Since 23andMe launched consumer genetic testing in 2007, it has evolved into more than just a relative novelty. This is well suited (for better or worse) to track down unknown relatives and represents one of the many ways modern technology promotes health awareness. Its work is also subject to various regulations and employs digital archiving for security, privacy, and accessibility.
But everything that has a beginning has an end, and 23andMe's days may be numbered. What happens to your genetic data if the company holding it goes out of business? You may not have as much control as you think.
The depravity of 23andMe
When venture capital disappears and the board of directors disappears
DNA: The ultimate biometrics.
About 14,000 23andMe accounts were compromised last year, further worsening 16 years of zero-profit business. The hacker is believed to have taken advantage of thousands of users with poor password hygiene and gained access to relatives and genetic similarities, as well as raw genetic data, for approximately 7 million users. .
related
How to use Google Password Checkup
Because using “passwords” between different accounts is not a wise decision
The entire board of directors resigned in September 2024 as the stock price plummeted and the future of the company was in doubt. CEO and founder Annie Wojcicki was left with the task of reviving the once $6 billion venture. She has repeatedly denied the possibility of a third-party takeover and believes she can revive 23andMe. Whether that's true remains to be seen.
Why people delete their 23andMe data
It's not just a hack
Remember when MyHeritage first animated people's dead ancestors?
Last year's breach lasted for five months, and 23andMe didn't know it happened until October 2023. This alone is enough to make you question the company's security, but there's more.
The company has had an ongoing agreement with pharmaceutical giant GlaxoSmithKline since 2018 to provide access to 23andMe's database for therapeutic (i.e. drug) research purposes. Although this collaboration raised eyebrows (and still does), approximately 80% of users actively participate in 23andMe's research mission when they submit samples. Most people don't seem too worried.
related
I lost my cell phone overseas and almost put my health at risk.
These days, losing your phone can be life-threatening, especially if you have diabetes.
The most relevant factor is the company's financial difficulties. If it returns in some form, further data monetization could play a role. If 23andMe folds and gets absorbed, there's no telling where your data will end up. Given the security concerns and extreme uncertainty, now is the perfect time to delete your personal information from 23andMe.
Obstacles to recovering genetic data
Labs are not allowed to delete test results immediately
The companies that perform the actual testing of 23andMe samples are bound by federal guidelines called the Clinical Laboratory Improvement Amendments of 1988. Regulations state that accredited laboratories must retain genetic test results for a minimum of two years. We contacted a 23andMe representative and explained our requirements:
Per the Federal Clinical Laboratory Improvement Act (CLIA) of 1988, CAP accreditation, and California laboratory regulations, our laboratories store de-identified genotyping test results and provide minimal test result or analysis information. is required to be kept.
CLIA and CAP were established to ensure that laboratories meet quality control and safety practices and to require oversight of audits, inspections, and verification by federal and state agencies. Therefore, due to laboratory regulations, the laboratory cannot delete all information.
The relatively well-known LabCorp has been testing 23andMe since 2008 and strictly follows CLIA regulations. However, it is unclear exactly how these guidelines apply to the 23andMe and LabCorp databases. We know the absolute minimum retention period is 2 years, but some regions (like California) require 3 years, and 23andMe representatives cited 10 years as recently as 2019 .
We asked both LabCorp and 23andMe for clarification on retention periods and when the clock starts.
Why you don't need to worry about data retention
Slightly less invasive than you think
While we recommend that you remove your personal data from 23andMe's hands, there is currently no significant reason to be concerned about retaining the data you need. Understanding these important points will give you peace of mind.
After 23andMe deletion, retained genetic data will be anonymized
If you request deletion, your account will be permanently closed and your data will not be used for further research (existing research is not affected). The company makes it clear that once you request removal, it cannot be canceled or revoked. At that time, all directly identifiable information will be removed from our database. 23andMe confirmed:
Our laboratory will store your anonymized genetic information and randomized identifier on a secure server for a limited period of time. The file will not be interpreted and will be removed from your registration.
Additionally, genetic information will not be accessed, used, or disclosed for any purpose other than as necessary to comply with laboratory quality requirements. Information is carefully deleted after retention obligations have been fulfilled.
The data remains on the server and could theoretically be cross-referenced by law enforcement with results for relatives, but it is ostensibly anonymous.
23andMe's testing methods are not very detailed
There are less invasive ways to leverage technology to improve your health.
Different types of genetic testing serve different purposes. 23andMe does not perform exhaustive DNA sequencing, which essentially reveals your entire genetic roadmap. Instead, the service uses something called “single nucleotide polymorphism genotyping.” Although it sounds complicated, it's a relatively simple test that looks for singularities on the DNA molecule and compares them to what we know about how those markers affect the body. is.
The truth is, there isn't a ton of information out there. In the borderline impossible situation that your data is somehow traced back to you, it's not worth much, even if it were to fall into the wrong hands, even in the theoretical wrong hands. Additionally, if you request that 23andMe retain your original samples, they will be destroyed as soon as you cancel your account.
related
We meet the hackers behind the Ray-Ban Meta AI Doxing Glasses to talk privacy, digital literacy, and goodwill.
They're not supervillains threatening us all (well)
LabCorp is huge and has great information security
Source: Samsung
Part of the CLIA regulation outlines the secure processing and storage of data. Compared to the more detailed and impactful results of the rest of our tests, genealogy is only a small part of LabCorp's business. It's highly unlikely that LabCorp will be hacked, and if it were, former 23andMe users shouldn't worry too much.
23andMe doesn't have the resources for that level of protection, but it's not completely secure. It also claims that the data stored on its servers is not the most detailed genetic data it allows its users to access. Additionally, even if assets are acquired, your data will continue to be protected by the equivalent of 23andMe's Privacy Policy.
related
How to use TikTok and other data-sucking apps without giving up your privacy
Protect your privacy on TikTok and other apps with our guide
Some damage has probably already been done
If you're concerned about privacy now, you may regret submitting your genes in the first place. There's no need to feel bad. This is an excellent service that helps individuals chart their genetic health and also facilitates a variety of research.
By the time your 23andMe account is deleted and your data is anonymized, you will be out of the system, untraceable to distant relatives, and ineligible to participate in future research activities. A hacked login won't lead you anywhere. 23andMe's only record of you will be your receipt proving that deletion was requested and completed.
How to delete 23andMe data
How to at least start the process
Regardless of the points above, the company's future is bleak, so for many, now is the perfect time to jump ship. Fortunately, it's not difficult, but it's also not quick.
If you want to use it for something else, download the data first. go to setting Click on the menu and scroll down. 23andMe data It's at the bottom. Select in browser view;In the app, tap access data. Select each type of data you want to save. Wait up to 30 days and you'll receive an email with a limited-time download link.
To delete your account and identifying information, please return to. settingscroll down and 23andMe dataSelect view or access data. Now tap or click Permanently delete data. You will receive an email asking you to confirm your selections. Once confirmed, there is no going back.
Now you've got it – and you still own your genetic data
Just because some SNP phenotype data is stored somewhere on a server doesn't mean it's not yours. No personally identifying information will be imprinted on it, although the company that owns it may need access for legal reasons. The company also has no legal rights to it and only keeps it as a record.
After all, the data left on the lab's servers or 23andMe's servers may not be legally dangerous. But the uncertainty of the situation is bad enough that it doesn't hurt to remove it. At least it can give you peace of mind in a world where your privacy is under constant attack.