Even if you delete your DNA data or close your Ancestry account, any contributions your genetic data has already made to aggregate research datasets will not be removed.
This analysis describes what Ancestry's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This carve-out means that deletion of your DNA data is not complete erasure — your genetic information may persist in research databases in aggregated form. This has particular significance for users who later change their mind about research participation.
Interpretive note: Whether the aggregate data retained meets the legal threshold for anonymization or de-identification under GDPR and applicable US law is not determinable from the policy text alone and depends on Ancestry's technical implementation.
The updated Privacy Statement no longer displays a dedicated 'Do Not Sell or Share My Personal Information' link in the footer, which was previously accessible to California residents under CCPA requirements. This link allowed users to exercise data-sharing opt-out rights. The footer now lists 'Consumer Health Privacy' as a separate item but does not explicitly direct users to their CCPA controls. California residents may need to locate their opt-out rights through alternative navigation paths on the Ancestry site.
View change record →The updated Privacy Statement clarifies what uses of Ancestry services are permitted and prohibited, establishes that photo face-grouping in your gallery requires your express consent, and introduces SMS messaging as a communication channel for future opt-in communications. The statement now covers Ancestry, AncestryDNA, and Related Brands under a unified framework while noting that other services operated by the company use separate privacy statements. The removal of 'uploaded DNA data' from the account creation section reflects a narrowing of that specific provision's scope, though genetic information processing remains described elsewhere in the policy. You can review the full updated statement to understand how your personal information will be processed and manage your communication preferences when SMS opt-ins become available.
View change record →California residents lose direct navigation to the CCPA-mandated 'Do Not Sell or Share My Personal Information' disclosure page from Ancestry's privacy footer. While California law requires the company to honor data sale opt-out requests, removing the link reduces visibility and accessibility of this right. California residents can locate this right by searching Ancestry's website or contacting the company directly, but the removal creates an additional barrier to exercising a legally protected option.
View change record →Explicit acknowledgment of research data persistence was removed, potentially obscuring the permanent incorporation of user data into research despite deletion requests.
View full change record →Requesting deletion of your DNA removes your individual results and raw data, but data already incorporated into research aggregates persists. This limitation means consumers should carefully consider their research consent decision before agreeing, as it cannot be fully reversed.
How other platforms handle this
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Ancestry has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Please note that if you request deletion of your DNA data or close your account, we may retain de-identified or aggregated data that does not identify you and that has been incorporated into research or product development. Deletion of your DNA data means we will delete your DNA results, ethnicity estimate, and raw DNA data file from our systems, but data that has already been incorporated into research may not be fully removable.— Excerpt from Ancestry's Ancestry Privacy Statement
(1) REGULATORY LANDSCAPE: This provision engages GDPR Article 17 (right to erasure), which permits retention of de-identified aggregate data but requires that data be genuinely de-identified to a standard where re-identification is not reasonably possible. The European Data Protection Board has issued guidance on anonymization standards that applies here. For California residents, CPRA Section 1798.105 governs deletion rights and includes exceptions for certain research uses. (2) GOVERNANCE EXPOSURE: High. The assertion that aggregate research data persists after deletion is legally permissible under both GDPR and CCPA only if the data is genuinely anonymous or de-identified. Given the sensitivity of genetic data and the known risks of genetic re-identification from aggregate datasets, this carve-out warrants careful technical and legal scrutiny. The FTC has taken enforcement positions on claims of de-identification that prove inadequate in practice. (3) JURISDICTION FLAGS: EU/EEA users have the strongest grounds to challenge this provision if the aggregate data is not demonstrably anonymous under GDPR standards. California residents may have rights under CPRA to contest research exceptions. Illinois and other states with genetic privacy laws may impose additional constraints on retention of aggregate genetic data post-deletion request. (4) CONTRACT AND VENDOR IMPLICATIONS: If research partner contracts permit partners to retain aggregate data after the user's deletion request, those agreements should be audited to ensure the data shared meets applicable anonymization standards and that partner data processing is consistent with user rights assertions in the policy. (5) COMPLIANCE CONSIDERATIONS: Legal and technical teams should document and verify the anonymization methodology applied to research aggregate data to ensure it meets GDPR and applicable US legal standards. A data flow map covering the research data lifecycle, from individual consent through aggregation and post-deletion persistence, is advisable. Consent language presented to users at the point of research opt-in should clearly disclose this persistence limitation.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This carve-out means that deletion of your DNA data is not complete erasure — your genetic information may persist in research databases in aggregated form. This has particular significance for users who later change their mind about research participation.
Requesting deletion of your DNA removes your individual results and raw data, but data already incorporated into research aggregates persists. This limitation means consumers should carefully consider their research consent decision before agreeing, as it cannot be fully reversed.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Ancestry.