MIT Technology Review’s How To series helps you get things done.
Things aren’t looking good for 23andMe. The consumer DNA testing company recently parted ways with all its board members but CEO Anne Wojcicki over her plans to take the company private. It’s also still dealing with the fallout of a major security breach last October, which saw hackers access the personal data of around 5.5 million customers.
23andMe’s business is built on taking saliva samples from its customers. The DNA from those samples is processed and analyzed in its labs to produce personalized genetic reports detailing a user’s unique health and ancestry. The uncertainty swirling around the company’s future and potential new ownership has prompted privacy campaigners to urge users to delete their data.
“It’s not just you. If anyone in your family gave their DNA to 23&Me, for all of your sakes, close your/their account now,” Meredith Whittaker, president of the encrypted messaging platform Signal, posted on X after the board’s resignation.
“Customers should consider current threats to their privacy as well as threats that may exist in the future—some of which may be magnified if 23AndMe were sold to a new owner,” says Jason Kelley, activism director at the Electronic Frontier Foundation. “23AndMe has protections around this much of this. But a potential sale could put your data in the hands of a far less scrupulous company.”
A spokesperson for 23andMe said that the company has strong customer privacy protections in place, and does not share customer data with third parties without customers’ consent. “Our research program is opt-in, requiring customers to go through a separate, informed consent process before joining,” they say. “We are committed to protecting customer data and are consistently focused on maintaining the privacy of our customers. That will not change.”
Why deleting your account comes with a caveat
Deleting your data from 23andMe is permanent and cannot be reversed. But some of that data will be retained to comply with the company’s legal obligations, according to its privacy statement.
That means 23andMe and its third-party genotyping laboratory will hang onto some of your genetic information, plus your date of birth and sex—alongside data linked to your account deletion request, including your email address and deletion request identifier. When MIT Technology Review asked 23andMe about the nature of the genetic information it retains, it referred us to its privacy policy but didn’t provide any other details.
Any information you’ve previously provided and consented to being used in 23andMe research projects also cannot be removed from ongoing or completed studies, although it will not be used in any future ones.
Beyond the laboratories that process the saliva samples, the company does not share customer information with anyone else unless the user has given permission for it to do so, the spokesperson says, including employers, insurance companies, law enforcement agencies, or any public databases.
“We treat law enforcement inquiries, such as a valid subpoena or court order, with the utmost seriousness. We use all legal measures to resist any and all requests in order to protect our customer’s privacy,” the spokesperson says. “To date, we have successfully challenged these requests and have not released any information to law enforcement.”
For those who still want their data deleted, here’s how you go about it.
How to delete your data from 23andMe
- Log into your account and navigate to Settings.
- Under Settings, scroll to the section titled 23andMe data. Select View.
- You may be asked to enter your date of birth for extra security.
- In the next section, you’ll be asked which, if any, personal data you’d like to download from the company (onto a personal, not public, computer). Once you’re finished, scroll to the bottom and select Permanently delete data.
- You should then receive an email from 23andMe detailing its account deletion policy and requesting that you confirm your request. Once you confirm you’d like your data to be deleted, the deletion will begin automatically and you’ll immediately lose access to your account.
What about your genetic sample?
When you set up your 23andMe account, you’re given the option either to have your saliva sample securely destroyed or to have it stored for future testing. If you’ve previously opted to store your sample but now want to delete your 23andMe account, the company says, it will destroy the sample for you as part of the account deletion process.
What if you want to keep your genetic data, just not on 23andMe?
Even if you want your data taken off 23AndMe, there are reasons why you might still want to have it hosted on other DNA sites—for genealogical research, for example. And some people like the idea of having their DNA results stored on more than one database in case something happens to any one company. This is where downloading your data comes into play. FamilyTreeDNA, MyHeritage, GEDmatch, and Living DNA are among the DNA testing companies that allow you to upload existing DNA results from other companies, although Ancestry and 23andMe don’t accept uploads.
How to download your raw genetic data
- Navigate directly to you.23andme.com/tools/data/.
- Click on your profile name on the top right-hand corner. Then select Resources from the menu.
- Select Browse raw genotyping data and then Download.
- Visit Account settings and click on View under 23andMe data.
- Enter your date of birth for security purposes.
- Tick the box indicating that you understand the limitations and risks associated with uploading your information to third-party sites and press Submit request.
23andMe warns its users that uploading their data to other services could put genetic data privacy at risk. For example, bad actors could use someone else’s DNA data to create fake genetic profiles.
They could use these profiles to “match” with a relative and access personal identifying information and specific DNA variants—such as information about any disease risk variants you might carry, the spokesperson says, adding: “This is one reason why we don’t support uploading DNA to 23andMe at this time.”
Update: This article has been updated to reflect that when asked about the nature of the genetic information it retains, 23andMe referred us to its privacy policy but didn’t provide any other details.