Welcome to Opt Out, a semi-regular column in which we help you navigate your online privacy and show you how to say no to surveillance. The last column covered how to stop tech companies spying on your phone as Trump promises mass deportations.
The DNA testing company 23andMe has filed for bankruptcy after months of concern over its financial health and its ability to keep users’ genetic information secure. In light of the uncertainty looming over the company’s future, you should do one thing to protect your privacy today: delete your 23andMe account.
If you have used the service to discover your ancestry via your DNA, the extremely sensitive information you shared with 23andMe may transfer to the company’s eventual buyer. While 23andMe has a host of privacy controls that now allows users opt out of sharing their data with scientific researchers or requires the company delete their samples, that could change under a new owner.
Generally, privacy and civil liberties experts do not recommend using ancestry and DNA testing services. There are few federal privacy regulations that limit how companies can use your information in the US – even your genetic data. How a private company maintains, stores and shares your data is left up to the whims of the people running it. Privacy policies change often and so do executive suites. Not only is your data vulnerable to hacks, it can also be used for various commercial products and shared with law enforcement.
23andMe has insisted that any new owner would have to comply with existing laws around the sale and use of consumer genetic data, but the reality in the US is that only a handful of states legally protect this type of personal information. In California, where this kind of privacy protection does exist, the attorney general, Rob Bonta, has issued an urgent “consumer alert” encouraging Californians to delete their 23andMe data.
“California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,” said Bonta. “Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.”
There’s good reason for concern. 23andMe suffered a massive hack affecting some 7 million users in 2023. The hackers first revealed they gained access to the information when they attempted to sell what they claimed was the data of 1 million users of Ashkenazi Jewish descent and 100,000 users of Chinese descent on a popular hacking forum. In addition to a class-action lawsuit alleging the company failed to notify users of the data breach in a timely manner, the company said it was facing more than 50 other lawsuits in the wake of the hack. Its problems are international, too: the UK information commissioner’s office issued a notice of intent to fine the company £4.59m earlier this month.
If you are one of 15 mllion people who have already handed over your DNA to 23andMe, what can you do to protect your data?
How to delete your 23andMe account
The main thing you should do to protect your genetic privacy: delete your account.
There’s a big caveat: the company says it will have to retain some information in its archives even if you delete your account. “23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations … even if you chose to delete your account,” the company’s privacy policy reads.
If you’re reading this and you are trying to decide if you want to do a DNA test with one of these private companies, take the above caveat as a big reason not to. It’s possible, depending on what state you’re in, your data will never be completely erased.
That said, it is still worth making the effort to delete your account and all the data in it. Here’s how you do it: Log in, go to settings, and scroll to “23andMe Data”. Click “view” and then scroll to “delete data”. Click “permanently delete data”. You will receive an email from the company to confirm your request. (Check your spam folder.) If you don’t confirm it via the link provided to you in the email, it will not complete your request.
The company says that, once your account is deleted, you “will automatically opt you out of Research and discard your sample”.
after newsletter promotion
If you don’t delete your account, opt out of sharing your data
If you want to keep your 23andMe account, the next best thing is have the company discard your sample, stop sharing your information and remove you from any future research studies. You can also do this from your settings.
To stop sharing any reports resulting from your DNA test, scroll down to “Privacy/Sharing” and click “edit”. From there you should be able to adjust the sharing settings on your reports.
To ask the company to discard your DNA sample, go back to your settings and scroll down to “preferences”, click “edit” and opt out of sharing your sample with the company. The company will discard your sample.
To stop the company from sharing your DNA with future research projects, go back to settings, scroll down to “research and product consents” and edit the permissions.
These changes are not retroactive. Withdrawing consent to use your DNA in studies will only stop your data from being used in new research and can take up to 30 days.
If you have any specific questions about your account information, you can also email [email protected].
