire physical equipment, patents, and customer information as part of a deal. That reality is one reason legal scholars and privacy advocates have worried about what happens when consumer genetic databases are part of a sale process.

The 23andMe bankruptcy and sale process became a public example of that anxiety. Reuters reported that Regeneron announced an agreement to acquire 23andMe through a bankruptcy auction, emphasizing ethical use and privacy commitments while lawmakers and observers raised concerns about the fate of sensitive genetic data. Reuters

In bankruptcy, courts sometimes appoint a consumer privacy ombudsman to evaluate how personal data is treated during a sale. That oversight can matter, but it is not the same thing as you controlling the outcome. A Harvard Gazette interview about the 23andMe situation emphasized that, because direct-to-consumer genetic data is often outside HIPAA, consumers may have limited say over what happens if a company is taken over or its assets are sold. Harvard Gazette 

Another risk in these transitions is policy drift. A company might promise continuity, but privacy policies can be updated, and corporate restructuring can change incentives. The Federal Trade Commission has also made clear that retroactive privacy policy changes and misleading deletion promises can trigger enforcement. In a 2023 action involving genetic testing company 1Health.io, the FTC alleged, among other things, deception about deletion and unfair retroactive changes to privacy policies without adequate notice and consent. Federal Trade Commission

None of this means that using consumer DNA testing is inherently unsafe. It does mean that if you want durable control, you have to plan for corporate change as a normal possibility, not a rare worst case.

The practical privacy questions to ask before you test

When families want a clear way to evaluate a testing company, the best approach is to treat it like any other high-stakes data relationship: ask what is collected, what is shared, what is retained, and what you can revoke. If you are trying to make sense of DNA privacy rights in everyday language, these questions tend to reveal the true shape of the relationship:

• What exactly will be stored: sample, raw data, reports, or all of the above?
• Is research participation opt-in, and can you withdraw later?
• Does the company share data with partners, and do you have separate controls for different types of sharing?
• What happens to your data if the company is sold, merges, or enters bankruptcy?
• Can you submit a delete dna data request, and does that include sample destruction?
• Do they explain how deletion applies to backups, archives, and de-identified datasets?
• Do they have a track record of transparency about security incidents and policy changes?

If the answers are vague, that is also an answer. Vague policies are where “consent” can quietly become something you would not have agreed to if the language were plain.

What to do if you already tested and you are reconsidering

If you already have results and are feeling uneasy, the goal is to regain as much control as the platform allows. Start by downloading any data you want to keep, because deletion may be irreversible. Then review your settings for research participation, sharing preferences, and account status. The California attorney general’s consumer alert during the 23andMe bankruptcy process specifically highlighted deletion, sample destruction, and revoking consent under California law. Even if you are not in California, that alert is a useful illustration of the kinds of controls some consumers may have. California Department of Justice

It is also wise to treat your genetic testing account like a high-value account: use a unique password, enable any available security features, and pay attention to breach notifications. If your concern is not just privacy but your family’s emotional stability, consider having a calm, explicit conversation about what you would want done with the data if you died unexpectedly. That single conversation can prevent conflict later.

Why this belongs in end-of-life planning and family preparedness

For Funeral.com readers, this topic is not abstract. After a death, families often discover that “data” is part of the estate, even when no one used that word. Families close bank accounts, manage subscriptions, and memorialize social media profiles. The same framework applies to genetic accounts: access, authority, consent, and closure.

If you want a practical starting point, Funeral.com’s guide to digital legacy planning can help you think about passwords, account access, and how to leave clear instructions without putting security at risk. And if you are handling logistics after a loss, Digital Accounts After a Death explains why many platforms require proof of death and proof of authority, such as executor documentation, when families request deletion or access. Notifying Banks After a Death is another reminder that “authority” is often a document, not just a relationship.

There is also a uniquely sensitive intersection between genetics and funeral planning when a death is unexpected or medically unclear. Families sometimes consider preserving genetic material for future answers that could protect living relatives. Funeral.com’s guide to DNA banking after death explains why early collection matters and how disposition choices such as cremation can affect later options.

In other words, the question is not only who owns your DNA data while you are alive. It is also what you want to happen to it when you are not here to click the buttons yourself. Families who plan for this reduce the chance of rushed decisions, misunderstandings, or irreversible choices made under stress.

A calm way to think about control

If you want a single mental model, think in layers. Your strongest control usually exists before you test, when you can choose whether to participate and which company to trust. Your next-best control is in your settings: research opt-in, sharing preferences, and security. Your third layer of control is legal: what your state allows you to access, delete, or revoke, and what must be disclosed. And the final layer is preparedness: leaving instructions so your family knows what you wanted, and so your executor is not guessing.

Genetic data is powerful, and it can be meaningful. It can also be sensitive in ways that don’t show up until years later, especially when a company’s incentives change. If you treat genetic privacy law as a moving landscape, and treat your consent decisions as something you can revisit, you will be far closer to real control than the word “ownership” suggests.