Are DNA Companies Selling Information? | Know The Data Deal

Some testing firms share de-identified DNA data with partners, and a few sell access, usually only if you opt in.

At-home DNA kits feel simple: spit, seal, mail, wait. The hard part starts after the report hits your inbox. Your raw DNA file, your trait results, and even your saliva sample can keep value for the company long after you stop checking the app.

So are DNA companies selling data? Sometimes, yes. Sometimes they’re sharing it. Sometimes they’re getting paid without calling it a “sale.” The difference lives in the consent screens and policy wording most people click past.

What “selling” means with consumer DNA data

“Selling your information” can mean more than handing a named genetic file to a buyer. Money can still flow when your name is removed or when a partner gets controlled access through a portal.

Three common ways money shows up

  • Access fees: A partner pays to run queries or studies on a dataset under contract.
  • Licensing: The company licenses a dataset, a model, or findings built from customer DNA.
  • Referral economics: Your results steer you toward a product or service and the company gets a cut.

Companies often label the first two as “research collaboration” or “data sharing.” That can be accurate. It can also soften what’s happening: your coded DNA record is creating revenue.

Where your DNA data can travel after you test

A kit creates layers of data: your account details, your raw genotype file, the report you see, and sometimes the stored sample. Firms can also create derived data, like inferred traits or ancestry segments. Each layer can be stored, reused, and shared under different rules.

Account data and DNA data start linked, then get separated

At signup, your name, email, and shipping info connect to your sample. Many companies later store genetic data under a code and keep identifiers elsewhere. That reduces risk, yet it does not erase it. Genetic data is uniquely identifying, and re-linking can happen when enough clues exist.

Optional research is the biggest sharing lane

Many brands run research programs you can join. If you opt in, your coded genetic data may be used in studies and may be shared with outside collaborators. If you skip it, the company still uses your data to run the service and improve its product. What can leave the company depends on its policy and the permissions you grant.

When DNA companies sell or share data for cash

The sharper question is “Under what conditions can they get paid because my DNA exists in their systems?” Four policy areas answer that fast.

Consent toggles and default settings

Look for separate choices for internal research, external partner sharing, and marketing use. A single “agree” button that bundles everything is a red flag. You want granular switches with plain language.

De-identification promises and their limits

“De-identified” usually means names and direct contact details are removed. That helps, but genetic data can still point back to a person when combined with other data or when relatives also test. Treat de-identification as risk reduction, not a magic eraser.

Retention for raw files and samples

Some firms store your saliva for retesting or product upgrades. Others keep only the digital file. Retention matters because stored material can be reused if the company changes hands or changes its policy terms.

Policy change language

Watch for clauses that let the company change terms and treat continued use as acceptance. The FTC has taken action against a genetic testing firm for unfairly changing privacy promises and for weak safeguards around genetic data. The FTC case against 1Health shows how regulators view policy flip-flops.

How consumer DNA testing is regulated in the U.S.

Many people assume DNA kit data is handled like medical records. Often it isn’t. Rules depend on the company, what it offers, and which legal category it fits.

Clinical records and kit accounts are not the same bucket

HIPAA covers certain “covered entities” like health plans and many healthcare providers, plus their contracted partners. If a DNA kit company is not a covered entity or business associate, HIPAA rules do not bind it. HHS explains that organizations outside those definitions do not have to follow HIPAA’s rules. The HHS overview of covered entities lays out the boundary.

FDA oversight is about test performance, not your data use

The FDA watches certain direct-to-consumer tests as medical devices, with attention on how the test works and what claims it makes. It’s useful for judging test quality, not for guaranteeing how a company will use your data. The FDA direct-to-consumer tests page explains what these tests are.

Genetic discrimination laws help, yet they have limits

In the U.S., GINA blocks certain uses of genetic data in health insurance and employment. It does not cover every type of insurance and it does not stop a DNA company from sharing data you agreed to share. The National Human Genome Research Institute lays out what GINA covers and what it leaves out. The NHGRI overview of genetic discrimination and GINA is a clear baseline.

| Sharing or revenue path | What may move | What to check before you agree |
|---|---|---|
| Optional research program | Coded genetic data, survey answers, derived traits | Separate opt-in, partner limits, withdrawal steps |
| External collaborator | De-identified individual-level data or summary sets | Whether individual-level data can leave the company |
| Aggregate reports and publications | Statistics from many users | How aggregation is defined, release review process |
| Product improvement | Internal reuse of coded data and derived traits | Limits on reuse after account deletion |
| Marketing and cross-promotion | Contact data, interest signals, sometimes traits | Separate marketing toggle, opt-out path |
| Partner access portal | Query access to a dataset | Rules that block small-group targeting |
| Acquisition or restructuring | Account database, raw files, derived datasets | What happens to your permissions if ownership changes |
| Law request | Account identifiers, matching data | Warrant rules and transparency reporting |

Real risks people miss when they only think about “selling”

Even when a policy says “we don’t sell,” three risks stay on the table: relatives, breaches, and re-identification.

Relatives can be pulled into the picture

Your file can reveal shared segments with parents, siblings, and cousins. A matching feature is the point of many kits, yet it also means your choice can expose family links other people didn’t ask for.

Breaches can leak what policies never would

A company can promise “no selling” and still lose data through a breach. That’s why security posture matters as much as partnership language. Look for multi-factor login, breach history, and a clean account deletion path.

Re-identification is rare, yet it’s not fantasy

Re-identification is harder when a dataset is handled well. Risk rises when genetic data meets public genealogy trees, location clues, or rare trait combos. Treat this as a low-probability, high-cost risk, the same way you treat identity theft.

What to do before you buy a DNA kit

If you want the fun parts of testing with fewer surprises, set your guardrails before you mail your sample.

Pick a company based on controls, not marketing

  • Separate switches for research, partner sharing, and marketing.
  • A clear option to request sample destruction.
  • A clear option to download your raw file before deletion.
  • Plain language on what happens if the company is sold.

Use strong login hygiene from day one

Your genetic file is only as safe as your account access. Use a unique password and turn on multi-factor auth if it’s offered. If you want less noise, use a dedicated email for the kit.

Skip optional research if you’re unsure

You can still get ancestry and trait reports without joining research in many services. If you feel torn, skip it at first. You can opt in later after reading the details with a calm head.

What to do after your results arrive

Most damage control happens after the report, not before it. Take ten minutes, then you’re set.

Audit your settings the same day

Open account settings and check every toggle. Turn off any sharing choice you didn’t mean to enable. Look for a separate switch that covers outside collaborator sharing if it exists.

Decide on sample retention

If the company lets you request destruction of the physical sample, decide whether you want that. Keeping it can allow retesting. Destroying it reduces a long-term asset the company controls.

Download your raw data, then store it safely

If you want a copy, download the raw file while the account is active. Store it in an encrypted location or a password-protected archive. Then you can delete the account without losing access to your file.

Close accounts you no longer use

Unused accounts become soft targets. If you’ve gotten what you need, request deletion and sample destruction if offered. Keep the confirmation email.

| Account action | What it usually changes | Trade-offs |
|---|---|---|
| Opt out of research | Stops new use of your coded data in research programs | Past uses may stay in completed studies |
| Turn off partner sharing | Blocks new sharing outside the company | Existing transfers may not be pulled back |
| Disable matching | Limits how others can find you through the match system | You lose cousin match features |
| Request sample destruction | Removes stored saliva for retesting later | No easy retest without a new kit |
| Delete your account | Ends access and starts deletion of stored data | Some data may be kept for legal or billing needs |
| Download your raw file | Gives you a copy under your control | You must store it safely |

How to read a DNA company policy without getting lost

Policies can be long, yet you can scan with purpose. Paste this list into a note app and tick it off as you read.

Policy checklist you can run in five minutes

  • Sale wording: “Sell,” “share,” or “receive compensation.”
  • Partner types: Research groups only, or commercial firms too?
  • Individual-level sharing: Can data about one person leave the company?
  • Deletion: Are deletion and sample destruction separate steps?
  • Ownership change: What happens if the company is sold?
  • Law requests: Warrant rules and request stats.

Are DNA Companies Selling Information? in plain English

Some companies earn money from partner access to genetic datasets, often after you opt in. Even when names are removed, the data still carries risk. If you want fewer surprises, your best tools are consent settings, sample destruction choices, and account deletion when you’re done.
