I've been dealing with their support trying to delete my data. Here's the latest response [1]. The way I read it, they won't delete your genetic data, and it sure seems personally identifiable to me. Am I reading this wrong?

    [1] This is a follow-up from the 23andMe Team. Your 
    inquiry has been escalated to me for review. To clarify, 
    once you confirm your request to delete your account, we 
    will delete your data from our systems within 30 days, 
    unless we are required by law or regulation to 
    maintain data for a given timeframe.

    For example, your Genetic Information, date of birth, and     
    sex will be retained by 23andMe and our third party     
    genotyping laboratory as required for compliance with     
    applicable legal obligations, including the U.S. Federal     
    Clinical Laboratory Improvement Amendments of 1988 
    (CLIA), California Business and Professional Code 
    Section 1265, and College of American Pathologists 
    accreditation requirements.

    It is important to understand that the information stored     
    is distinct from the raw genotype data available within 
    your account. The raw data we receive from the lab 
    has not been processed by our interpretation software 
    to produce your individual-level genotype data (in 
    your account).

    You can read more about our retention requirements in the 
    retention of personal information section of our Privacy     
    Statement.

I’m in a weird spot with 23andMe - when I signed up, I used a fake name as a fig leaf in case they decided to sell to insurance or whatever. Since then, several members of my immediate family have all signed up, so “the child of X and the sibling of Y” means that fig leaf is pretty useless now - except I can’t issue an actual CCPA now, because fake name.

All of this is super predictable, but I wasn’t nearly cynical enough 15 years ago when I mailed my spit to them.

I lied about my birth date and apparently there's no way to delete your data without the fake date or a photo ID... with the fake birth date...

sigh

Glad I never did any of these tests, I refuse to use biometrics in my own iPhone let alone sending my whole DNA to some company.

I used to work at 23andMe, AMA

Previous: https://news.ycombinator.com/item?id=41575685

They might delete it from their database, but it doesn't change the fact that it's been sold and shared in a way we can't also follow up and remove that information. There's no transparency. It not only implicates you, but your relations and future generations.

Genetic testing done through the hospital for a completely unrelated procedure can impact your life insurance. ( Example genetic testing for a child) Minnesota State Law prevents health insurance from changing. Laws need to protect right to know, not just right to use genetic information.

I tried to download my raw data recently and it took days. Seems like a lot of customers are trying to download it and cancel after the turmoil. I think 23andme has always been held hostage by its scientists who have stopped it from offering a lot of entertaining information about health related studies that are not considered methodologically sound enough to constitute health advice. Why not just add a "speculative or insufficiently replicated / peer-reviewed" section and let us have fun with our data!

I feel like that ship has sailed. Every software company I have ever worked for is dysfunctional in this regard. You might think your "delete my data" request succeeded but there is absolutely zero way to guarantee that it actually did, and chances are it didn't.

I moved my DNA data from 23andMe to Genomelink ~5 years ago. Sort of saw it coming.

One instance where I am disappointed to be vindicated.

Considered doing 23andMe at the hype peak, discovered they had avoided HIPAA requirements, read through their privacy policy, and marked them off the possibility list.

It was pretty clear the delta between sequencing costs and price they were charging consumers equaled how much they thought they could make from your genetic information.

And because they don't fall under HIPAA, your data is theirs after they get it.

PS: Sequencing costs were also falling rapidly, so it isn't that expensive to get it done.

The (consumer) company I used to work for also allowed their customers to "delete" their data. Deletion was implemented as a boolean filed in the database "deleted - true/false'. We called it "soft deletion". And why was it implemented like this? It's because actually deleting data is hard. There is no single database and the data is distributed across many servers. It's also backed up in different places. Running the delete operation can be extremely costly and can also create service interruptions and data integrity issues. I think there was a script that was supposed to actually delete the entries but it was not run very often and was there for legal and compliance issues.

Just remember that when you request to delete some data on the internet, it doesn't actually get deleted (right away anyway). The best way to deal with this is not to give random sites your real information in the first place. However, that can be difficult or impossible when dealing with government, financial institutions or shopping sites.

Edit: And just to address questions below, the actual delete script was not run daily. I don't know how often it was run (I was not an SRE) but I presume it was run at least once a month. I have no idea how other companies do this.

I don't think I have ever seen a correctly implemented data deletion request system that worked well with the company's backups. If it's backed up, it's likely not getting deleted.

Note that even if they delete the data, if you have close relatives that submitted their samples a company can still infer quite a lot from that.

Don't know why you'd bother. I, and my friends, and soon my family are in All of Us. We'll be in every genomics dataset you want.

As a California company the data is subject to the CCPA. You can download your data but more importantly you can request they delete it. I highly recommend that everyone do so.

I can think of no more sensitive biometric data than your dna.

Honestly it doesn't even matter. There is no proof the DNA is yours because they do no validation of users identity.

When you ask a company to delete your data, you're actually asking them to pretend they deleted it by making it invisible to you. There's too much $$$ sloshing around for them to behave ethically.

inb4 Blackrock lol

I still find it astonishing anyone would be so careless of their own and close blood relatives' privacy to hand over their genetic material to a private company. What were you thinking. You can't undo that and you can't change your DNA ever. You have no idea where it ends up any time -- and that "any time" covers your life time and your close blood relatives entire lifetime too. These companies should have never been able to get a single customer but I guess.

And here we are 18 years later and some people still think they can delete this. What else do you believe in? The tooth fairy? Santa Claus? Come on.

Also what have you thought they can tell you? An archaeogenetics teacher described this belief as "they think we throw a bone in the machine which tells us it was half hun, half avar, half bear and spoke slavic".

Y'all surrendered an intrinsic part of the privacy of your, your sister, your brother, even your unborn children for snake oil -- and paid for the privilege. I can't even.

commence the downvotes but you can't put the toothpaste back once it's been squeezed out.

What, you mean sending your DNA to a random startup to have them analyze it for you was a BAD idea? #surprisedpikachu