Photo by National Cancer Institute on Unsplash
In the last decade, millions of Americans mailed saliva samples to companies like 23andMe and Ancestry.com, eager to learn their ethnic roots or disease risks. But as one high-profile consumer genomics company enters bankruptcy and its DNA database is auctioned off, a pressing question has come into sharp focus: Who actually owns your DNA, you, the company you gave it to, or someone else entirely?
At the surface level, companies like 23andMe insist that you retain ownership of your genetic data and can control how it is used. That data includes the digital code representing your genes, which the company strips of personally identifying details if you opt into research. According to the company, this anonymized information is pooled with other participant data to support scientific studies, but only with your explicit consent. Customers can decline research participation or revoke consent later.
Yet the legal and practical reality is more complicated. When you agree to a direct-to-consumer DNA test, you sign terms of service and consent forms that govern how your data may be used, stored, and shared. These legal agreements often grant the company a license to host, process, analyze, and even transfer your genetic information for research and product development. While this is not the same as full ownership in the strictest sense, it gives companies broad rights over your DNA data beyond simply providing you with test results.
One reason this matters now more than ever is the recent bankruptcy of 23andMe. In 2025, the company filed for Chapter 11 protection amid financial struggles and a significant data breach. The bankruptcy process raised alarms among lawmakers and privacy advocates because genetic data, the company’s most valuable asset, could be transferred to a new owner.
In response, the U.S. House Committee on Oversight and Government Reform held hearings about the future of Americans’ genetic information. Members voiced concerns about what would happen if control of millions of DNA profiles fell into the hands of companies with different priorities or into jurisdictions with weaker privacy protections. The debate highlighted a gap in federal law: unlike medical records held by doctors or hospitals, DNA data collected by consumer genetic testing companies is not fully protected under the Health Insurance Portability and Accountability Act (HIPAA).
In theory, this legal structure leaves room for change. Consumers may have the right to request access to their data, opt out of research, or even request that their DNA sample and digital information be deleted. In practice, however, withdrawing consent can be complicated, especially once data has already been used in research or shared with third parties under the original agreement. If a company changes ownership, even strong privacy policies may shift under new management or legal frameworks.
The most striking part of this situation is how little the average person considers these implications before taking a test. For many, consumer DNA testing starts as a fun way to learn if they have ancestry from a distant place or if they carry a gene linked to a health condition. Few pause to read technical privacy policies, much less weigh the possibility that their genetic blueprint could outlive the company that analyzed it, legally moving into the control of another entity altogether.
Genetic data is not just interesting trivia about ancestry; it is a permanent record of who you are at the most fundamental biological level. If misused, this information could have serious consequences. Insurers could, in theory, use genetic information to deny coverage or increase premiums. Employers could discriminate based on disease risk, even though laws like GINA (Genetic Information Nondiscrimination Act) exist to prevent this, loopholes remain. Law enforcement or third-party companies could combine anonymized DNA with other datasets to re-identify individuals. Finally, genetic data can be sold to pharmaceutical companies or research labs, creating profit for corporations while leaving individuals with little control or benefit.
Misuse is not hypothetical. In 2019, law enforcement used a public genealogy database to identify the Golden State Killer, highlighting both the power and the privacy risks of shared DNA data. As more DNA becomes digitized and aggregated in corporate hands, the potential for breaches, hacking, or corporate exploitation grows. Consumers who do not understand the stakes risk exposing themselves, their relatives, and even future generations to privacy violations that cannot be undone. Awareness and caution are essential because once your DNA is out there, it is effectively permanent and extremely difficult to retract.
Some countries have begun debating stronger genetic privacy laws, but in the United States, the regulatory framework remains piecemeal. California has passed protections that allow residents to request deletion of their DNA data and restrict certain uses, but there is no comprehensive federal law governing all aspects of consumer genetic information.
At its core, the question of DNA ownership is a clash between biological reality and legal frameworks created for the digital age. Biologically, your DNA is a unique record of who you are. Legally, once you send a sample to a company under a contract, parts of that code can be licensed, analyzed, and stored in ways you might not fully understand, potentially indefinitely and possibly under future ownership. As consumer genetic testing grows and evolves, so too must our conversations about consent, privacy, and what it really means to own your DNA in the 21st century.
Be First to Comment