How to Delete Your 23andMe Data
122 comments
· March 26, 2025
ahmedfromtunis
throwaway48476
But it creates legal grounds for lawsuits if they don't.
Cheer2171
Sure, you can sue the hollowed out shell of a bankrupt limited liability corporation that will soon have no assets for a court to seize for whatever paltry damages a court finds.
wyldfire
Ideally the court can compel the purchaser(s) to destroy the data.
baranul
Good point. There is no confirming the data was actually deleted, beyond the request to do so. There is nobody to go after, as the new owner does not have to respect the request, unless a court orders them to do so. Even in that case, going after the new owner, it would appear to be time critical. Can users stop the selling or transfer of data, before any court could block it?
The correct timing appears to be that 23andMe would have had an opt-out, blocking the selling or transfer of their data. That also should have included confirmation of data deletion, if requested. Since none of that existed, the options for users are quite limited. In fact, many would have participated in 23andMe Research, so their data was likely going to wherever long before.
ashoeafoot
You might get half an office chair, for a lifetime of disadvantages.
dragonwriter
Yeah, and if you spend all the effort and end up winning your lawsuit, you can get a fresh new claim against an already bankrupt entity.
ahmedfromtunis
Of course. And I'm not saying that they might do it in malice.
All I'm suggesting is that tapping some pixels on your backlit rectangular glass won't necessarily translate into pulses of electrons that'll eradicate the 0s and 1s representing your data.
I'm sure that corner of the codebase is one of the least visited parts, so bugs may lurk in, or misconfigurations, etc.
deepsun
How is your lawyer going to prove the data is not deleted?
And what damages are you going to claim in court?
Lawyers are not cheap, no lawyer will work on a case less than even $1k. My only hope is donating to privacy fighting organizations like EFF that file class actions.
pavel_lishin
A lawsuit costs money, and doesn't un-sell the data.
dylan604
Also, what prevents new owners from restoring from backups because "we were hacked" or any other reason for retrieving backup data for something that is currently "deleted"?
switch007
Exactly. Once you give your data, you no longer have any control over it, forever.
patrickwalton
I deleted my data a few months ago and it happened fast enough that it didn't seem like there was a human in the loop.
internetter
Yes, but the implementation may, as far as you know, look like:
  if (userRequestsToDeleteAccount || user.deactivated) {
    user.deactivated = true;
    showDeletionSuccessfulPage();
  }
In this implementation, the user believes their data is deleted, but it has not been.
red-iron-pine
add a "count 400" or something in there to make it seem like something happened.
tonymet
For those curious about what actual data they are recording, they use Infinium Global Screening Array which records about 650-750k SNPs (single-nucleotide polymorphisms).
Obviously this data infers heritage, disease risk, relations. It could be used for discrimination, surveillance, potentially poisoning.
Everyone should request their data to be deleted, but this is an engineering forum, and we know what that means in practice. Every company like this has hundreds of copies of the data, and has shared it with dozens of providers.
Like Rev Tevia said, you can't put the feathers back into an opened pillow.
briHass
Their array of SNPs in ASCII letters is under 10MB compressed, probably well under that using a specialized SNP format/compression algorithm. Less than a complex Microsoft Office file.
Yeah, I can imagine they have a few dozen copies strewn over various backup media/blob buckets. There probably isn't much effort from what's left of their IT team to track them all down to delete.
tonymet
It’s not about the size. Every task will have made a copy and a derivative. I doubt the company ever cared to build a dependency tree for removal, certainly not managing copies given to partners.
Now the company is bankrupt this is the last thing on their task list to implement.
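The gap raised in the two comments above (a flag-only "deletion", and the dependency tree of copies and derivatives that a real removal needs) can be shown in a few lines. This is an added example, not code from the thread or from 23andMe; the store names, lineage and records are hypothetical and constructed for illustration.

```javascript
// Added example. Store names, lineage and records are hypothetical/constructed.
const LINEAGE = {
  primary_db:        { derivedFrom: null,               controlled: true  },
  nightly_backup:    { derivedFrom: "primary_db",       controlled: true  },
  analytics_export:  { derivedFrom: "primary_db",       controlled: true  },
  ancestry_features: { derivedFrom: "analytics_export", controlled: true  },
  partner_share:     { derivedFrom: "analytics_export", controlled: false },
};

// Build in-memory stand-ins for the stores, each holding a copy for userId.
function makeStores(userId) {
  const stores = {};
  for (const name of Object.keys(LINEAGE)) {
    stores[name] = new Map([[userId, { snps: "constructed-sample", deactivated: false }]]);
  }
  return stores;
}

// The pattern from the comment: flag the account, report success, erase nothing.
function softDelete(stores, userId) {
  const rec = stores.primary_db.get(userId);
  if (rec) rec.deactivated = true;
  return { reported: "deleted" };
}

// Independent check: which stores still return data for this user?
function residualCopies(stores, userId) {
  return Object.keys(stores).filter((name) => stores[name].has(userId));
}

// Walk the lineage breadth-first from the root so every copy and derivative is visited.
function lineageOrder(root) {
  const order = [], queue = [root];
  while (queue.length > 0) {
    const name = queue.shift();
    order.push(name);
    for (const [child, meta] of Object.entries(LINEAGE)) {
      if (meta.derivedFrom === name) queue.push(child);
    }
  }
  return order;
}

// Purge derivatives before their sources, then verify by re-reading every store.
function purge(stores, userId, root = "primary_db") {
  const report = { purged: [], outOfReach: [] };
  for (const name of lineageOrder(root).reverse()) {
    if (!LINEAGE[name].controlled) {
      report.outOfReach.push(name); // a copy already handed to a third party
      continue;
    }
    stores[name].delete(userId);
    report.purged.push(name);
  }
  report.residual = residualCopies(stores, userId);
  report.complete = report.residual.length === 0;
  return report;
}

const demo = makeStores("user-123");
softDelete(demo, "user-123");
console.log("after soft delete:", residualCopies(demo, "user-123"));
console.log("after purge:", purge(demo, "user-123"));
```

The useful output is the report: a deletion request can only be called complete when the verification read finds nothing, and any store outside the operator's control shows up as residual rather than being silently ignored.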
kjkjadksj
Poisoning really? All the risks are pretty sci fi. It’s pretty easy otoh to harm someone without bothering analyzing the snp data if that is your intention.
tonymet
ricin and polonium-210 have many documented cases, likely 10000+ undocumented. It's only scifi until years later when it becomes declassified
YooLi
This feels as hopeless as trying to keep your email/contacts from social media sites. Even if you are vigilant about never allowing an app/service to download your contacts, your friends will share theirs and it is trivial to recreate your contact list. If I keep my DNA from these companies, my relatives will share theirs and they basically have my DNA.
CharlesW
> This feels as hopeless as trying to keep your email/contacts from social media sites.
The cynic in me agrees, but the process was quick and easy, and I know I'm not safer by not deleting my information from 23andMe. I recommend it.
brian-armstrong
The distinction isn't super important, but 23andMe doesn't have your whole genome, just some specific locations from it. Roughly 750k base pairs or so.
https://www.quora.com/How-much-of-the-genome-does-23andMe-se...
echelon
Enough to be denied insurance, have job offers rescinded, or be targeted by scams.
And they don't even have to have your DNA. Just a close enough relative will do.
a2dam
The Genetic Information Nondiscrimination Act makes it illegal to adjust health (but not life) insurance premiums or discriminate for employment based on genetic information. Couples who do genetic testing before having kids have the same protections and they're very effective.
robwwilliams
To the best of my knowledge use of genetic data is illegal in the USA and several other countries. It has been operationally banned (self-imposed) by the life insurance industries in the UK and Australia. This was a hot topic in the late 1990s. Here we are 25 years later with few if any known abuses by the life insurance industry. They have MUCH bigger fish to fry: Do you smoke? What is your income, age, and sex, and perhaps your blood pressure and blood chemistry. Each of those is worth 10X your genotype.
(I study actuarial genetics in the UM-HET3 mice and do quite a bit of human genetics related to aging. See this PMID: https://pubmed.ncbi.nlm.nih.gov/36173858/ )
echelon
Companies do illegal things all the time.
And let me flip this situation: are there any laws that prevent advertisers from looking at genetic data to target cohorts? If I were an unethical advertiser, I'd want to advertise to customers with less risk aversion, higher neuroticism, higher sense of FOMO. You could do some truly sickening stuff. Target higher mortality groups, certain personality types, cross reference with familial mortality data and have a field day...
There are untold ways this could be abused that I'm almost certain the law doesn't fully protect against.
echoangle
> have job offers rescinded, or be targeted by scams
Can you expand on this?
I understand the insurance thing due to genetic diseases and so on, but which jobs would I be denied for based on genetic information which wouldn’t be checked anyways?
I can only come up with stuff like colorblindness but that would probably be checked anyways if it were a strict requirement for the job so keeping the DNA secret wouldn’t help.
And what’s the scam angle when the DNA is known?
progmetaldev
I see most comments concentrated on employment. For a scam, think of someone that has been told they have a specific genetic disease, and that information is available in their DNA "data". As a scammer, I can start to send you information about alternative health treatments specific to your disease, that have no scientific backing to them. Since I'm a scammer, I can write anything I want to, like stating that the information is backed by FDA approval and even put statements like that in the fine print to build up my credibility. You could also try and sell fake services that wipe your released DNA information from databases online. There's a lot of potential for scams if you can link what people think is private (DNA), and their email/personal information.
When I was younger, I read a lot of ethics course material, and spent a lot of time thinking about how someone could get around existing laws or technology, and most of it boils down to most people believing what they're told with a bit of coaxing (building that credibility; social engineering). Luckily, I never went ahead using this information, and have actually turned down projects where my morals were put into question, but I think it prepared me to be more conscious of scams and shady advertising. I work for a digital advertising agency, and use an adblocker during my development work so I can see how a site is useful or mostly worthless when someone turns ad networks/tracking off. One of the benefits of working for a smaller company.
analog31
>>> And what’s the scam angle when the DNA is known?
A person with apparent authority, telling people something about themselves, that they believed to be hidden, is a tactic for gaining psychological control. A strong-minded person should be able to withstand it under normal circumstances, but we're not all strong-minded under all circumstances. Hence the power of things like personality tests, police interrogations, and so forth.
echelon
This would be wholly illegal, but companies could screen candidates prior to extending offers to them. After they get your primary details and history, they can look you up in the gene database. They could look for a whole host of genetic markers, including but not limited to:
- Markers like ADHD and other neurodivergence and performance signals
- Disease likelihoods to reduce their insurance burden. Cardiovascular, cancer, neurodegeneration, etc.
- Markers for intelligence and tenacity. Personality type. Conversely, dishonesty, neuroticism, etc.
They could screen for literally any hypothetical condition that could in theory impact performance, risk, cost, etc. By excluding candidates with "low genetic scores", they might think they're saving margin.
There is a ton of literature beyond what 23andMe is legally allowed to report on with respect to the SNP data they collect. These studies report on a wide range of phenotypical states and behaviors that could impact job performance. The stack of research is deep.
> And what’s the scam angle when the DNA is known?
Look for any markers that indicate IQ, agreeableness, neurodegeneration, schizophrenia, personality type, etc. It gives scammers a hypothetically better hit rate.
And again, they don't need your DNA to do this. Just a relative's.
linsomniac
Question: How are they going to link the DNA to people?
Some will be easier than others, sure. I'm trying to decide how "safe" my data is, since I created a single-use gmail account, with fictitious name, and paid for it with a gift card. I was afraid that some information in there might lead to being uninsurable, so I decided to row away from the rocks. Thankfully, my genetics didn't pop up any red flags, knock on wood.
I guess if you signed up using your normal e-mail address and your real name and used your credit card, you can still take the Shaggy defense ("It wasn't me"), but I suppose at that point they could ask you to prove it. I mean, most businesses aren't obligated to do business with you, for any or no reason at all.
beaugunderson
Genetic data like what 23andMe has is enough to guess at your surname, provided any of your relatives have signed up.
See Latanya Sweeney's work for more information: https://latanyasweeney.org/work/genomic.html
rendang
In what country would it be legal to deny someone insurance based on their genes? Has such a thing happened before?
consumer451
> Enough to be denied insurance...
Not just you, but your children who never had anything to do with 23andMe as well!
robwwilliams
First, last time I checked this was illegal in the USA (2 years ago) even for life insurance.
Second, no these data are not (yet) very informative for the subject, let alone for relatives, with the exception of monozygotic twins.
randomNumber7
Hello, I was sent back from the future to tell you there is already a backup.
ineedasername
Hey—when you get back, tell me it worked. That the branch held. That it’s stable. I’ll merge it all with a pull after that.
It’s not true—not yet—but once you say it, it will be.
Just… don’t mention that part. Not until after the first.
goykasi
Are we related? Are you me?
drdaeman
Note that despite any requests the genetic data and some personal information (DOB and sex) probably won't be deleted, at least because of CLIA requirements: https://news.ycombinator.com/item?id=41781879 (more details in https://bourniquelaw.com/2024/10/09/data-23-and-me/, linked from the thread there)
nelox
23andMe does not operate as a laboratory itself but contracts with U.S.-based labs that are certified under CLIA and accredited by the College of American Pathologists (CAP). According to their website, all saliva samples are processed in CLIA-certified and CAP-accredited labs, ensuring compliance with federal standards for accuracy and reliability. This certification is crucial, as it aligns with FDA requirements for certain health-related genetic tests. This distinction is significant, as CLIA primarily regulates labs, not the companies that contract them, potentially affecting the applicability of retention requirements to 23andMe’s broader operations.
CLIA’s record retention requirements, as per Section 493.1105, state that labs must retain test requisitions, authorizations, and reports for at least 2 years, with longer periods for specific tests like pathology (10 years for slides).
CLIA Laboratory Record Retention Requirements:
- Test requisitions and authorizations: 2 years minimum.
- Test reports: 2 years minimum, 10 years for pathology reports.
- Cytology slide preparations: 5 years.
- Histopathology slides: 10 years.
- Pathology specimen blocks: 2 years.
- Tissue: Until diagnosis is made.
Notably, these requirements focus on test-related records, such as requisitions (which may include patient details like date of birth and sex) and reports (which for genetic tests would include interpreted results). However, there is no explicit mention of retaining raw genetic data, such as the full genotype data, in the CLIA regulations. This raises questions about whether 23andMe’s assertion to retain raw genetic information is strictly required by CLIA or if it extends beyond the regulation for other reasons, such as research or quality control.
CharlesW
Here's a great post by a lawyer, linked to further down in that thread: https://bourniquelaw.com/2024/10/09/data-23-and-me/ It suggests a way to challenge them on their assertions that they must keep your data and samples.
bpodgursky
I'm sorry but this lawyer has absolutely no idea what he is talking about with regards to CLIA compliance. And he even admits as much, but keeps talking anyway.
CharlesW
CLIA is one of the excuses 23andMe uses to explain why they retain your genetic information, date of birth, and sex. The author cites the code sections he believes 23andMe are referencing to make this claim, then explains why he believes it doesn't apply. As a CLIA expert, do you mind explaining what he's getting wrong for our benefit?
biker142541
I've been a broken record about the implications of sending DNA to a corporation for 20 years... it's hard not to have seen this coming.
rglover
The data has already been sold off to the real customers (i.e., not you and me) [1]. You can (and should) request a deletion, but the damage has already been done.
[1] https://gizmodo.com/23andme-is-selling-your-data-but-not-how...
dahinds
This is false, we've sold data with PII to no one. Or it is misleading: the page you linked to even says, "It is selling de-identified, aggregate data for research, if you give them consent."
EA-3167
To what extent and using what method is it "de-identified"? Plenty of such schemes are very easy to circumvent, especially with a large enough pool of data. Given the nature of genetics in particular positively identifying a single case can be used to unmask whole families. In particular depending on the anonymization this would be a task suited to 'AI' very well.
dekhn
https://www.23andme.com/about/individual-data-consent
Basically, if you imagine this as a table of "user's name, date of birth, and address" keys mapping to genomic and other data, the key was replaced with a random identifier that could not be trivially joined to recover the user name, date of birth, and address.
These systems are not robust against motivated and capitalized adversaries.
dahinds
Here "de-identified" means stripped of PII (name, address, phone number, email, etc). You are correct that genetic information is intrinsically identifiABLE (in the sense that it is stable and uniquely distinguishing for individuals). When we've shared individual-level data with a partner, it was with consent of the participants involved, and under a contract that prohibits re-identification.
dekhn
Providing another company access to deidentified data is "selling your data", to argue otherwise is just semantics.
Note that selling deidentified data (genomic, health, etc) is common in the industry already and 23&Me is hardly unique in this respect.
dahinds
I would not argue with you on that it is "selling your data". But I also think there are meaningful differences in harm levels for different kinds of "selling your data", and fully identified data has more potential harms than de-identified data where you have to assume that an adversary is willing to violate contracts and/or the law to learn about particular individuals.
There is considerable confusion about the distinction between aggregated data and de-identified individual-level data. I would say that I don't consider sufficiently aggregated data to be "your data" in a particularly meaningful personal sense of "your", even though there are still some re-identification risks from these types of datasets.
I was contesting the statement that "The data has already been sold... [and] the damage is already done" which I still think is highly misleading.
ziddoap
>It is selling de-identified, aggregate data
Just a note that re-identifying aggregate data is a whole field of study that is decently successful.
dahinds
Indeed, but here "re-identification" generally means the sort of attack where you have an aggregated genomic dataset, and you already have access to full genomic data for a target individual, and you use the genomic dataset to infer something about that target that you didn't know, like whether or not they participated in that study. Not to entirely minimize this sort of attack, but the NIH decided it was a sufficiently low risk that most of the sorts of datasets it applies to (like GWAS) are routinely shared with no access controls.
robwwilliams
“In principle”, but in 20 years do we have any cautionary tales? I don’t, and I follow this area somewhat. Homomorphic encryption is pretty hard to crack.
ezfe
There are clearly labeled consent options in the settings page. They are all off for me.
partiallypro
I know I'm in the vast minority here, but I honestly don't really care what is done with my DNA data as long as it's not used against me for healthcare & insurance purposes (which I believe is already illegal.) If someone wants to use it to make new drugs, research, etc, I just don't care.
lurkersince2013
Am sure there’s a very real possibility that some shady data brokers will ultimately gain access to the treasure trove of data before long - and am sure that in our capitalistic world healthcare and insurance companies would happily pay for access.
simplyinfinity
In the USA. In Europe and such, I'm not saying it's zero chance, but it's extremely unlikely. As Europeans don't rely on insurance for healthcare, but we use government for that :) (the exception being, if you want private insurance if your government provided one isn't enough)
robwwilliams
Not to mention it is illegal and not even an illegal money maker.
nickjj
I never made an account there or uploaded anything DNA related but what happens if a relative did? Is there the concept of a "ghost" account that gets filled in for people who didn't sign up yet but is likely related? Can this be deleted without making an account?
scottyah
Yeah, they teamed up with the Mormons mapping out the entire human family tree and have been able to predict every possible child DNA sequence in order to eventually create Paul Atreides.
(as for your question, I have no idea)
Boogie_Man
Me trying to sequence ppls genomes in my basement doesn't seem so bad now.
ashoeafoot
Oh, the scams I have to show you, such sights to behold:
"Dear Sir, Madam
while reading a recently acquired db, I came across your brother in law who has disease xy. Now, me being a decent person, I kept things quiet for now. No need to rattle potential love interests, your children or the community with news about this genetic curse. If you want this silence to last, just subscribe by donating 0.01 bitcoin per year to the Mammal & Animal Foundation for Integrity Agency."
This right here is the Chernobyl of privacy.
To be honest, this is more like "requesting the data to be deleted". There's nothing that guarantees that the personal information will be physically wiped out of the hard drives used to store them.