There's a few possibilities, each of which might be simultaneously true to different degrees. The first is that no matter how much the companies tout privacy, that's mostly just marketing; as soon as they want/need to sell the data, they will. There might also be some kind of law enforcement exceptions for certain searches that you have to dig into the fine print of the user agreements to find. Then there's the fact that the average person using 23 & Me or Ancestry is probably more focused on finding out their ancestry or family history than manually opting out of or into all the privacy related stuff. For instance, I know 23 & Me has an opt-in feature where it will tell you if you are related to anyone else who sends in a sample to them. If you select this feature, they'll pop up as possible relatives when you get your results back or you'll be pinged if in the future one of these people submits their own sample. I believe this is how they got the California guy - they created a fake profile, submitted the DNA, and he popped up as a possible relative.