On March 23, 2025, the home DNA testing service 23andMe filed for Chapter 11 bankruptcy, citing weakening demand for its service and a loss of trust in the brand after a major data breach in 2023.
To cover its debts, 23andMe is exploring the sale of the DNA data it collected from more than 15 million people. The company’s chairman, Mark Jensen, has said, “We are committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction,” but the company is seeking to maximize the value of its assets, and this dataset is among the most valuable it holds.
That is why we advise anyone who used 23andMe to delete their information.
Why you should delete data from 23andMe
Unlike health information held by your doctor, hospital, or insurer, which is covered by HIPAA, the genetic data collected by direct-to-consumer companies like 23andMe falls outside HIPAA, and there are few other legal guardrails on it. If another company buys the data 23andMe has collected, it will likely be able to use it however it wants, regardless of the assurances 23andMe representatives give today.
This data is also uniquely sensitive. You cannot change your DNA, so once an organization has collected it and linked it to you, your only recourse is to hope you can get them to delete it. And because DNA is inherited, a dataset like 23andMe’s can be used to identify you even if you never sent in a sample, as long as a relative did. This is not a hypothetical concern: in 2018, a serial killer active in the 1970s and 80s was identified and arrested after investigators matched crime-scene DNA to his relatives’ profiles in a public genealogy database.
How to delete your data from 23andMe
Deleting your account is the best way to secure your data, even if doing so doesn’t necessarily mean 23andMe will delete your genetic information (see What are your rights?).
To delete (most of) your personal information from 23andMe’s databases, you must:
- Sign in to your account at https://you.23andme.com/.
- Go to Settings in your profile, then find 23andMe Data and select View.
- If you want to keep a copy of your genetic information or reports, download them now; you cannot do so after you delete your data. Treat the downloaded raw data file with the same care you would want 23andMe to apply: it is your genome, so store it encrypted and do not upload it to another service unless you have read that service’s retention and sharing policies.
- To delete your data, scroll to Delete Data and select Permanently Delete Data.
- 23andMe will send a confirmation email to the address it has on file. You must follow the link in that email to complete the deletion. Once you tap or click the link, deletion starts automatically and you lose access to your account. This step cannot be reversed, cancelled, or undone.
According to 23andMe’s support articles on account settings and closing your account, once you’ve submitted this request the company will delete the data associated with all your accounts and discard any biological samples you gave it permission to hold. If you participated in 23andMe Research, your genetic and self-reported information will no longer be used in any future projects.
Who already has your data?
Unfortunately, if 23andMe has your genetic data, it has likely already been shared with numerous parties. Reporting by Reuters revealed that 23andMe had given access to its database to at least 30 pharmaceutical and biotech companies, and many of these agreements have not been disclosed.
The good news is that the shared data was probably de-identified, meaning it was stripped of your name and other direct identifiers. The bad news is that even with those identifiers removed, genetic data is almost impossible to anonymize completely. Studies have shown it can be re-identified using free, publicly accessible internet resources, for example by matching Y-chromosome markers against public genealogy databases to infer a surname and then narrowing the candidates by age and location.
What are your rights?
It is unclear whether 23andMe will delete users’ genetic information when they delete their accounts.
Its main privacy statement says:
23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations … even if you chose to delete your account.
Meanwhile, its privacy statements for the European Economic Area, the UK, and Switzerland and for US states with strong privacy laws (California, Colorado, Connecticut, Utah, Virginia, and Washington) say explicitly that you have the right to delete your “personal information”. And the main privacy statement lists genetic information as one type of personal information 23andMe collects.
Our reading is that the company will retain your genetic information unless you live in the European Economic Area, the UK, Switzerland, California, Colorado, Connecticut, Utah, Virginia, or Washington and have requested its deletion by exercising your privacy rights, which 23andMe says you do by emailing privacy@23andMe.com.
If you live elsewhere, it appears the company will retain your genetic information, along with your date of birth and sex, even if you delete your account.
We have written to 23andMe for clarification. We will update this article with their response.
The US legal patchwork makes it equally hard to summarize who has what rights, but according to the Electronic Frontier Foundation, roughly a dozen states have laws that would probably require 23andMe to obtain user consent before transferring their data in an acquisition. If you live in one of those states, you could simply refuse to allow 23andMe to transfer your data.
The US needs a national privacy law
The inconsistent privacy laws across the US enable the mass collection and sharing of personal information on the internet. And no federal laws completely cover or protect users of online DNA testing by services like 23andMe and its competitors.
Policymakers must pass stronger laws that protect our data, especially sensitive genetic information. Our DNA can reveal all sorts of information, including our relatives, physical characteristics, and genetically determined diseases. This type of information deserves the same strong protection health information receives in other contexts.
Once data is shared, it can’t be called back
The situation surrounding 23andMe encapsulates the problem of the modern internet: once you share your information with a company (and in many cases you “share” it simply by using the company’s app or visiting its website), it can pass that information to countless third parties without you ever knowing, unless you read the privacy policy closely. DNA is an extreme case. It is uniquely sensitive, it cannot be changed, and once it has been shared it is very hard to prevent re-identification.
This is also why Proton uses end-to-end and zero-access encryption wherever possible. We encrypt your information so we cannot access it, allowing you to remain in control of your information, confident that it cannot be shared with anyone else.