What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages GDPR (EU and UK) for users in those jurisdictions, citing consent and legitimate interests as legal bases for processing; the CCPA and California Privacy Rights Act (CPRA) for California residents, including opt-out of sale and sharing of personal information; the California Genetic Information Privacy Act (GIPA) with respect to DNA data collection and research use; and general FTC Act consumer protection principles for US users broadly. The FTC is the …

How does Ancestry's Ancestry Privacy Statement affect users?

The agreement establishes that Ancestry collects genetic data through AncestryDNA in addition to standard identifiers, browsing activity, and family history content, and authorizes use of DNA data for research purposes subject to a separate consent layer described in the AncestryDNA Terms and Conditions. Under these terms, personal data including contact information, device data, and usage history is shared with advertising, analytics, and research partners, and Ancestry states it may share dat…

How often is Ancestry's Ancestry Privacy Statement updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Ancestry updates this document?

Yes. Monitor subscribers ($19/month) can add Ancestry to their watchlist and receive same-day email alerts whenever this document or any other Ancestry document changes.

CA-D-000224

Ancestry Privacy Statement

Ancestry

Last change detected June 13, 2026 Privacy policy

SHA-256: 64822b9fd1d40085b9a… 6 versions captured 4 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Ancestry ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

6 Total

2 High severity

4 Medium severity

0 Low severity

Summary

This is Ancestry's Privacy Statement, covering how the company collects and uses personal data across its genealogy research platform, DNA testing service (AncestryDNA), and associated apps and websites. Ancestry states it collects genetic data, family tree content, contact and payment information, device identifiers, browsing activity, and location-related data, and authorizes sharing this information with service providers, advertising and analytics partners, and research institutions, with DNA data subject to separate consent for research participation. California residents and EU/UK users are provided specific rights including the ability to request deletion of personal data, opt out of the sale or sharing of personal information, and in the case of DNA data, separately withdraw consent for research use through the AncestryDNA settings.

Technical / Legal Breakdown

This document is Ancestry's Privacy Statement governing the collection, use, sharing, and retention of personal information across Ancestry's genealogy, DNA testing, and related digital services, with stated legal bases including consent, contractual necessity, and legitimate interests depending on jurisdiction. The agreement states that Ancestry collects a broad range of data including name, contact information, payment details, family tree content, communications, device identifiers, browsing and clickstream activity, IP addresses, and genetic data submitted through AncestryDNA, and authorizes use of this data for product delivery, personalization, advertising, research, and sharing with third-party service providers, business partners, and affiliated companies. The collection and processing of genetic and health-related data represents an operationally distinct element of this policy relative to standard consumer digital services, as the agreement asserts rights to store, analyze, and share DNA data with research partners, subject to separate consent mechanisms described in the AncestryDNA Terms and Conditions; the agreement's asserted authority over such sensitive biological data may interact with state-level genetic privacy statutes and federal frameworks in ways that applicable law may constrain. The policy engages GDPR for EU and UK users, CCPA and California Genetic Information Privacy Act for California residents, and general FTC Act consumer protection principles applicable to US users; jurisdiction-specific rights including access, deletion, portability, correction, and opt-out of sale or sharing of personal information are disclosed with region-specific mechanisms, though the practical enforceability of certain cross-border data transfer provisions and research consent terms depends on evolving regulatory guidance.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

4 important changes detected

6 versions captured · Last updated: June 2026

June 2, 2026

unknown

What changed Ancestry updated their Ancestry Privacy Statement on June 02, 2026. Change detected: 1 sentence(s) modified. Document contained 348 sentences after update.

View full change record →

May 13, 2026

medium

What changed Ancestry updated its Privacy Statement on May 13, 2026, making 46 sentence additions, 52 removals, and 54 modifications across the document. Key operational changes include: clarification of permitted and prohibited uses of services; updated language about photo grouping features requiring express consent; addition of SMS messaging references for future opt-in communications; reorganization of brand coverage under a 'Related Brands' structure rather than listing specific brands; and removal of references to uploaded DNA data in the account creation section. The effective date changed from August 21, 2024 to May 12, 2026.

Why this matters The updated Privacy Statement clarifies what uses of Ancestry services are permitted and prohibited, establishes that photo face-grouping in your gallery requires your express consent, and introduces SMS messaging as a communication channel for future opt-in communications. The statement now covers Ancestry, AncestryDNA, and Related Brands under a unified framework while noting that other services operated by the company use separate privacy statements. The removal of 'uploaded DNA data' from the account creation section reflects a narrowing of that specific provision's scope, though genetic information processing remains described elsewhere in the policy. You can review the full updated statement to understand how your personal information will be processed and manage your communication preferences when SMS opt-ins become available.

View full change record →

May 6, 2026 low

Ancestry updated the navigation menu and footer layout of its Privacy Statement on May 6, 2026. The changes reorganized how certain links are presented—moving 'About Us' into the footer, reordering …

View change record →

May 1, 2026 medium

Ancestry removed a reference to 'Do Not Sell or Share My Personal Information' from the footer links in their privacy statement as of May 1, 2026. This link previously connected …

View change record →

Recent Provision Changes Jun 2, 2026

Added (3)

Third-Party Data Sharing with Advertising and Analytics Partners High

This expands data sharing scope to explicitly include advertising and analytics partners and allows third-party ad companies direct collection of activity data, significantly broadening monetization of user information.

Collection of Device Identifiers, Browsing Activity, and Location Data Medium

Newly detailed provision explicitly documenting automatic collection of tracking data across multiple categories that could enable comprehensive user profiling beyond genetic ancestry services.

Data Retention After Account Closure Medium

New provision with vague 'legitimate business purposes' language allows indefinite retention post-deletion, weakening user control over personal data.

Removed (5)

Aggregate Research Data Persistence After Deletion

Explicit acknowledgment of research data persistence was removed, potentially obscuring the permanent incorporation of user data into research despite deletion requests.

Third-Party Data Sharing with Research Partners

Removal of explicit confidentiality requirements for research partners and the reassurance that DNA data is not sold to third parties diminishes user protections and transparency around research sharing.

Children's Privacy and Age Restrictions

Removal of COPPA compliance provisions and deletion procedures for children's data weakens legal protections for minors.

GDPR Rights for EU and UK Users

Removal of explicit GDPR/UK GDPR rights provisions eliminates detailed disclosure of European privacy protections and data controller identification.

Data Sharing with Third-Party Service Providers and Partners

This detailed provision specifying service provider obligations and limitation of use was replaced with vaguer language in the advertising/analytics section, reducing contractual clarity around data protection.

Modified (3)

Genetic Data Collection and Research Use

Removed specific mention of saliva sample collection and destruction rights; expanded to include health conditions and physical traits; shifted from 'choose to participate' to 'opted in to our research program'.

Corporate Transaction Data Transfer

Removed notification requirement, opportunity to opt out, and disclosure of changes to privacy policy; significantly weakened user protections in corporate transactions.

Jurisdiction-Specific Deletion and Opt-Out Rights

Generalized California-specific CCPA/CPRA rights into jurisdiction-dependent language; removed explicit mention of the right to know what is collected/disclosed, right to limit sensitive data use, and removal of specific toll-free number contact method.

View full change record →

High — 2 provisions

Genetic Data Collection and Research Use Compare →

Ancestry collects DNA samples submitted through AncestryDNA and analyzes them to generate ethnicity estimates and genetic relative matches. Users who opt in to the research program consent to their DNA data and associated health or trait information being used for research and shared with third-party research partners.

Added May 20, 2026 Standard Seen across 284 platforms
Third-Party Data Sharing with Advertising and Analytics Partners Compare →

Ancestry authorizes sharing of user information with third-party vendors for fraud prevention, payment processing, advertising, and analytics, and permits third-party advertising companies to collect user activity data from Ancestry's services for targeted advertising purposes.

Added May 20, 2026 Standard Seen across 252 platforms

Medium — 4 provisions

Data Retention After Account Closure Compare →

Ancestry states it retains personal information for the duration necessary to provide services and meet legal obligations, and may continue retaining certain data after account closure for legal compliance and business purposes.

Added May 20, 2026 Standard Seen across 284 platforms
Corporate Transaction Data Transfer Compare →

Ancestry states that personal information, including potentially genetic data and family history content, may be transferred to a third party in the event of a corporate transaction such as a merger, acquisition, or asset sale.

Added May 20, 2026 Standard Seen across 252 platforms
Jurisdiction-Specific Deletion and Opt-Out Rights Compare →

Ancestry discloses that users in certain jurisdictions, particularly California residents and EU and UK users, have legal rights including access, correction, deletion, and opt-out of sale or sharing of personal information, and describes mechanisms for exercising these rights.

Added May 20, 2026 Standard Seen across 284 platforms
Collection of Device Identifiers, Browsing Activity, and Location Data Compare →

Ancestry states it automatically collects device identifiers including IP addresses and cookie identifiers, browsing and clickstream activity, search terms, pages visited, and IP-derived general location data from users of its services.

Added May 20, 2026 Standard Seen across 284 platforms