Protecting Your Genetic Data: How to Delete Your 23andMe Information Amidst Company Upheaval

Protecting Your Genetic Data: Taking Action with 23andMe

Recent months have brought significant uncertainty for customers of the popular DNA testing service, 23andMe. The company, which holds the genetic information of approximately 15 million individuals, faced serious upheaval, including filing for Chapter 11 bankruptcy protection in March. This period of instability raised alarms among privacy advocates and security experts, prompting urgent calls for customers to take steps to protect their sensitive personal biological information.

The situation culminated recently in a bidding war for the company's assets. Ultimately, co-founder Anne Wojcicki successfully reacquired control through her nonprofit, TTAM Research Institute, for $305 million. While this resolves the immediate ownership question stemming from the bankruptcy, it hasn't entirely alleviated concerns about the future of the vast repository of genetic data the company holds.

The bankruptcy proceedings themselves sent shockwaves through the direct-to-consumer genetic testing industry. The interim CEO of 23andMe revealed that a substantial number of customers have already reacted to the uncertainty. Approximately 1.9 million people, representing around 15% of 23andMe's customer base, have formally requested that their genetic data be deleted from the company's servers.

Adding another layer of complexity, more than two dozen states have reportedly filed lawsuits challenging the potential sale or transfer of customer data during or after the bankruptcy process. These legal challenges argue that 23andMe must obtain explicit consent from customers before transferring or selling their personal genetic information to any new entity, including the one controlled by Wojcicki's nonprofit.

Given this evolving landscape and the inherent sensitivity of genetic information, many of the 15 million individuals who shared their DNA with 23andMe are understandably seeking ways to minimize their exposure and protect their privacy. While it's crucial to understand that deleting your data may not erase every single trace — particularly information already shared with research partners or stored in backup systems as per the company's policies — there are still meaningful actions you can take directly within your account settings.

How to Request Deletion of Your 23andMe Data

The most direct action you can take to protect your genetic data is to request its permanent deletion from 23andMe's active servers. This process is initiated through your account settings on the 23andMe website. Here is a step-by-step guide:

Log in to your 23andMe account using your credentials.
Navigate to the Settings section of your profile. This is typically found in the account menu.
Scroll down the settings page until you find the section specifically labeled 23andMe Data.
Click on the View option within the 23andMe Data section. This will take you to a page with more details about your data.
On this page, scroll down to locate the Delete Data section.
Within the Delete Data section, click the button labeled Permanently Delete Data.

After initiating the deletion request through these steps, 23andMe will send an email to the address associated with your account. This email will contain a link that you must click to confirm your request for permanent data deletion. This confirmation step is a security measure to ensure that the request is legitimate.

Before proceeding with the permanent deletion, 23andMe typically offers you the option to download a copy of your raw genetic data. If you wish to retain a personal copy of your information, be sure to complete the download process before confirming the deletion request.

Important Caveats Regarding Data Deletion

It is critical for customers to understand the limitations of the data deletion process as outlined in 23andMe's privacy policy. The policy explicitly states that the company and its associated laboratories are required to retain certain information for compliance with applicable legal obligations. This retained information includes your Genetic Information, date of birth, and sex.

Furthermore, the policy clarifies that 23andMe will also retain limited information related to your account and the deletion request itself for a specific period. This includes, but is not limited to, your email address, an identifier for your account deletion request, communications related to inquiries or complaints you may have made, and legal agreements you have accepted. This retention is necessary for legal requirements, contractual obligations, and/or as needed for the establishment, exercise, or defense of legal claims, as well as for audit and compliance purposes.

In essence, while requesting deletion removes your data from the primary, accessible databases used for providing services and research (if you've consented), some core genetic information and metadata related to your account and the deletion request will be retained for an unspecified amount of time to meet legal and operational necessities. This means that requesting deletion does not necessarily erase all traces of your interaction with the company or the fact that your genetic information was processed.

Destroying Your Test Sample and Revoking Research Consent

Beyond the digital data stored on servers, 23andMe also handles physical saliva samples provided by customers. If you previously opted to have your saliva sample and the extracted DNA stored by 23andMe for potential future use or research, you have the ability to change this setting and request the destruction of your physical sample.

To revoke your permission for the storage of your physical sample, you need to access your account settings page and navigate to the Preferences section. Within this section, you should find an option related to sample storage where you can update your preference.

Additionally, if you previously agreed to allow 23andMe and third-party researchers to use your genetic data and sample for research purposes, you can withdraw this consent. This option is typically found within the Research and Product Consents section in your account settings. Withdrawing consent means your data will no longer be included in new research initiatives.

It is important to note, however, that while you can reverse your consent for future research use, there is generally no way for you to retroactively delete or retrieve information that may have already been anonymized, aggregated, and shared with research partners prior to your withdrawal of consent. Research data is often processed in ways that make it difficult or impossible to isolate and remove individual contributions after the fact.

Communicating with Family Members About Genetic Data Privacy

Genetic information is unique in that it inherently contains information not just about you, but also about your biological relatives. When you submit your DNA to a service like 23andMe, the data generated can reveal insights about your parents, siblings, children, and more distant relatives who share segments of your DNA.

Because of this interconnectedness, the privacy and security risks associated with your genetic data can extend to your family members, regardless of whether they have ever used a genetic testing service themselves. For example, if your data were to be compromised or used in ways you didn't anticipate, it could potentially reveal sensitive information about your relatives.

Therefore, once you have taken steps to request the deletion of your own data and revoke consent for research, it is highly recommended that you communicate with your family members. Encourage them to understand the implications of sharing genetic data and, if they are also 23andMe customers, urge them to consider taking similar steps to safeguard their own information. Discussing these issues openly can help ensure that all your loved ones are aware of the potential risks and are empowered to make informed decisions about their genetic privacy.

Extending this conversation beyond immediate family to close friends who may have used similar services is also a good practice. Raising awareness about data privacy in the context of genetic testing helps build a collective understanding of the potential vulnerabilities and encourages a proactive approach to protecting personal information in the digital age.

The Broader Context: Genetic Data Privacy in the Digital Age

The situation with 23andMe highlights broader concerns about the privacy and security of highly sensitive personal data collected by direct-to-consumer genetic testing companies. Millions of people have willingly shared their most intimate biological blueprints, often without fully grasping how this data might be used, stored, or potentially exposed.

Genetic data is unlike other forms of personal information. It cannot be changed, and it contains predictive information about health risks, ancestry, and familial relationships that can have profound implications. Once shared, it is difficult, if not impossible, to fully control its dissemination and use.

The potential uses of this data are vast, ranging from valuable scientific and medical research to potentially less desirable applications, such as targeted advertising, insurance underwriting (though often restricted by law), or even forensic investigations. The terms of service and privacy policies of these companies are complex and can change over time, leaving customers uncertain about the long-term fate of their genetic information.

The legal and regulatory landscape surrounding genetic data is still developing. While some laws offer protections, the specific rights of individuals regarding the data derived from their biological samples, especially when it's aggregated or used in research, remain a subject of ongoing debate and legal challenges, as seen in the lawsuits filed by various states against 23andMe.

The reacquisition of 23andMe by Anne Wojcicki through a nonprofit entity might offer some customers reassurance compared to a sale to a purely commercial or unknown third party. However, the fundamental questions about data ownership, control, and the potential for future use or transfer persist. The fact that 15% of customers requested deletion during the bankruptcy proceedings underscores the level of concern among the user base.

For anyone who has used 23andMe or similar services, the recent events serve as a stark reminder of the importance of understanding the privacy policies, reviewing account settings regularly, and taking proactive steps to manage the data shared. While complete erasure may not always be possible due to legal and technical constraints, minimizing the data footprint and revoking consent for non-essential uses are crucial steps in asserting control over your genetic identity in an increasingly data-driven world.