I've been dealing with their support trying to delete my data. Here's the latest response [1]. The way I read it, they won't delete your genetic data, and it sure seems personally identifiable to me. Am I reading this wrong?
[1] This is a follow-up from the 23andMe Team. Your inquiry has been escalated to me for review. To clarify, once you confirm your request to delete your account, we will delete your data from our systems within 30 days, unless we are required by law or regulation to maintain data for a given timeframe.
For example, your Genetic Information, date of birth, and sex will be retained by 23andMe and our third party genotyping laboratory as required for compliance with applicable legal obligations, including the U.S. Federal Clinical Laboratory Improvement Amendments of 1988 (CLIA), California Business and Professional Code Section 1265, and College of American Pathologists accreditation requirements.
It is important to understand that the information stored is distinct from the raw genotype data available within your account. The raw data we receive from the lab has not been processed by our interpretation software to produce your individual-level genotype data (in your account).
You can read more about our retention requirements in the retention of personal information section of our Privacy Statement.
As I get it, it's a federal requirement for a lab to keep genetic data for a while with no way for the specimen to do anything about it.
So, it's a CDC thing, not exactly 23AndMe's fault. Save for the fact that 23AndMe advertised it's easy to delete data on their front page, but with the small print somewhere out there that you can't really delete the actual data. To be entirely fair, it was there somewhere (I think in their help center in some article about data deletion process) when I went to check out their privacy policies - because that's how I learned about it and reconsidered buying a test, but I guess most people don't read the small print until the deed is done.
My understanding is that they will delete your data on their side (leaving only a few things like payment receipts), but the lab won't because they legally can't.
I got an identical email, after asking numerous times for them to tell me when all information will be deleted, i.e. when do the compliance requirements expire for my specific account?
They certainly don't seem interested in answering this question, no matter how many ways I phrase it. So much for "you are in control of your data", I guess it was all BS as some people predicted.
"The law requires medical laboratories to retain some testing data and materials for various lengths of time, often 2 years, but as long as 10 years for some kinds of test."
My personal experience: I also failed the birth date test, even with my usual fake birth date. I also refused to provide a copy of my ID. They escalated my request and agreed to delete it anyway. All my samples and data are more than 10 years old, so they have no legal obligation to retain anything, which I pointed out to them in my confirmation.
I'm hoping they delete it but don't have the resources to do anything more than hope.
I’m in a weird spot with 23andMe - when I signed up, I used a fake name as a fig leaf in case they decided to sell to insurance or whatever. Since then, several members of my immediate family have all signed up, so “the child of X and the sibling of Y” means that fig leaf is pretty useless now - except I can’t issue an actual CCPA now, because fake name.
All of this is super predictable, but I wasn’t nearly cynical enough 15 years ago when I mailed my spit to them.
Have you tried emailing them a bit? It is worth a shot I think: you made a typo (people make them all the time), but you don’t really need to fully authenticate, because you are just making a deletion request anyway (not trying to access the data).
(Also keep in mind, customer service people have to argue with assholes all day long, staying polite but clear but on-target can go a long way. Stick to the topic and never give them an excuse to cut off communication).
They might delete it from their database, but it doesn't change the fact that it's been sold and shared in a way we can't also follow up and remove that information. There's no transparency. It not only implicates you, but your relations and future generations.
Genetic testing done through the hospital for a completely unrelated procedure can impact your life insurance. (Example: genetic testing for a child.) Minnesota State Law prevents health insurance from changing. Laws need to protect right to know, not just right to use genetic information.
I tried to download my raw data recently and it took days. Seems like a lot of customers are trying to download it and cancel after the turmoil. I think 23andme has always been held hostage by its scientists who have stopped it from offering a lot of entertaining information about health related studies that are not considered methodologically sound enough to constitute health advice. Why not just add a "speculative or insufficiently replicated / peer-reviewed" section and let us have fun with our data!
I tell ya, it's a great party conversation that begins with "Hey, I'm a Libra, 3% Neanderthal, and I share a haplogroup with Genghis Khan! Let's go out for some tacos with extra cilantro, and a dark chocolate churro!"
Isn't it because there aren't ways around US laws regarding giving medical advice? That's my understanding why the places that do it are outside the US.
Your iPhone doesn't even really store your biometric information, it stores mathematical models that can be used to check whether the fingerprint (Touch ID) or face (Face ID) matches the person who enrolled on the device (you).
And that mathematical information is only stored in the Secure Enclave, which means even if the entire Operating System (iOS) is hacked, the attacker still would not have access to your biometric information.
As a California company the data is subject to the CCPA. You can download your data but more importantly you can request they delete it.
I highly recommend that everyone do so.
I can think of no more sensitive biometric data than your DNA.
> I can think of no more sensitive biometric data than your DNA.
I dunno, is that actually true? You leave DNA everywhere don't you? If someone really wanted tombert's DNA, they'd just have to follow me onto the train and swab the pole I'm grabbing, or grab the cup I was sipping on at McDonald's, or any number of things that could lead to a number of cells containing my DNA in a state that could be collected being dropped.
I feel like that ship has sailed. Every software company I have ever worked for is dysfunctional in this regard. You might think your "delete my data" request succeeded but there is absolutely zero way to guarantee that it actually did, and chances are it didn't.
Agree, this is pointless. For one thing, how many companies have the technical ability to remove specific records from all their database backups and logs? None that I’ve worked at.
Exactly this. Especially for a currently failing company that got an incentive to NOT delete your data (because that's the only value they still have).
100% this. It's laughable if you believe those requests work as expected. Sure they may "delete" some surface level bs like your account or login, but there is no way it's 100% scrubbed in the way it's supposed to work.
One instance where I am disappointed to be vindicated.
Considered doing 23andMe at the hype peak, discovered they had avoided HIPAA requirements, read through their privacy policy, and marked them off the possibility list.
It was pretty clear the delta between sequencing costs and price they were charging consumers equaled how much they thought they could make from your genetic information.
And because they don't fall under HIPAA, your data is theirs after they get it.
PS: Sequencing costs were also falling rapidly, so it isn't that expensive to get it done.
People are convicted all the time without any "proof" of guilt. It all goes to "beyond a reasonable doubt" and with enough circumstantial evidence, that "beyond" can be achieved.
The (consumer) company I used to work for also allowed their customers to "delete" their data. Deletion was implemented as a boolean field in the database, "deleted - true/false". We called it "soft deletion". And why was it implemented like this? It's because actually deleting data is hard. There is no single database and the data is distributed across many servers. It's also backed up in different places. Running the delete operation can be extremely costly and can also create service interruptions and data integrity issues. I think there was a script that was supposed to actually delete the entries but it was not run very often and was there for legal and compliance issues.
Just remember that when you request to delete some data on the internet, it doesn't actually get deleted (right away anyway). The best way to deal with this is not to give random sites your real information in the first place. However, that can be difficult or impossible when dealing with government, financial institutions or shopping sites.
Edit: And just to address questions below, the actual delete script was not run daily. I don't know how often it was run (I was not an SRE) but I presume it was run at least once a month. I have no idea how other companies do this.
Many businesses would still use soft-deletion even if distributed data wasn't an issue. The company I work for has soft-deletion enabled because they want to be able to help customers who accidentally delete something. I wish we would just tell them "better luck next time", but obviously management will never say that.
What annoys me more is how many companies give next to no insight into or control over data retention. It should be unambiguous how soon or often our data gets hard-deleted, if ever.
Heh, I once worked for a company that had an "is_deleted2" field .. it indicated record was "hard" deleted and not accessible anymore via usual means!!
When you ask a company to delete your data, you're actually asking them to pretend they deleted it by making it invisible to you. There's too much $$$ sloshing around for them to behave ethically.
I don't think I have ever seen a correctly implemented data deletion request system that worked well with the company's backups. If it's backed up, it's likely not getting deleted.
I still find it astonishing anyone would be so careless of their own and close blood relatives' privacy to hand over their genetic material to a private company. What were you thinking? You can't undo that and you can't change your DNA ever. You have no idea where it ends up any time -- and that "any time" covers your life time and your close blood relatives' entire lifetime too. These companies should have never been able to get a single customer but I guess.
And here we are 18 years later and some people still think they can delete this. What else do you believe in? The tooth fairy? Santa Claus? Come on.
Also what have you thought they can tell you? An archaeogenetics teacher described this belief as "they think we throw a bone in the machine which tells us it was half Hun, half Avar, half bear and spoke Slavic".
Y'all surrendered an intrinsic part of the privacy of your, your sister, your brother, even your unborn children for snake oil -- and paid for the privilege. I can't even.
commence the downvotes but you can't put the toothpaste back once it's been squeezed out.
As a twin I've always been extra cautious about this kind of stuff. I don't think I have a right to give people my twin's biometric data. I even refrain from posting images of myself publicly---there are at most two pictures of me from the past five years floating around the internet. It astounds me how reckless others are with their relatives' private information.
[+] [-] carimura|1 year ago|reply
[+] [-] drdaeman|1 year ago|reply
[+] [-] mikrl|1 year ago|reply
Quite possibly the most terrifying thing I’ve read recently.
[+] [-] cypherpunks01|1 year ago|reply
[+] [-] vaurora|1 year ago|reply
https://bourniquelaw.com/2024/10/09/data-23-and-me/
Most relevant bit:
"The law requires medical laboratories to retain some testing data and materials for various lengths of time, often 2 years, but as long as 10 years for some kinds of test."
[+] [-] csl|1 year ago|reply
[+] [-] 10u152|1 year ago|reply
[+] [-] roughly|1 year ago|reply
[+] [-] filchermcurr|1 year ago|reply
sigh
[+] [-] bee_rider|1 year ago|reply
[+] [-] j-bos|1 year ago|reply
[+] [-] FloatArtifact|1 year ago|reply
[+] [-] marcell|1 year ago|reply
Previous: https://news.ycombinator.com/item?id=41575685
[+] [-] resters|1 year ago|reply
[+] [-] AStonesThrow|1 year ago|reply
[+] [-] _DeadFred_|1 year ago|reply
[+] [-] tamimio|1 year ago|reply
[+] [-] jesseendahl|1 year ago|reply
You should read this page. It goes into great detail about how much security there is around Touch ID and Face ID: https://support.apple.com/guide/security/face-id-and-touch-i...
[+] [-] yoavm|1 year ago|reply
[+] [-] more_corn|1 year ago|reply
[+] [-] tombert|1 year ago|reply
[+] [-] whalesalad|1 year ago|reply
[+] [-] davedx|1 year ago|reply
[+] [-] jakjak123|1 year ago|reply
[+] [-] goalonetwo|1 year ago|reply
[+] [-] sfjailbird|1 year ago|reply
[+] [-] Yhippa|1 year ago|reply
[+] [-] ethbr1|1 year ago|reply
But don't the GDPR and CCPA et al. create liability around failure-to-delete after receiving a request?
[+] [-] bluetidepro|1 year ago|reply
[+] [-] renewiltord|1 year ago|reply
[+] [-] ethbr1|1 year ago|reply
[+] [-] outworlder|1 year ago|reply
[+] [-] kulesh|1 year ago|reply
[+] [-] iwontberude|1 year ago|reply
[+] [-] bdamm|1 year ago|reply
[+] [-] SoftTalker|1 year ago|reply
[+] [-] Jerry2|1 year ago|reply
[+] [-] adrianmsmith|1 year ago|reply
Sounds like the laws worked in this case. They required data to be actually deleted, and it was due to those laws, and only due to those laws.
[+] [-] ravenstine|1 year ago|reply
[+] [-] zapkyeskrill|1 year ago|reply
[+] [-] lm28469|1 year ago|reply
If anything gdpr made painfully obvious how sloppy some devs/companies are
[+] [-] williamdclt|1 year ago|reply
[+] [-] CatWChainsaw|1 year ago|reply
[+] [-] kanzure|1 year ago|reply
[+] [-] outworlder|1 year ago|reply
[+] [-] chx|1 year ago|reply
[+] [-] programjames|1 year ago|reply
[+] [-] unknown|1 year ago|reply
[deleted]
[+] [-] artursapek|1 year ago|reply