DNA testing startups exist in a regulatory grey area for data privacy. Example: DnaNudge, a company which recommends products based on genetic traits with a retail store in central London. After walking past their storefront recently, I took a look at their privacy policy: 1/n

The policy offers no protections for 'anonymized' data. This data may be sold or shared. Even stripped of identifiers, genetic data is not anonymous. The company states that it only stores patterns, but without knowing more it's hard to know how much protection this provides.

Personal data may be shared with third-parties for purposes including 'marketing and customer service', potentially opening the door for genetically-targeted advertising. The FAQ suggests some of this already, where the app uses location data to recommend 'product alternatives'.

Both personal and 'anonymous' data may be used for outside research purposes. This has traditionally been an opt-in use of data at other genetic testing companies. Are users given a similar option when enrolling in this service?

Data may be processed using 'machine learning' to further personalize the service. It's unclear what this means in practice, but could include the construction of behavioral profiles from usage data. Users may not understand what inferences are being made.

While GDPR provides some protections for genetic information, it's still unclear how these will apply in practice. In the US, fewer explicit genetic privacy protections currently exist.