Since 23andMe launched direct-to-consumer genetic testing in 2007, it’s evolved into more than just a relative novelty. It’s good for tracking down unknown relatives (for better or worse) and represents one of the many ways modern technology promotes health awareness. Its work is also covered by various regulations, and it employs digital archiving for security, privacy, and ease of access.
But everything that has a beginning has an end, and 23andMe’s days could be numbered. What happens to your genetic data when the company holding it goes under? You might not have quite as much control over it as you’d like.
23andMe’s fall from grace
When venture capital runs out and the board runs off
Sixteen years of zero-profit operations were compounded last year, when roughly 14,000 23andMe accounts were breached. The hacker supposedly took advantage of thousands of users not practicing good password hygiene, accessing their raw genetic data as well as the relatives and genetic commonalities of nearly seven million users.
With the stock price crashing and the company’s future in question, the entire board resigned in September 2024. CEO and founder Anne Wojcicki was left to resuscitate the once-$6 billion venture. She has repeatedly denied the possibility of a third-party takeover, and believes she can revive 23andMe. Whether that’s true remains to be seen.
Why people are deleting their 23andMe data
It’s more than just one hack
Last year’s breach played out over 5 months, with 23andMe unaware of its occurrence until October 2023. That’s enough to question the company’s security on its own, but that’s not all.
The company has been contracted with pharmaceutical giant GlaxoSmithKline since 2018, with continued licensing agreements providing access to 23andMe’s database for treatment (that is, drug) research purposes. That collaboration raised eyebrows (and still does), but roughly 80% of users actively opt into 23andMe’s research mission when submitting a sample. Most people don’t appear too worried.
Most pertinent are the company’s financial woes. If it somehow makes a resurgence, further data monetization could play a part. If 23andMe folds and is absorbed, there’s no telling where your data could end up. Security issues and extreme uncertainty make now a great time to delete your identifying 23andMe information.
The roadblock to reclaiming genetic data
Labs aren’t allowed to delete test results immediately
The companies that perform the actual tests on 23andMe samples are bound by federal guidelines called the Clinical Laboratory Improvement Amendments of 1988. The rules say that accredited labs must retain genetic testing results for a minimum of two years. We contacted a 23andMe representative, who explained the requirements:
The federal Clinical Laboratory Improvement Amendments (CLIA) of 1988, CAP Accreditation, and California laboratory regulations require our lab to store your de-identified genotyping test results and to keep a minimal amount of test result or analysis information.
CLIA and CAP were established to ensure labs meet quality control and safety practices and require audit, inspection, and validation oversight by federal and state agencies. As such, per laboratory regulations, the lab cannot delete all information.
The relatively well-known LabCorp has done 23andMe’s testing since 2008, and follows CLIA regulations strictly. It’s unclear exactly how those guidelines apply to 23andMe and LabCorp databases, though. We know the absolute minimum retention period is two years, some regions require three years (such as California), and 23andMe representatives have cited 10 years as recently as 2019.
We’ve reached out to both LabCorp and 23andMe for clarification on the retention period, and on when the clock starts running.
Why you shouldn’t freak out about data retention
It’s slightly less invasive than you might think
We recommend you get your personal data out of 23andMe’s hands, but there’s no serious reason to worry about required data retention for now. These important points should put your mind at ease.
Retained genetic data is anonymized following 23andMe deletion
Requesting deletion closes your account permanently and prevents your data from being used in further research (existing research remains unaffected). The company makes clear that, once requested, deletion can’t be canceled or reversed. At that point, it removes all directly identifiable information from its database. 23andMe confirmed this:
Our laboratory will retain your de-identified Genetic Information and a randomized identifier on their secure servers for a limited period of time. The file is uninterpreted and is stripped from registration information.
Also, the Genetic Information is not accessed, used, or disclosed for any purpose other than as needed to comply with the laboratory’s quality requirements. The information will be carefully deleted once the retention obligations have been fulfilled.
While your data remains on the server, and (for example) law enforcement could theoretically cross-reference it against relatives’ results, it’s anonymous on the surface.
23andMe’s testing method isn’t very in-depth
Different types of genetic testing serve different purposes. 23andMe doesn’t perform thorough DNA sequencing, which essentially lays out your entire genetic road map. Instead, the service uses what’s called “single-nucleotide polymorphism genotyping.” That sounds complex, but it’s a relatively simple examination of singular points on the DNA molecule, and a comparison to what we know about how those markers affect the body.
There’s not actually a huge trove of information there. In a borderline-impossible situation where your data is somehow traced back to you, it won’t be worth much — even in the hands of a theoretical bad actor. Plus, if you did request that 23andMe retain your original sample, it will be destroyed as soon as you cancel your account.
LabCorp is huge, with good information security
Part of the CLIA regulations outlines the secure processing and storage of data. Genealogy is a tiny part of LabCorp’s business, compared to the significantly more detailed and impactful results of the rest of its testing. It’s extremely unlikely that LabCorp would ever be hacked, and if it were, former 23andMe users wouldn’t have much to worry about.
23andMe lacks the resources for that level of protection, but it’s not completely insecure. It also claims the data retained on its own servers is distinct from the most in-depth genetic data it gives users access to. Furthermore, your data will remain protected by the equivalent of 23andMe’s privacy policy if its assets are acquired.
Any damage is probably already done
If you’re worried about privacy today, you might regret submitting your genes in the first place. Don’t feel bad — it’s a neat service, and has helped individuals chart their genetic health, in addition to the varying research it’s fueled.
By the time your 23andMe account is deleted and your data anonymized, you’ll be out of the system, untrackable by distant relatives and ineligible for future research efforts. Any hacked logins will lead nowhere, and 23andMe’s only remaining record of you will be a receipt proving your deletion was requested and completed.
How to delete your 23andMe data
Or how to start the process, at least
Regardless of the above points, the company’s bleak future makes now the right time for most people to jump ship. Luckily, it’s not difficult, although it’s also not instant.
First, download your data if you ever want to use it for something else. Go to the Settings menu and scroll down to 23andMe Data at the bottom. In a browser, select View; in the app, tap Access your data. Select each type of data you want to save. After a wait of up to 30 days, you’ll get an email with a limited-time download link.
To delete your account and identifying information, go back to Settings, scroll down to 23andMe Data, and select View or Access your Data. This time, tap or click Permanently Delete Data. You’ll get an email requesting confirmation of your choice. Once you confirm, you can’t back out.
There you have it — and you still own your genetic data
Just because a small section of your SNP phenotype data may be stored on a server somewhere doesn’t mean it’s not yours. The company holding it may be required to access it for legal reasons, but it won’t have your identifying information stamped on it. That company also has no legal rights to it, only keeping it as a record.
Ultimately, there may not be legitimately dangerous problems with your data remaining on a laboratory’s servers, or even 23andMe’s. But the uncertainty of the situation is bad enough that deletion can’t hurt. At the very least, it’ll give you peace of mind in a world where privacy is constantly under attack.