It sounds like such a fun holiday gift idea: a DNA test that can tell your sister-in-law whether she really has Native American ancestors, or one that promises to craft your friend a perfect diet based on his genes.

Home DNA tests are likely a big seller for the next few weeks, but privacy experts say consumers should be cautious. Last year New York Sen. Chuck Schumer asked the Federal Trade Commission to "take a serious look at this relatively new kind of service and ensure that these companies can have clear, fair privacy policies."

The problem is that when you send away a tube of your spit or a cheek swab, you are giving away your full genetic code. Every cell on that cheek swab carries the full sequence of your DNA, including the mutation pattern that makes it uniquely yours.

“It’s the most valuable thing you own,” says Peter Pitts of the Center for Medicine in the Public Interest, a nonprofit advocacy group.

Legitimate genetic testing companies promise not to sell or give this data away without consent.

"We respect and agree with Sen. Schumer's concern for customer privacy and believe any regulation should match the commitments we make to our customers," Ancestry.com said in a statement in 2017.

"We do not sell your data to third parties or share it with researchers without your consent."

Read the whole agreement

But usually, a broad consent is part of the initial contract a consumer makes with a company when he or she submits the test for analysis.

“Obviously, there is a lot of fine print,” said Mary Freivogel, president of the National Society of Genetic Counselors. “Any time you do anything and you have a big, long agreement in front of you, I think so many of us are accustomed to just clicking ‘agree’.”

Even if you do read the whole agreement, which can go on for pages, you may not understand what you’re giving the company permission to do, said Hank Greely, director of the Center for Law and the Biosciences at Stanford School of Medicine.

“There is no legal limit on what they could do other than the agreement that you enter into with them which they may or may not choose to follow,” Greely added. “If they don’t follow it, the chance you would ever find out is very, very low.”

And it really doesn’t matter if your sample is earmarked for use in tracing Neanderthal ancestors or just looking for rare disease genes. It doesn’t matter if the sample is destroyed. The code itself is digitized and can be shared countless times and in countless ways.

“Even if you just send your DNA in for genealogical work, what those companies typically run is a SNP test hundreds of thousands of markers, even though they may be only looking for a couple of hundred markers,” Greely said. A SNP (pronounced “snip”) is a single nucleotide polymorphism, a single-letter difference in the genetic code that may cause disease or that may lead back to your great-great grandfather.

“That analysis shows things about your health that the company never told you because that is not the business they are in,” he said. “They are in the genealogy business.”

So here’s some potentially devastating information about your health and it’s in someone else’s hands, Greely said.

“For a non-trivial percentage of us, there really are scary things in our genomes,” he said.

That information may or may not be useful to someone else.

“Maybe you’re doing it for fun or for laughs or for conversation at the holiday table but at the end of the day you may have a good time but the company now can sell that information 100 different ways,” said Pitts.

“You don’t want that information displayed to other people,” he added. “Ultimately you don’t want an employer to have access to your information.”

Not that hard to identify you

A 2008 law called the Genetic Information Nondiscrimination Act forbids discrimination based on genetic information, which would include firing someone because they have a gene that predisposes them to an expensive disease. But it would also be hard to prove an employer did that, said Pitts.

Right now, it’s hard to identify anyone based strictly on their DNA sequence. But as people enter more and more information into databases, it could become easier.

More than 60 percent of Americans who have some European ancestry can be identified using DNA databases, according to a recent report in the journal Science. Not only could police use this information, but so could other people seeking personal information about someone, the researchers reported. Earlier this year, the Golden State Killer was identified after detectives used genealogy websites to match DNA taken from crime scenes with his distant relatives.

23andMe has an extensive questionnaire about health, lifestyle habits and preferences. While it allows customers to skip any questions they choose, customers can be contributing a lot of personal detail with their DNA sample.

“Especially if it is coupled with health information, you can say this is a 39-year-old woman from Westchester County who is five feet, seven inches tall, who has blue eyes and has cystic fibrosis — it wouldn’t be that hard for somebody to find you,” Greely said.

“Now would anybody try? I don’t know. If you are a member of the royal family or a celebrity of some sort, I suspect people would. Is there a snoopy relative? Is there somebody just curious about you?”

In 2013, a team at the Whitehead Institute for Biomedical Research said they figured out the identities of 50 people from DNA donated anonymously for scientific study using easily available internet databases.

That’s why companies do their best to strip away personal information from the genetic codes, but anyone who has been the victim of credit card fraud or identity theft knows that anonymizing data is far from foolproof.

“You cannot promise people absolute confidentiality,” Greely said. “The other side of it is that it’s possible that somebody will hack into a company database that does contain your information. My financial information has been hacked three times in two years. All that stuff is out there.”

Most of the sharing is for legitimate, scientific research and many people may want to help in that endeavor.

“Let’s say they are looking for new genes related to diabetes,” said Freivogel.

“They want a large set of DNA from people who have diabetes as well as a large set of samples of people who do not have diabetes.” Buying that data is easier than recruiting thousands of volunteers.

“A lot of times companies are looking for large sets of DNA samples to do research on, to find new genes or even validate genetic tests that they’ve developed,” Freivogel said.

Disease risks

People may not want to help out a company trying to make a profit off their DNA, and may not associate “scientific research” with enriching a corporate bottom line.

And people may think they are ready to get some interesting news about their disease risks, until they actually get it.

“It has emotional consequences that go along with it, and family dynamic consequences,” said Freivogel.

“If you have a positive result, you may need to share that with your five sisters. And are you prepared to do that?”

People getting genetic testing at a clinic will almost certainly be offered counseling, but not so for home tests.

“Ideally we need to talk to people before they make the decision about genetic testing,” Freivogel said.

“You need experts to help people understand how much stock to put in that DNA result.”