DNA Testing Privacy Risk Scores 2026
Quantified privacy risk assessment for 8 major consumer DNA testing companies. Each provider scored on a 0–100 scale across six dimensions: de-identification strength, breach history, law enforcement access, third-party data sharing, data deletion difficulty, and jurisdiction risk. Based on privacy policy analysis, public records, and user-reported experiences.
Citable Dataset — CC BY 4.0
This analysis is licensed under Creative Commons Attribution 4.0. You may cite, reference, and republish this data with attribution to ChronosGenomics Research Team.
Executive Summary
Key Findings
- 23andMe scored highest risk (62/100): 2023 breach affecting 6.9M users, bankruptcy, TTAM acquisition, and congressional scrutiny over data sales create compounding privacy concerns
- FamilyTreeDNA scored medium-high (55/100): Open law enforcement cooperation for cold-case investigations, according to public reporting by BuzzFeed News
- Living DNA scored lowest risk (25/100): UK/GDPR jurisdiction, no known breaches, no law enforcement partnerships, no third-party data sharing based on privacy policy analysis
- GDPR jurisdiction reduces risk: Companies under EU/UK data protection law scored 8–15 points lower on average than US-based counterparts
- Breach history is the strongest predictor: MyHeritage (2018) and 23andMe (2023) carry permanent penalty points regardless of subsequent improvements
This whitepaper introduces a quantified privacy risk scoring methodology for consumer DNA testing companies. Each company is evaluated across six dimensions on a composite 0–100 scale, where higher scores indicate greater privacy risk. Scores are derived from:
- Privacy policy analysis — systematic review of each company's current privacy policy, terms of service, and data processing agreements
- Public breach records — documented data breaches via Have I Been Pwned, SEC filings, and news reporting
- Regulatory filings and legal proceedings — bankruptcy filings, FTC actions, class-action lawsuits, and congressional testimony
- User-reported deletion experiences — community surveys (n=300+) on data deletion timelines and completeness
Intelligence Aggregation Disclaimer
ChronosGenomics is an intelligence aggregation platform, not a testing laboratory. We do not conduct penetration testing, access proprietary systems, or audit company infrastructure. All assessments are based on privacy policy analysis, publicly available records, regulatory filings, and user-reported experiences. Scores reflect publicly observable risk indicators as of March 2026.
Scoring Methodology
Each company is scored across six dimensions. Scores are additive, producing a composite risk score from 0 (lowest possible risk) to 100 (highest possible risk). For detailed methodology on how we evaluate DNA testing companies, see our full methodology page.
De-identification Weakness
0–20 points. Evaluates how effectively the company anonymizes stored genetic data, based on privacy policy language around pseudonymization, encryption, and separation of identifiers from genomic data. Companies claiming blockchain-based de-identification or end-to-end encryption score lower (better). Companies storing linked PII alongside raw genetic data score higher (worse).
Breach History Penalty
0–10 per breach (uncapped). Each documented data breach adds 0–10 penalty points based on severity. Scoring factors: number of affected users, type of data exposed (email/password vs. genetic data vs. health reports), time to disclosure, and whether genetic data was directly compromised. Based on public records from Have I Been Pwned, SEC filings, and news reporting.
Law Enforcement Access
0–20 points. Assesses the company's transparency report and stated policy on responding to law enforcement requests. Companies that require valid warrants and publish transparency reports score lower. Companies that proactively cooperate with law enforcement (e.g., voluntary cold-case partnerships) score higher. Based on privacy policy analysis and public reporting.
Third-Party Data Sharing
0–20 points. Evaluates whether genetic or phenotypic data is shared with pharmaceutical companies, research institutions, advertisers, or other third parties. Scoring differentiates between opt-in research sharing (lower risk), opt-out sharing (higher risk), and alleged undisclosed sharing (highest risk). Based on privacy policy terms, published research partnerships, and legal filings.
Data Deletion Difficulty
0–20 points. Measures how easy it is for users to fully delete their genetic data and account. Scoring factors: availability of self-service deletion, stated timeline for completion, whether deletion is verifiable, and whether data persists in de-identified research pools post-deletion. Based on privacy policy analysis and user-reported deletion experiences (n=300+ community survey responses).
Jurisdiction Risk
0–20 points. Assesses the data protection regime governing the company. EU/UK GDPR companies score lowest (strongest consumer protections). US companies under state-level patchwork laws (no federal genetic privacy law) score highest. Companies in jurisdictions with specific genetic data protections (e.g., Illinois GIPA) receive partial credit. Based on registered headquarters and applicable regulatory framework.
Composite Score Interpretation
Privacy Risk Score Results
| Company | Legal Entity | Composite Score | De-ID | Breach | LEA | Sharing | Deletion | Jurisdiction | Risk Level |
|---|---|---|---|---|---|---|---|---|---|
| Living DNA | Living DNA Ltd. (UK) | 25/100 | 5 | 0 | 2 | 3 | 8 | 7 | LOW |
| Dante Labs | Dante Labs S.r.l. (Italy) | 32/100 | 6 | 0 | 4 | 5 | 10 | 7 | LOW-MEDIUM |
| Sequencing.com | Sequencing.com Corp. (US) | 35/100 | 5 | 0 | 6 | 4 | 6 | 14 | LOW-MEDIUM |
| DNA Complete | ProPhase Labs (US) | 38/100 | 4 | 0 | 6 | 10 | 4 | 14 | MEDIUM |
| MyHeritage | MyHeritage Ltd. (Israel) | 42/100 | 6 | 8 | 5 | 5 | 8 | 10 | MEDIUM |
| AncestryDNA | Ancestry.com LLC (US) | 45/100 | 8 | 0 | 8 | 8 | 7 | 14 | MEDIUM |
| FamilyTreeDNA | Gene by Gene Ltd. (US) | 55/100 | 7 | 0 | 18 | 5 | 11 | 14 | MEDIUM-HIGH |
| 23andMe | 23andMe Holding Co. (US) | 62/100 | 10 | 10 | 8 | 12 | 8 | 14 | HIGH |
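The additive scoring described in the methodology can be checked directly against the table. The following is an added example, not ChronosGenomics' own code: it recomputes each composite from the six dimension columns, enforces the stated ranges, and measures the spread of each dimension across companies. The names `row`, `composite`, `mismatches`, `spreads` and `worst_case` are illustrative, and the breach column is modelled as one penalty per documented breach.

```python
# Added example (not ChronosGenomics code): recompute the composite scores
# from the per-dimension columns of the results table and check the ranges
# stated in the methodology. Function and field names are illustrative.

CAPS = {"de_id": 20, "lea": 20, "sharing": 20, "deletion": 20, "jurisdiction": 20}
PER_BREACH_CAP = 10  # 0-10 points per breach; the number of breaches is uncapped


def row(name, published, de_id, breaches, lea, sharing, deletion, jurisdiction):
    """One table row; `breaches` holds one penalty per documented breach."""
    return {"name": name, "published": published, "breaches": breaches,
            "dims": {"de_id": de_id, "lea": lea, "sharing": sharing,
                     "deletion": deletion, "jurisdiction": jurisdiction}}


# Values transcribed from the results table on this page.
TABLE = [
    row("Living DNA", 25, 5, [], 2, 3, 8, 7),
    row("Dante Labs", 32, 6, [], 4, 5, 10, 7),
    row("Sequencing.com", 35, 5, [], 6, 4, 6, 14),
    row("DNA Complete", 38, 4, [], 6, 10, 4, 14),
    row("MyHeritage", 42, 6, [8], 5, 5, 8, 10),
    row("AncestryDNA", 45, 8, [], 8, 8, 7, 14),
    row("FamilyTreeDNA", 55, 7, [], 18, 5, 11, 14),
    row("23andMe", 62, 10, [10], 8, 12, 8, 14),
]


def composite(r):
    """Validate every dimension against its range, then sum (scores are additive)."""
    for dim, value in r["dims"].items():
        if not 0 <= value <= CAPS[dim]:
            raise ValueError(f"{r['name']}: {dim}={value} outside 0-{CAPS[dim]}")
    for penalty in r["breaches"]:
        if not 0 <= penalty <= PER_BREACH_CAP:
            raise ValueError(f"{r['name']}: breach penalty {penalty} outside 0-10")
    return sum(r["dims"].values()) + sum(r["breaches"])


def mismatches(table):
    """Rows whose published composite differs from the recomputed sum."""
    return [(r["name"], r["published"], composite(r))
            for r in table if composite(r) != r["published"]]


def spreads(table):
    """Max minus min across companies for each dimension, breach total included."""
    out = {d: max(r["dims"][d] for r in table) - min(r["dims"][d] for r in table)
           for d in CAPS}
    totals = [sum(r["breaches"]) for r in table]
    out["breach"] = max(totals) - min(totals)
    return out


def worst_case(breaches):
    """Upper bound of the composite for a breach list: the five capped
    dimensions already sum to 100, so any breach penalty can exceed 100."""
    return sum(CAPS.values()) + sum(breaches)


if __name__ == "__main__":
    print("mismatches:", mismatches(TABLE))
    s = spreads(TABLE)
    print("widest spread:", max(s, key=s.get), s)
    print("worst case with one max-severity breach:", worst_case([10]))
```

An empty `mismatches` result means every published composite equals the sum of its row.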
Company Deep Dives
23andMe
23andMe Holding Co. — South San Francisco, CA, USA
23andMe carries the highest privacy risk score in our analysis due to a convergence of factors that are unprecedented in the consumer genomics industry. The October 2023 data breach exposed personal information of approximately 6.9 million users, according to SEC filings and reporting by Wired and TechCrunch. While raw genetic data was not directly accessed, the breach exposed ethnicity estimates, birth years, and family tree data through the DNA Relatives feature.
According to public bankruptcy filings (November 2025), 23andMe's genetic database — comprising 14 million user profiles — was identified as a key company asset. The subsequent acquisition by TTAM (Telomere-to-Mitochondria) raised congressional concern, with the House Energy and Commerce Committee requesting briefings on data transfer protections according to public committee correspondence. For a detailed analysis of 23andMe data sovereignty issues, see our 23andMe Data Sovereignty technical analysis.
Based on privacy policy analysis, 23andMe's data sharing practices included partnerships with GlaxoSmithKline (GSK) for drug target discovery, which was disclosed and opt-in. However, the combination of breach history, bankruptcy-driven asset transfer, and US jurisdiction without federal genetic privacy protections produces the highest composite score in our assessment.
Sources: 23andMe SEC filing (Oct 2023 breach disclosure), Wired "23andMe Data Breach" (Oct 2023), 23andMe Chapter 11 bankruptcy filing (Nov 2025), House Energy and Commerce Committee public correspondence (Jan 2026)
FamilyTreeDNA
Gene by Gene Ltd. — Houston, TX, USA
FamilyTreeDNA's elevated score stems primarily from its law enforcement access dimension (18/20), the highest of any company in our analysis. According to reporting by BuzzFeed News (Jan 2019), FamilyTreeDNA acknowledged allowing the FBI to search its database to identify suspects in violent crime cold cases. While this cooperation was voluntary and initially undisclosed to users, the company subsequently updated its terms of service to reflect the practice.
Based on privacy policy analysis, FamilyTreeDNA's current terms allow law enforcement to create accounts and upload DNA profiles for comparison against the user database. This is the most permissive law enforcement policy among major consumer DNA testing companies, according to our review. The company does not publish a transparency report detailing the volume or nature of law enforcement requests.
On the positive side, FamilyTreeDNA has no documented data breaches according to public records, and its third-party data sharing is limited. For more on FamilyTreeDNA's testing capabilities, see our FamilyTreeDNA review.
Sources: BuzzFeed News "FamilyTreeDNA Is Letting The FBI Use Its Database" (Jan 2019), FamilyTreeDNA Terms of Service and Privacy Policy (reviewed Mar 2026), Science magazine "Forensic genealogy" coverage (2019–2024)
AncestryDNA
Ancestry.com LLC — Lehi, UT, USA
AncestryDNA's medium risk score reflects its position as the largest consumer DNA database (27M+ users based on company reports) under US jurisdiction with private equity ownership. According to public records, Blackstone Group acquired a majority stake in Ancestry in 2020 for $4.7 billion. The scale of the database and corporate ownership structure introduce systemic risk factors.
Based on privacy policy analysis, AncestryDNA states it will comply with valid legal process including warrants and subpoenas. The company publishes a transparency report indicating it has received law enforcement requests, though the volume remains modest relative to the database size. AncestryDNA's research program (Ancestry Human Diversity Project) is opt-in, according to their current terms of service.
User-reported deletion experiences (n=85 survey respondents) indicate a 30-day stated deletion timeline, with most users reporting confirmation within the stated period. For our full analysis of AncestryDNA, see our AncestryDNA review and database size analysis.
Sources: AncestryDNA Privacy Statement (reviewed Mar 2026), AncestryDNA Transparency Report (2025), Blackstone acquisition press release (Aug 2020), user deletion survey (n=85, Feb 2026)
MyHeritage
MyHeritage Ltd. — Or Yehuda, Israel
MyHeritage's medium score is driven primarily by the 2018 data breach, which exposed email addresses and hashed passwords for approximately 92 million user accounts, according to the company's public disclosure and reporting by Ars Technica. Importantly, no genetic data or family tree content was compromised in this breach — the exposed data was limited to authentication credentials. This distinction is reflected in a breach penalty of 8/10 rather than the maximum.
Since the 2018 incident, MyHeritage has implemented two-factor authentication, engaged third-party security auditors, and established a bug bounty program, according to company blog posts and their updated security page. Based on privacy policy analysis, MyHeritage operates under Israeli data protection law (PPPA), which provides protections comparable to GDPR for EU users.
Data sharing is opt-in for research purposes according to the current privacy policy, and there are no publicly documented law enforcement partnerships. For our full review, see the MyHeritage review page.
Sources: MyHeritage breach disclosure (Jun 2018), Ars Technica "92 million MyHeritage accounts exposed" (Jun 2018), MyHeritage Privacy Policy and Security page (reviewed Mar 2026), Have I Been Pwned database entry
DNA Complete
ProPhase Labs, Inc. — Garden City, NY, USA
DNA Complete presents a mixed privacy profile. On the positive side, the company claims blockchain-based data management for genetic information, which would represent strong de-identification if implemented as described — resulting in a low de-identification weakness score (4/20). No data breaches have been publicly documented as of March 2026.
However, the third-party data sharing score (10/20) is elevated due to a class-action lawsuit alleging that ProPhase Labs shared user data with Meta, Google, and Microsoft advertising platforms without adequate consent, according to court filings. ProPhase Labs filed for Chapter 11 bankruptcy protection, which introduces uncertainty about data stewardship continuity, similar to the concerns documented in the 23andMe data sovereignty analysis.
Based on privacy policy analysis, DNA Complete's current terms describe data encryption and user-controlled sharing. The bankruptcy filing, however, means these commitments may be subject to change under new ownership. For a comparison of DNA testing providers and their privacy practices, see our DNA test privacy comparison.
Sources: ProPhase Labs SEC filings (2024–2025), class-action complaint re: data sharing (PACER, 2025), ProPhase Labs Chapter 11 filing, DNA Complete Privacy Policy (reviewed Mar 2026), BBB complaint records
Sequencing.com
Sequencing.com Corp. — USA
Sequencing.com scores in the low-medium range despite US jurisdiction, primarily because of a clean breach record and privacy-forward design. Based on privacy policy analysis, Sequencing.com positions itself as a data storage and analysis platform rather than a traditional testing company — users upload existing DNA data files, maintaining more control over their raw data.
According to their current privacy policy, data sharing with third-party app developers occurs only when explicitly authorized by the user through their app marketplace model. No law enforcement partnerships or research data sharing programs have been publicly documented. The primary risk factor is US jurisdiction (14/20), which applies uniformly to all US-based companies in the absence of federal genetic privacy legislation.
For more on Sequencing.com's capabilities, see our Sequencing.com review.
Sources: Sequencing.com Privacy Policy (reviewed Mar 2026), Sequencing.com Terms of Service, Trustpilot user reviews (2024–2026)
Dante Labs
Dante Labs S.r.l. — L'Aquila, Italy
Dante Labs benefits significantly from GDPR jurisdiction, being headquartered in Italy and subject to EU data protection regulations. Based on privacy policy analysis, Dante Labs operates under a GDPR-compliant framework that provides users with explicit rights to access, rectify, and delete their data. No data breaches have been publicly documented according to available records.
According to their current privacy policy, research data sharing is opt-in and anonymized. Dante Labs states that genetic data is stored with pseudonymization, separating identifiable information from raw genomic data. The company does not maintain any publicly documented law enforcement partnerships or cooperation agreements.
The primary risk factor is the data deletion difficulty score (10/20), reflecting user-reported experiences of lengthy deletion timelines. Community survey respondents (n=40) reported deletion confirmation times ranging from 2 to 8 weeks, with some users noting the need for multiple follow-up requests. For our full review, see the Dante Labs review page.
Sources: Dante Labs Privacy Policy (reviewed Mar 2026), GDPR compliance documentation, user deletion experience survey (n=40, Feb 2026), Trustpilot reviews (2024–2026)
Living DNA
Living DNA Ltd. — Frome, Somerset, UK
Living DNA achieves the lowest privacy risk score in our analysis. Based on privacy policy analysis, Living DNA operates under UK GDPR (retained EU law post-Brexit), providing strong data protection guarantees. The company is headquartered in Frome, Somerset, UK, and processes genetic data within UK/EU jurisdictions.
According to public records, Living DNA has no documented data breaches, no law enforcement cooperation agreements, and no third-party data sharing partnerships. Their privacy policy states that genetic data is not shared with any external parties without explicit user consent. The company's smaller scale (500K+ users based on company communications) reduces its attractiveness as a target for both data breaches and law enforcement requests.
The primary area for improvement is data deletion difficulty (8/20), where user-reported experiences indicate a functional but not instantaneous deletion process. Survey respondents (n=25) reported 1–4 week confirmation times. For our full review, see the Living DNA review page.
Sources: Living DNA Privacy Policy (reviewed Mar 2026), UK ICO registration records, user deletion experience survey (n=25, Feb 2026)
Key Takeaways
Bankruptcy is the ultimate privacy risk multiplier
Both 23andMe and DNA Complete (ProPhase Labs) demonstrate that corporate financial distress transforms genetic databases from protected assets into sellable commodities. Bankruptcy courts have broad authority to approve asset sales, potentially overriding privacy policy commitments.
GDPR jurisdiction provides measurable protection
The three lowest-scoring companies (Living DNA, Dante Labs, Sequencing.com) include two EU/UK GDPR-regulated entities. GDPR's right to deletion, data minimization requirements, and breach notification mandates produce structurally lower risk scores. See our 23andMe alternatives guide for privacy-focused alternatives.
Law enforcement access is the most polarizing dimension
FamilyTreeDNA's open cooperation with the FBI (18/20) versus Living DNA's minimal exposure (2/20) represents the widest spread of any single dimension. This reflects a genuine policy divergence rather than a data quality issue — different companies have made fundamentally different choices about law enforcement access.
Breach history creates permanent risk elevation
Our methodology assigns permanent penalty points for breaches because compromised data cannot be "un-breached." MyHeritage's 2018 breach and 23andMe's 2023 breach both continue to elevate scores regardless of subsequent security improvements. This reflects the reality that exposed data remains in circulation indefinitely.
How to Cite This Whitepaper
APA Citation
ChronosGenomics Research Team. (2026, March 15). DNA testing privacy risk scores 2026. ChronosGenomics. https://chronosgenomics.com/research/dna-privacy-risk-scores-2026
MLA Citation
ChronosGenomics Research Team. "DNA Testing Privacy Risk Scores 2026." ChronosGenomics, 15 Mar. 2026, chronosgenomics.com/research/dna-privacy-risk-scores-2026.
Chicago Citation
ChronosGenomics Research Team. "DNA Testing Privacy Risk Scores 2026." ChronosGenomics. March 15, 2026. https://chronosgenomics.com/research/dna-privacy-risk-scores-2026.
License: CC BY 4.0
This whitepaper is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0). You are free to share, adapt, and build upon this work for any purpose, even commercially, as long as you provide attribution to ChronosGenomics Research Team.
Sources & References
Privacy Policies (reviewed February–March 2026)
- 23andMe Privacy Statement — https://www.23andme.com/about/privacy/
- AncestryDNA Privacy Statement — https://www.ancestry.com/cs/legal/privacystatement
- MyHeritage Privacy Policy — https://www.myheritage.com/privacy-policy
- FamilyTreeDNA Privacy Policy — https://www.familytreedna.com/legal/privacy-statement
- Living DNA Privacy Notice — https://livingdna.com/privacy-notice
- Dante Labs Privacy Policy — https://www.dantelabs.com/pages/privacy-policy
- Sequencing.com Privacy Policy — https://sequencing.com/privacy-policy
- DNA Complete / ProPhase Labs Privacy Policy — https://www.dnacomplete.com/privacy
Data Breach Records
- Have I Been Pwned — MyHeritage breach entry (Jun 2018, 92M records)
- 23andMe SEC Form 8-K — Material data breach disclosure (Oct 2023, 6.9M users)
- Wired — "23andMe's Data Breach Keeps Spiraling" (Dec 2023)
- Ars Technica — "92 million MyHeritage accounts exposed in massive data breach" (Jun 2018)
Law Enforcement & Legal Proceedings
- BuzzFeed News — "FamilyTreeDNA Is Letting The FBI Use Its Database To Catch Criminals" (Jan 2019)
- Science magazine — "Forensic genealogy leads to high-profile arrests" (2019–2024, multiple articles)
- U.S. House Energy and Commerce Committee — Public correspondence re: 23andMe data transfer protections (Jan 2026)
- House Oversight Committee — Hearing testimony on consumer genetic data protections (2024)
- ProPhase Labs class-action complaint — Allegations of undisclosed data sharing with Meta, Google, Microsoft (PACER, 2025)
Regulatory & Corporate Filings
- 23andMe Chapter 11 bankruptcy filing (Nov 2025)
- ProPhase Labs Chapter 11 bankruptcy filing (2025)
- Blackstone Group — Ancestry.com acquisition press release ($4.7B, Aug 2020)
- AncestryDNA Transparency Report (2025)
- NPR — "23andMe is bankrupt. Here's how to get your DNA data deleted" (Nov 2025)
User Surveys & Community Data
- Reddit r/Genealogy data deletion experience survey (n=300+, Feb–Mar 2026)
- Trustpilot company reviews — 23andMe, Dante Labs, Sequencing.com, MyHeritage (2024–2026)
- BBB complaint records — ProPhase Labs / DNA Complete (2024–2025)
- Genetic Genealogy Tips & Techniques Facebook group — community discussions (50K members)
Disclosure: ChronosGenomics is an independent intelligence aggregation platform. We do not accept payment from DNA testing companies for placement or scoring. Some pages on this site contain affiliate links; this research whitepaper does not. Privacy risk scores are based solely on publicly available information as described in our methodology. For questions about this research, contact us.