Our findings fall into three main categories: expansive permissions granted to companies regarding DNA (and non-DNA) data when consumers opt into research, overcollection of non-DNA data, and oversharing of non-DNA data.
Expansive Research Permissions
The five companies whose apps we evaluated say they provide customers the option to opt into “research” conducted with the use of customers’ de-identified or aggregated DNA and other data. But our experts say that this research may in some cases not be the kind of altruistic research customers imagine and that opting in can mean sharing with third parties more than just your de-identified DNA. While our analysis found that the protections for a person’s DNA data for the most part appeared relatively solid, opting into research opens up potential vulnerabilities.
We closely evaluated the policies regarding research and the informed consent forms for four of the five companies in our study: 23andMe, Ancestry, GenoPalate, and MyHeritage. (We excluded Circle DNA from this part of the analysis because its platform does not allow access to the full user interface without valid DNA test results; therefore we were unable to view the company’s research consent form or evaluate the user experience of a typical customer.)
23andMe told CR that more than 80 percent of its customers do opt into allowing their data to be used for research. “While customers have different reasons to opt into research, many are doing so out of a desire to contribute to and accelerate scientific and medical discovery,” says Jacquie Haggarty, vice president, deputy general counsel, and privacy officer at 23andMe.
All four of the companies ask their customers to proactively opt into such research, rather than including them in research by default and requiring them to opt out, which is a plus for consumers. However, what consumers are opting into isn’t always as clear as it could be, says CR’s Fitzgerald. For instance, “research” could mean scientific studies conducted by third-party academic institutions, which people may view as a way to contribute to the common good. “They understand the advances that can be made in science through the sharing of genetic information. And people want to help with that,” says Jennifer Lynch, surveillance litigation director at the Electronic Frontier Foundation (EFF), who wasn’t involved in our study.
However, in some cases it could also mean internal research intended for the company’s own product development. “Several companies have language that implies or outright states that new products could be developed from data accessed under research terms, which indicates a very fuzzy line between scientific research and corporate product development,” Fitzgerald says. At GenoPalate, for example, the lead investigator on scientific studies conducted with consumers’ DNA data is also the CEO of the company. GenoPalate told CR that all data used for research is de-identified, and that, “All research efforts go through strict IRB approvals which are very sensitive about protecting research participants’ privacy.” (IRB stands for the institutional review board, which is a group of people convened to review and approve proposals for research involving human subjects.) And MyHeritage also states in its privacy policy that customers’ shared DNA data could be used “to improve and develop new products and services.”
Our experts say that the permissions granted when consumers opt into research are likely more expansive than consumers may realize since they often include permission for third-party researchers to receive not just de-identified DNA information, but any other information you share or that the company collects about you, which can include self-reported health information and information about relatives. Ancestry’s research permissions include the use of any data shared with the company, including data shared in the future. 23andMe notes that ongoing analysis using your data could occur.
As MyHeritage’s research consent form is particularly careful to point out, because of the unique nature of the information you share, there will always be a risk of you being reidentified by the DNA info you provide—even if it is de-identified.
Data Overcollection
While consumers may willingly share a great deal of information with these companies, we found that the companies collect additional data, too, in some cases giving them a detailed profile of individual users that goes far beyond their DNA.
During our testing in 2021, the Android apps we evaluated all declared broad permissions that could support data overcollection. Specific permissions included the ability to read contacts, the ability to track a person’s precise location, and the ability to collect precise information about a person’s phone, among others.
By themselves, each of these permissions is not a sign of a company doing something nefarious. For example, when we asked 23andMe why their Android app requests the use of your biometric data, the company told us that this allows consumers to unlock the app using the fingerprint stored with their phone and that 23andMe never accesses the actual fingerprint.
And some apps may include permissions that are never actually used. GenoPalate, for example, told us that several permissions we asked about, including the use of fingerprint and biometric data and access to a user’s contacts, aren’t ever actually requested from the user. “Some software libraries we use declare those permissions by default, but they are never requested nor used,” GenoPalate’s CEO Sherry Zhang, Ph.D., told us.
Still, CR’s experts say customers’ privacy would be better protected if permissions never used by an app weren’t declared in the first place. “Collectively, looking at the sum of what’s allowed by these permissions, and the way data are handled as defined by privacy policies, overly broad permissions create the potential for data collection that does not directly benefit consumers, and is not necessary for the service,” says CR’s Fitzgerald.
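For developers who want to act on that advice, the following is an added example (not code from Consumer Reports or any of the companies named) that compares an app's own Android manifest with the merged manifest produced by the build and lists sensitive permissions that only arrived through libraries. The sample manifests, the package name, and the mapping of permission names to the categories discussed above are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Real Android permission names; mapping them to the article's categories
# is this example's assumption.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_PHONE_STATE": "phone identity and state",
    "android.permission.USE_BIOMETRIC": "biometric unlock",
    "android.permission.USE_FINGERPRINT": "fingerprint unlock",
}

def _manifest(*perms):
    """Build a constructed sample manifest declaring the given permissions."""
    rows = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.dnaapp">{rows}</manifest>')

# Constructed samples: what the app's developers wrote, and the merged result
# after the build pulled in permissions declared by bundled libraries.
APP_MANIFEST = _manifest("INTERNET", "USE_BIOMETRIC")
MERGED_MANIFEST = _manifest("INTERNET", "USE_BIOMETRIC", "USE_FINGERPRINT",
                            "READ_CONTACTS", "ACCESS_FINE_LOCATION")

def declared_permissions(manifest_xml):
    """Return every permission name a manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        found.update(el.get(NAME) for el in root.iter(tag) if el.get(NAME))
    return found

def audit(app_xml, merged_xml):
    """Split sensitive permissions in the merged manifest by where they came from."""
    own = declared_permissions(app_xml)
    report = {"declared_by_app": [], "inherited_from_libraries": []}
    for perm in sorted(declared_permissions(merged_xml)):
        if perm in SENSITIVE:
            key = "declared_by_app" if perm in own else "inherited_from_libraries"
            report[key].append(perm)
    return report

def removal_entries(perms):
    """Manifest-merger entries that drop a permission (needs xmlns:tools on <manifest>)."""
    return [f'<uses-permission android:name="{p}" tools:node="remove"/>' for p in perms]

if __name__ == "__main__":
    result = audit(APP_MANIFEST, MERGED_MANIFEST)
    print(result)
    print("\n".join(removal_entries(result["inherited_from_libraries"])))
```

Adding the generated `tools:node="remove"` entries to the app's own manifest keeps unused, library-declared permissions out of the shipped app, which is the outcome CR's experts recommend.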
In many instances, the apps and websites collect data about you that you didn’t share, but that the company collects from third parties, a practice known as “data augmentation.” (Full disclosure: Consumer Reports also employs data augmentation to collect data from third parties about our members. Read more about our privacy policy and principles.)
In the privacy policies we evaluated for these services, the sources of data listed are broad, and include, in some cases, newspapers, birth records, marriage records, third-party advertising companies, census records, immigration lists, and social media sites. For sites like Ancestry, MyHeritage, and 23andMe, which are also providing genealogy information, some of this broader data augmentation makes sense. However, the privacy policy language allowing this data augmentation can be very broad. MyHeritage, for example, also includes a generic category of "other records," making it difficult to imagine a source of data that would not fit this broad definition. MyHeritage didn’t respond to any of our requests for comment.
We asked the companies we evaluated to tell us which sources they use to augment customer data. Ancestry told us they incorporate demographic data from credit reporting company Experian. The purpose, a spokesperson told us, is “for analysis and understanding of purchase and usage trends, which help Ancestry improve our product and marketing. Ancestry does not use Experian data for any targeting of individual users across the web.”
23andMe told us that while it may receive data from users’ social media accounts, “in the spirit of data minimization and purpose limitation principles, we limit the use and retention of such data.”
Both Ancestry and 23andMe pointed out that customers can download all the data each company has on them, including from data augmentation sources. Circle DNA and GenoPalate told CR that users can request records of the personal data collected on them, though this isn’t spelled out in the companies’ privacy policies (except in the case of GenoPalate, which outlines the ability to request data only for California residents).