Over the past few days, there has suddenly been some panic in the press surrounding 23andMe’s DNA ancestry and inherited traits service. Some media outlets have suggested that you should delete your data and your 23andMe account.
What’s really going on, and should you be concerned? Let’s break it down.
The genetics-based heredity and health company 23andMe suffered a series of data leaks in late 2023 that exposed millions of customer records. At the time, 23andMe essentially blamed users for the data breach. People whose data was exposed had allegedly reused passwords across multiple sites and had not enabled two-factor authentication; either that, or they were related to someone with weak account security—no fault of their own.
That data breach led to a costly lawsuit. Naturally, investors worried about 23andMe’s profitability and customer retention. Adding insult to injury, the board of directors resigned last month, citing disagreements with the CEO.
Those who are particularly concerned about all this have begun to wonder whether it might be prudent to delete their 23andMe account prior to any potential acquisition of the company—which could lead to further sharing of sensitive genetic and personal data.
23andMe says in its privacy policy that when you delete your account, they “automatically opt you out of Research and discard your [DNA] sample.” However, the company has two paragraphs detailing how it will retain other data (emphases added):
We retain Personal Information for as long as necessary to provide the Services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different services, actual retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the data, the availability of automated controls that enable users to delete data, and our legal or contractual obligations.
23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations, including the federal Clinical Laboratory Improvement Amendments of 1988 (CLIA), California Business and Professions Code Section 1265 and College of American Pathologists (CAP) accreditation requirements, even if you chose to delete your account. 23andMe will also retain limited information related to your account and data deletion request, including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements for a limited period of time as required by law, contractual obligations, and/or as necessary for the establishment, exercise or defense of legal claims and for audit and compliance purposes.
Essentially, the company (or any future owner, if 23andMe gets acquired) reserves the right to retain your personal information for whatever it deems “legitimate business purposes.” And both 23andMe and its contracted lab will continue to hold onto your genetic information, birthdate, and sex, even after you delete your account. They’ll also continue to store your e-mail address for as long as they see fit.
That may not exactly be comforting, if you’re trying to completely cut ties with the company. But that’s what you agreed to when you created your account and sent in your DNA sample.
Of course, you don’t necessarily need to buy into the hype or delete your account and associated data.
For now, 23andMe hasn’t announced plans to shut down operations or sell off its data to another party. It’s possible that neither will happen in the foreseeable future.
If you find the service valuable for finding DNA relatives, conducting genealogical or family history research, or learning more about what your genes say about your health predispositions, then 23andMe will continue to provide those services to you. Nothing has changed, and you don’t need to take any action.
If you do decide to delete your account, here are the steps to do so. Note that the steps might be a little different, depending on whether you’re using the 23andMe app or the account settings page.
Again, this is entirely optional, and a personal decision you’ll need to make for yourself. 23andMe hasn’t announced any changes, so if you enjoy using the service, you can continue to do so. Just ensure that you’re using a strong and unique password.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels:
Photo credit: 23andMe DNA Test Kit by Mike Mozart (CC BY 2.0).