If Ancestry is bought, merged, or sold, your personal data — including genetic information — may transfer to the new owner, though Ancestry commits to notifying you and giving you an opt-out opportunity.
This analysis describes what Ancestry's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
A corporate acquisition could result in your genetic and family history data being controlled by a different company with different privacy practices, making the opt-out opportunity described here particularly important for sensitive data categories.
Interpretive note: The policy does not specify the timeline or mechanism for the opt-out in a corporate transaction scenario, and whether an opt-out is legally sufficient (versus a fresh consent requirement) for genetic data under GDPR is not resolved by the policy text.
The updated Privacy Statement no longer displays a dedicated 'Do Not Sell or Share My Personal Information' link in the footer, which was previously accessible to California residents under CCPA requirements. This link allowed users to exercise data-sharing opt-out rights. The footer now lists 'Consumer Health Privacy' as a separate item but does not explicitly direct users to their CCPA controls. California residents may need to locate their opt-out rights through alternative navigation paths on the Ancestry site.
View change record →The updated Privacy Statement clarifies what uses of Ancestry services are permitted and prohibited, establishes that photo face-grouping in your gallery requires your express consent, and introduces SMS messaging as a communication channel for future opt-in communications. The statement now covers Ancestry, AncestryDNA, and Related Brands under a unified framework while noting that other services operated by the company use separate privacy statements. The removal of 'uploaded DNA data' from the account creation section reflects a narrowing of that specific provision's scope, though genetic information processing remains described elsewhere in the policy. You can review the full updated statement to understand how your personal information will be processed and manage your communication preferences when SMS opt-ins become available.
View change record →California residents lose direct navigation to the CCPA-mandated 'Do Not Sell or Share My Personal Information' disclosure page from Ancestry's privacy footer. While California law requires the company to honor data sale opt-out requests, removing the link reduces visibility and accessibility of this right. California residents can locate this right by searching Ancestry's website or contacting the company directly, but the removal creates an additional barrier to exercising a legally protected option.
View change record →In the event of a corporate transaction, your personal and genetic data may pass to a new owner. The policy commits to notifying you and providing an opt-out, but the window and method for exercising that opt-out are not specified in the policy text.
How other platforms handle this
By using our Services, you agree to be bound by this Privacy Policy.
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Ancestry has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If we are involved in a merger, acquisition, bankruptcy, reorganization, dissolution, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you (by email or notice on our website) of any change in ownership or uses of your personal information, and you will be given the opportunity to opt out before your personal information becomes subject to a different privacy policy.— Excerpt from Ancestry's Ancestry Privacy Statement
(1) REGULATORY LANDSCAPE: Transfer of personal data in corporate transactions engages GDPR Article 6 (lawful basis for processing by the new controller) and may require fresh consent for special category data under Article 9 if the acquiring entity's purposes differ from Ancestry's. FTC guidance on data assets in transactions and relevant state consumer protection laws also apply. The FTC has previously scrutinized data transfers in corporate transactions involving sensitive personal data. (2) GOVERNANCE EXPOSURE: Medium. The policy's commitment to notification and opt-out opportunity is a consumer-protective provision, but the absence of specified timelines or methods for the opt-out creates operational ambiguity. For genetic data specifically, the adequacy of an opt-out (as opposed to a fresh consent requirement) may be contested under GDPR Article 9 in EU jurisdictions. (3) JURISDICTION FLAGS: EU/EEA users have the strongest protections: an acquirer processing special category genetic data would need a fresh explicit consent basis under GDPR if processing purposes change. California residents have CPRA notice rights. All users are affected by this provision given the breadth of data Ancestry holds. (4) CONTRACT AND VENDOR IMPLICATIONS: Due diligence teams in any M&A transaction involving Ancestry should assess the genetic data asset, associated consent records, research partner agreements, and regulatory obligations that would transfer with the business. The policy's opt-out commitment creates a post-transaction operational obligation for the acquirer. (5) COMPLIANCE CONSIDERATIONS: Legal teams should assess whether the opt-out model described is sufficient for all data categories under applicable law, particularly for genetic and health-adjacent data under GDPR Article 9. A pre-transaction assessment of consent records and their portability is advisable.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
A corporate acquisition could result in your genetic and family history data being controlled by a different company with different privacy practices, making the opt-out opportunity described here particularly important for sensitive data categories.
In the event of a corporate transaction, your personal and genetic data may pass to a new owner. The policy commits to notifying you and providing an opt-out, but the window and method for exercising that opt-out are not specified in the policy text.
ConductAtlas has identified this type of provision across 10 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Ancestry.