Popular DNA testing companies like 23andMe and Ancestry.com are being investigated by the Federal Trade Commission over their policies for handling personal info and genetic data, and how they share that info with third parties.

The probe was revealed in the agency’s response to a Freedom of Information Act request by Fast Company last month seeking records pertaining to 23andMe and Ancestry.com. The FTC denied the FOIA request, saying in its letter that any records “would be exempt from disclosure . . . because disclosure of that material could reasonably be expected to interfere with the conduct of the Commission’s law enforcement activities.” The agency cited an exemption—5 U.S.C. 552(b)(7)(A)—which has often been interpreted by journalists as the disclosure of an investigation.

A spokesperson for the agency declined comment, saying that “FTC investigations are non-public, and so typically we do not comment on an investigation or even whether we are investigating.”

Privacy issues in the use of such DNA testing kits came to the forefront last month with the arrest of the notorious Golden State Killer, when it was revealed that police had used data from GEDMatch, a genealogy research site where users upload genealogical and genetic information, to help identify the suspect. When contacted by Fast Company, spokespersons for 23andMe and Ancestry.com said they’re rarely approached by law enforcement for genetic data.

Yet as the DNA testing market has exploded—worth approximately $99 million in 2017 and expected to increase to $310 million by 2022—concerns have also grown about the use of genetic data. Many consumers don’t realize that their personal info may be shared with third-party companies and there have been complaints raised that the companies’ terms of service are not always clear about their policies in such matters.

There are also growing concerns about the security of personal DNA data. On Monday, Israel-based DNA testing service MyHeritage announced a security researcher had uncovered tens of millions of account details for some 92 million customers, including email addresses and hashed passwords. The company said it had no reason to believe user data was compromised, and claimed that users’ DNA data is stored on separate systems.

Joel Winston, an attorney who specializes in privacy law and formerly served as a deputy attorney general for the state of New Jersey, said he welcomed the FTC probe. “DNA data is the most important data you own. Your DNA is you,” he wrote in an email. “An enforcement action by the FTC would send a clear message that for-profit companies cannot use the fine print to quietly take an ownership interest in their customers’ DNA. Companies must not be permitted to mislead, deceive, or confuse customers about how their DNA data is being collected, analyzed, and monetized.