It’s an incredibly compelling idea: For a couple hundred bucks and a little bit of saliva, you can learn things about your ancestry and health that you may never have imagined.

That’s the promise that’s made DNA testing companies such as 23andMe and Ancestry.com so wildly popular. Since these firms opened for business a decade ago, some three million consumers have tested their DNA to learn the secrets of who they are and where they came from.

With these tests, people have discovered everything from an unknown heritage, to family secrets, to genetic predisposition to diseases such as breast or ovarian cancer, Parkinson’s disease or late-onset Alzheimer’s.

But shedding light on all this information brings up a darker question, too: If you make your health-related genetic information available to a third party, how does that impact your privacy?

“We worry about this in the privacy space,” says Jennifer King, director of consumer privacy at the Center for Internet and Society Stanford Law School. “Your DNA is uniquely identifiable, it’s what makes you, you.  This gets into a whole new realm of privacy concerns.” 

Here’s what you need to know before you spit in a tube or swab your cheek.  

Laws and loopholes

First, the good news: In theory, at least, the law prohibits health insurers from using data from direct-to-consumer genetic tests to deny coverage. It also bars employers from using genetic information to hire, fire or promote workers.

Some privacy advocates worry, however, that the law that protects DNA tests, the Genetic Information Non-discrimination Act of 2008 (GINA), isn’t as strong as the Health Insurance Portability and Accountability Act (commonly called HIPAA), the law that protects all your individual health information at the doctor’s office.

What’s more, GINA only applies to health insurers. Life, long-term care, and disability insurers are not subject to the laws restrictions.

Your data will be sold to third parties, including pharmaceutical companies.

Fortunately, insurers can’t readily get their hands on your DNA information. But that might not stop them from trying: Experts say that insurers are worried that consumers, armed with information from these tests, will rush to buy life or long-term care insurance and make expensive claims in the future.

And while they may not be able to access the information themselves, insurers could potentially ask consumers to disclose results of any genetic testing they may have had, and deny or discontinue coverage if you refuse to disclose.

Data for sale

When you order a DNA test, you’ll be asked to sign a long privacy statement. Among other things, it lets you know that—unless you opt out—your data will be sold to third parties, including pharmaceutical companies.

A valid email is required

However, the companies say the data is batched and de-identified, so it can only be used for research purposes.

For example, here’s what the 23andMe privacy policy says: If you choose to consent to participate in 23andMe Research, 23andMe researchers can include your de-identified Genetic Information and Self-Reported Information in a large pool of customer data for analyses aimed at making scientific discoveries.

And most consumers don’t opt out, according to data from 23andMe, because they believe such research can help find cures and advance science. 

Privacy experts believe it would be relatively easy for interested parties to find identifying characteristics.

But just how anonymous is that data? Some privacy experts believe that it would be relatively easy for interested parties to find identifying characteristics. That would potentially allow them to target consumers directly for the marketing of drugs and other products related to specific diseases, according to King.

Plus, notes King, companies may change the privacy statement at any time, something they make perfectly clear in the fine print. “There’s nothing to protect consumers if these companies simply change their mind,” she says.

An alternative method

Besides privacy concerns, many experts worry that finding out genetic information can be inconclusive, alarming and upsetting. You may not be ready to handle the news that you’re at risk for developing a disease without a known cure.

One way around this is to have a genetic test through a health-care provider instead of a DNA kit. That way, your info is protected by the more-stringent HIPAA laws—and you can discuss the results with a trained professional, says Dr. Lori Frank, a member of the Alzheimer’s Foundation of America’s advisory board.

“Remember, a genetic test that shows you might be at risk, is not the same as a definitive diagnosis,” says Frank. 

Watch this

5 places you can retire and live the luxe life on a budget