What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This policy engages GDPR and UK GDPR for EU and UK residents (with Ancestry Ireland UC designated as the EU data controller and Ancestry.com Operations Inc. as the UK controller), CCPA and CPRA for California residents, and references compliance with state-level genetic privacy laws including Illinois GIPA and Texas CUBI. The handling of genetic data also engages the Genetic Information Nondiscrimination Act at the federal level and may require evaluation under various…

How does Ancestry's Ancestry Privacy Statement affect users?

The document establishes that genetic data submitted to Ancestry may be applied to product development and scientific research activities without separate consent for the former, with separate opt-in consent required for the latter. The terms specify that deletion of user accounts or raw DNA samples does not remove genetic information already incorporated into aggregate research datasets. Users operate under provisions permitting management of consent elections and raw DNA deletion requests thr…

How often is Ancestry's Ancestry Privacy Statement updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Ancestry updates this document?

Yes. Watcher subscribers ($9.99/month) can add Ancestry to their watchlist and receive same-day email alerts whenever this document or any other Ancestry document changes.

CA-D-000224

Ancestry Privacy Statement

Ancestry

Last change detected May 13, 2026 Privacy policy

SHA-256: 21f90bd97c69ddd935f… 4 versions captured 3 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Ancestry ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

3 High severity

3 Medium severity

2 Low severity

Summary

This privacy statement establishes Ancestry's data collection, use, and retention practices for personal information and genetic data submitted through its genealogy platform and DNA testing services. The statement authorizes Ancestry to use genetic data for product development and, with separate user consent, for scientific research purposes, and specifies that aggregate research dataset contributions remain in use following individual account or DNA deletion requests. Users may manage DNA data preferences, research consent elections, and marketing communications through account settings or by submitting deletion requests to Ancestry's support team.

Technical / Legal Breakdown

This document is Ancestry's global Privacy Statement, governing the collection, use, sharing, and retention of personal data across Ancestry's family history, DNA testing, and related services, with its legal basis varying by jurisdiction (consent, legitimate interests, and contractual necessity under GDPR; various state law bases in the US). The policy states that Ancestry collects a broad range of data types including name, contact details, family tree information, payment data, communications, device and usage data, and — most significantly — genetic data from DNA testing kits, and the terms authorize sharing of this information with service providers, business partners, affiliated companies, and in connection with corporate transactions such as mergers or acquisitions. The treatment of genetic and health-related data is operationally distinct: the policy asserts that DNA data is used for genealogy matching, product improvement, and — with separate explicit consent — research purposes, but users who have submitted DNA samples retain a meaningful deletion right, though the policy states that deletion of raw DNA data does not affect results already incorporated into aggregate research datasets. The policy engages GDPR and UK GDPR for EU and UK residents respectively, CCPA and CPRA for California residents, and references compliance with various US state biometric and genetic privacy laws; the handling of genetic data intersects with sector-specific frameworks including the Genetic Information Nondiscrimination Act (GINA) and state-level genetic privacy statutes. Compliance teams should note that the policy's description of data sharing with research partners under a separate consent model, combined with the carve-out preserving aggregate research contributions after individual deletion, warrants careful evaluation under GDPR data minimization and purpose limitation principles and applicable US genetic privacy regimes.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

3 important changes detected

4 versions captured · Last updated: May 2026

May 13, 2026

medium

What changed Ancestry updated its Privacy Statement on May 13, 2026, making 46 sentence additions, 52 removals, and 54 modifications across the document. Key operational changes include: clarification of permitted and prohibited uses of services; updated language about photo grouping features requiring express consent; addition of SMS messaging references for future opt-in communications; reorganization of brand coverage under a 'Related Brands' structure rather than listing specific brands; and removal of references to uploaded DNA data in the account creation section. The effective date changed from August 21, 2024 to May 12, 2026.

Why this matters The updated Privacy Statement clarifies what uses of Ancestry services are permitted and prohibited, establishes that photo face-grouping in your gallery requires your express consent, and introduces SMS messaging as a communication channel for future opt-in communications. The statement now covers Ancestry, AncestryDNA, and Related Brands under a unified framework while noting that other services operated by the company use separate privacy statements. The removal of 'uploaded DNA data' from the account creation section reflects a narrowing of that specific provision's scope, though genetic information processing remains described elsewhere in the policy. You can review the full updated statement to understand how your personal information will be processed and manage your communication preferences when SMS opt-ins become available.

View full change record →

May 6, 2026

low

What changed Ancestry updated the navigation menu and footer layout of its Privacy Statement on May 6, 2026. The changes reorganized how certain links are presented—moving 'About Us' into the footer, reordering some menu items, and adding a 'Do Not Sell or Share My Personal Information' link in the footer. These are structural and presentational updates to how privacy-related information and opt-out options are accessed, not changes to the actual privacy rights or data practices described in the statement itself.

Why this matters This change makes it easier to find and exercise your right to opt out of data sales or sharing under California privacy law. The 'Do Not Sell or Share My Personal Information' link is now prominently placed in the footer of Ancestry's Privacy Statement, rather than being buried elsewhere. You can click this link from the privacy page directly to manage your data sale preferences.

View full change record →

May 1, 2026 medium

Ancestry removed a reference to 'Do Not Sell or Share My Personal Information' from the footer links in their privacy statement as of May 1, 2026. This link previously connected …

View change record →

High — 3 provisions

DNA and Genetic Data Collection and Use Compare →

Ancestry collects your saliva and DNA data when you use a DNA kit, uses it to generate ancestry results, and may use or share it for research purposes if you separately consent to that.

Added May 10, 2026 Standard Seen across 246 platforms
Aggregate Research Data Persistence After Deletion Compare →

Even if you delete your DNA data or close your Ancestry account, any contributions your genetic data has already made to aggregate research datasets will not be removed.

Added May 10, 2026 Standard Seen across 223 platforms
Third-Party Data Sharing with Research Partners Compare →

If you opt into research, Ancestry may share your genetic data with outside research organizations. These partners are contractually required to keep it confidential and use it only for the stated research purpose.

Added May 10, 2026 Standard Seen across 246 platforms

Medium — 3 provisions

Data Sharing in Corporate Transactions Compare →

If Ancestry is bought, merged, or sold, your personal data — including genetic information — may transfer to the new owner, though Ancestry commits to notifying you and giving you an opt-out opportunity.

Added May 10, 2026 Standard Seen across 246 platforms
California Privacy Rights (CCPA/CPRA) Compare →

California residents have specific legal rights to access, delete, correct, and limit use of their personal data, and to opt out of data sales or sharing, exercisable through Ancestry's Privacy Center.

Added May 10, 2026 Standard Seen across 262 platforms
Data Sharing with Third-Party Service Providers and Partners Compare →

Ancestry shares your personal data with outside companies that help run its services (such as payment processors and marketing vendors) and with business partners offering related products.

Added May 10, 2026 Standard Seen across 246 platforms

Low — 2 provisions

Children's Privacy and Age Restrictions Compare →

Ancestry's services are not intended for children under 13, and Ancestry states it does not knowingly collect data from children under 13 without parental consent.

Added May 10, 2026 Standard Seen across 262 platforms
GDPR Rights for EU and UK Users Compare →

EU and UK users have legal rights to access, correct, delete, and port their data, and to object to certain processing. They can also complain to their local data protection authority.

Added May 10, 2026 Standard Seen across 262 platforms