I recently posted that Verogen (the corporate owner of GEDmatch) has been sued—not once but twice—for violations of genetic privacy. Last week, Gene by Gene (the corporate owner of FamilyTreeDNA) was also sued in the state of Illinois. The case, Joshua Saathoff v Gene by Gene, was filed on 25 November 2024. All three class-action lawsuits allege that Gene by Gene violated the Illinois Genetic Information Privacy Act (GIPA) by using tracking software that synced with Facebook.
The gist of the complaint is very similar to that in Curley v Verogen and Hutcheson et al. v. Verogen, which I summarized in an earlier post. Briefly, it alleges that Gene by Gene installed tracking software on its website to report user movements back to Meta/Facebook for advertising purposes. The plaintiff argues that merely telling Facebook that they took a DNA test violated Illinois’ GIPA.
The Saathoff complaint goes into more detail than the earlier lawsuits about how the tracking software, called the Facebook Pixel or the Meta Pixel, works in practice: as a user navigates the FamilyTreeDNA website from shopping to checkout to login to test results, that information is stored on Gene by Gene’s servers and passed along to Meta/Facebook.
Each time a FamilyTreeDNA user accesses these pages, FamilyTreeDNA shares with Meta via the Facebook Pixel an “Event” called “PageView” that tells Meta, among other data points, the URL of the page that the consumer is viewing on FamilyTreeDNA.com, which, as described above, disclose the portions of the FamilyTreeDNA website the user is accessing and, by extension, the fact that the user has obtained a genetic test from FamilyTreeDNA. [Saathoff v Gene by Gene, #64]
Those page views tell Facebook not only that the user took a DNA test but which test they took (autosomal, mitochondrial, or one of the Y-DNA offerings), which reports they viewed, and possibly even which matches they examined.
What Does This Mean for Gene by Gene?
I am not a lawyer. I can’t speak to the legal merits of this lawsuit nor the two that were recently filed against GEDmatch/Verogen. I can, however, make some general observations.
At FamilyTreeDNA, a user does not create an account until they place an order for a DNA test, and each individual user has a separate account. That means the information passed along to Facebook will necessarily be specific to that one person.
In contrast, at GEDmatch, one can use the site without necessarily having done a DNA test, and a single account can host several DNA kits. Thus, the information reported back to Facebook may or may not be about that specific user.
That might put GEDmatch in a more defensible position. However, the percentage of users who do not have their own DNA results at GEDmatch is undoubtedly marginal. What’s more, if Meta is cross-referencing those secondary DNA tests to accounts at Facebook, GEDmatch could be exposed to even more liability.
What Does This Mean for Genealogists?
We’re in for a bumpy ride. FamilyTreeDNA has been sued. GEDmatch has been sued twice. 23andMe recently settled an unrelated class-action case that also centered on genetic privacy.
The reputational harm to the industry as a whole will be substantial. I expect all of the companies to change course to protect privacy—and their own bottom lines. That’s good for us as individuals but not as genealogists.
Personally, I’m agnostic. My work as a genetic genealogist will undoubtedly be harder if the companies clamp down. On the other hand, I’ve been arguing for years that genealogists need to take genetic privacy more seriously. It’s no fun being Cassandra.
The next few years will be interesting, that’s for sure.
—–
Hey!
I’m trying out Substack as an alternative blogging site. I may stick with it; I may not. If you’d like to check me out there, you can find me at thednageek.substack.com.
These are not the only companies behaving in this way.
Anytime a google search is made for a product, the advertising for that product appears in may sites subsequently visited. – from cars to cosmetics and clothing.
You are absolutely correct that similar tracking software is used on many if not most internet sites. As creepy as it is, I’m not aware of any state that legislatively protects your privacy rights when you buy eyeliner. There are several states, however, that protect your privacy when it comes to doing a DNA test.
“… a user does not create an account until they place an order for a DNA test…”
Transfer from Ancestry to FTDNA will create an account without ordering a DNA test.
True in the strictest sense, but from a privacy standpoint, the Meta Pixel is still telling Facebook that the user has done an atDNA test. Whether that test was originally done at FTDNA or elsewhere is a trivial difference.
As a FTDNA project admin and manager of many kits for elderly relatives who tested at my request, it concerns me that Facebook has been tracking my activity when I’m working with someone else’s kit.