Privacy policies often fail to uphold the goals of transparency – for individuals to understand the processing of their data and exercise their rights in a user-centered manner – which may lead to misalignment between privacy expectations and practices. Direct-to-consumer (DTC) genetic companies, expected to grow to more than 2.7 billion USD by 2032 in Europe, process sensitive data with many risks. The authors selected six leading DTC genetic companies and examined their EU privacy and research consent policies to answer: 

1) How vague, confusing, or complete are information flows?;  

2) Are they aligned with GDPR transparency requirements?;  

3) How relevant is the information to users?;  

4) What risk/benefit information is available?  

This study identified 62 flows for sharing genetic data and found that 81% were vague and 37% were contextually distinct and confusing. Consequently, GDPR transparency requirements may not be met. Qualitatively, information was not user-relevant and lacked collective risks of sharing data. The authors then offer specific suggestions to enhance user-centered transparency in policies and to use contextual integrity as a tool to assess, audit, and share data practices.