Ancestry collects DNA samples submitted through AncestryDNA and analyzes them to generate ethnicity estimates and genetic relative matches. Users who opt in to the research program consent to their DNA data and associated health or trait information being used for research and shared with third-party research partners.
This analysis describes what Ancestry's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes a two-tier consent structure for DNA data: baseline collection required for service delivery and an optional research consent layer governing use and external sharing of genetic and health information. Compliance review should confirm the research consent mechanism satisfies requirements for explicit, specific, and withdrawable consent under applicable genetic privacy and data protection frameworks.
Interpretive note: The precise scope of the research consent mechanism and whether it satisfies GDPR Article 9 explicit consent standards is not fully determinable from the policy text alone; the AncestryDNA Terms and Conditions govern the specific consent flow.
The updated Privacy Statement clarifies what uses of Ancestry services are permitted and prohibited, establishes that photo face-grouping in your gallery requires your express consent, and introduces SMS messaging as a communication channel for future opt-in communications. The statement now covers Ancestry, AncestryDNA, and Related Brands under a unified framework while noting that other services operated by the company use separate privacy statements. The removal of 'uploaded DNA data' from the account creation section reflects a narrowing of that specific provision's scope, though genetic information processing remains described elsewhere in the policy. You can review the full updated statement to understand how your personal information will be processed and manage your communication preferences when SMS opt-ins become available.
View change record →California residents lose direct navigation to the CCPA-mandated 'Do Not Sell or Share My Personal Information' disclosure page from Ancestry's privacy footer. While California law requires the company to honor data sale opt-out requests, removing the link reduces visibility and accessibility of this right. California residents can locate this right by searching Ancestry's website or contacting the company directly, but the removal creates an additional barrier to exercising a legally protected option.
View change record →Removed specific mention of saliva sample collection and destruction rights; expanded to include health conditions and physical traits; shifted from 'choose to participate' to 'opted in to our research program'.
View full change record →Under this provision, submitting a DNA sample to AncestryDNA results in collection and retention of genetic data for service purposes; users who separately opt in to research participation authorize Ancestry to use and share that genetic and health information with third-party research partners. Users can withdraw research consent through AncestryDNA account settings without affecting their access to genealogy matching features.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Ancestry has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"When you use AncestryDNA, we collect the DNA you provide and the results of our analysis of your DNA. We may also collect other information about you in connection with the AncestryDNA service, such as information about health conditions or physical traits... If you have opted in to our research program, we may use your DNA data and any health and trait information you've provided for research purposes, including sharing with third-party research partners.— Excerpt from Ancestry's Ancestry Privacy Statement
REGULATORY LANDSCAPE: Collection and research use of genetic data implicates GDPR Article 9 (special category data requiring explicit consent), the California Genetic Information Privacy Act, and potentially state-level genetic privacy statutes in Illinois, Maryland, and other jurisdictions with standalone genetic data protections. The FTC has enforcement authority over deceptive or unfair practices related to health and genetic data in the US. EU and UK data protection authorities enforce GDPR Article 9 compliance for EU and UK users. GOVERNANCE EXPOSURE: High. Genetic data is among the most sensitive categories of personal information under both GDPR and US state law. The layered consent structure (service-required collection plus optional research consent) must demonstrably satisfy specificity, granularity, and revocability standards. Any deficiency in the research consent mechanism could expose Ancestry to enforcement action by EU supervisory authorities or state attorneys general. JURISDICTION FLAGS: EU and UK users are subject to GDPR Article 9 explicit consent requirements for processing genetic data. California users have rights under both the CPRA and the California Genetic Information Privacy Act. Illinois, Maryland, and Alaska have enacted or proposed genetic privacy statutes that may impose additional restrictions on third-party sharing of genetic data. Research partner sharing may trigger additional cross-border transfer obligations for EU user data. CONTRACT AND VENDOR IMPLICATIONS: Third-party research partners receiving DNA and health data must be assessed as data processors or independent controllers under GDPR, which affects the required contractual instruments. Procurement and vendor management teams should verify data processing agreements or data sharing agreements with research partners include appropriate protections, deletion obligations, and use limitations consistent with the consent scope granted by users. COMPLIANCE CONSIDERATIONS: Compliance teams should audit the research consent flow to confirm it meets GDPR Article 9 explicit consent standards, document the mechanism by which consent withdrawal is operationalized and propagated to research partners, and confirm data subject request workflows for genetic data deletion are technically implemented and not merely disclosed. Data mapping should reflect genetic data as a distinct special category with its own retention, access, and sharing controls.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes a two-tier consent structure for DNA data: baseline collection required for service delivery and an optional research consent layer governing use and external sharing of genetic and health information. Compliance review should confirm the research consent mechanism satisfies requirements for explicit, specific, and withdrawable consent under applicable genetic privacy and data protection frameworks.
Under this provision, submitting a DNA sample to AncestryDNA results in collection and retention of genetic data for service purposes; users who separately opt in to research participation authorize Ancestry to use and share that genetic and health information with third-party research partners. Users can withdraw research consent through AncestryDNA account settings without affecting their access to genealogy matching features.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Ancestry.