The well-known genome company, 23andMe, has been in a downward spiral since it suffered a catastrophic data breach last year. Since then, the company, once led by former wife of Sergey Brin, Anne Wojcicki, has been embroiled in controversy. Lawsuits, layoffs, and financial losses have plagued the company. As a result, many of the company’s customers are looking to cut ties and run. It is understandable that people want to delete their accounts and purge any data the company has on them. Unfortunately, 23andMe will not delete all of your data.
Oh, you can certainly delete your account. There is a tutorial on the company’s website explaining how to do so. However, reports from MIT Technology Review indicate that while the company may technically delete your account, it plans to retain a significant portion of the associated information. For example, if you previously agreed to share your anonymous genetic data with third parties, there is no way for you to delete that information. At the same time, the company will also retain a mysterious amount of your genetic information, as well as information about your gender, date of birth, email address, and details about your account deletion request, as reported by the Massachusetts Institute of Technology. According to 23andMe’s privacy policy, they retain genetic information and your date of birth to meet regulatory requirements.
In short, the company will retain evidence of your account’s existence, as well as easily identifiable information (DOB), your contact information via email, and again, some of your genetic information.
If you wish to delete your account, you can do so through your “Account Settings” tab. You may need to undergo some identity verification processes to complete this stage of the deletion request. You will receive an email from the company asking you to confirm your desire to delete your account. If you continue with the deletion process, the company notes that once you confirm your decision, you will not be able to revert back.
When contacted by Gizmodo for comment, a spokesperson for 23andMe provided a partial statement:
We have strong privacy protection measures for our customers. 23andMe does not share customer data with third parties without customer consent, and participation in our research program requires clients to undergo a separate and informed consent process before joining. In addition, 23andMe’s research is overseen by an external institutional review board, ensuring our adherence to high ethical standards in the research we conduct. Nearly 80% of 23andMe customers agree to participate in our research program, which has produced over 270 peer-reviewed publications and revealed hundreds of new genetic insights on diseases.
Regarding the issue of retaining data after account deletion, the spokesperson said:
Although we will delete the majority of a customer’s personal information after an account deletion request, our genetic testing labs are required to retain some information to comply with our legal obligations. This includes the customer’s age, gender, and a subset of uninterpreted primary genetic data…
23andMe’s data breach was first reported in October 2023 when customer data appeared on the dark web. At that time, 23andMe informed the public that only about 14,000 accounts were affected by the breach. However, subsequent investigations revealed that due to the internal data sharing feature linked to those accounts, the actual number of affected individuals may have been around 6.9 million. In September of this year, 23andMe agreed to pay a $30 million settlement related to the breach. Last month, after announcing that Anne Wojcicki would attempt to take the company private, all independent directors of 23andMe resigned from the company’s board of directors.
