By Joshua Long
Over the past few days, there has suddenly been some panic in the press surrounding 23andMe’s DNA ancestry and inherited traits service. Some media outlets have suggested that you should delete your data and your 23andMe account.
What’s really going on, and should you be concerned? Let’s break it down.
The back story: a data breach, financial woes, and uncertainty
The genetics-based heredity and health company 23andMe suffered a series of data leaks in late 2023 that exposed millions of customer records. At the time, 23andMe essentially blamed users for the data breach. People whose data was exposed had allegedly reused passwords across multiple sites and had not enabled two-factor authentication; either that, or they were related to someone with weak account security, through no fault of their own.
That data breach led to a costly lawsuit. Naturally, investors worried about 23andMe’s profitability and customer retention. Adding insult to injury, the board of directors resigned last month, citing disagreements with the CEO.
Those who are particularly concerned about all this have begun to wonder whether it might be prudent to delete their 23andMe account prior to any potential acquisition of the company—which could lead to further sharing of sensitive genetic and personal data.
Can you actually delete all of your 23andMe data?
Here is what 23andMe’s privacy statement says about how long the company keeps your data:
We retain Personal Information for as long as necessary to provide the Services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different services, actual retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the data, the availability of automated controls that enable users to delete data, and our legal or contractual obligations.
23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations, including the federal Clinical Laboratory Improvement Amendments of 1988 (CLIA), California Business and Professions Code Section 1265 and College of American Pathologists (CAP) accreditation requirements, even if you chose to delete your account. 23andMe will also retain limited information related to your account and data deletion request, including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements for a limited period of time as required by law, contractual obligations, and/or as necessary for the establishment, exercise or defense of legal claims and for audit and compliance purposes.
Essentially, the company (or any future owner, if 23andMe gets acquired) reserves the right to retain your personal information for whatever it deems “legitimate business purposes.” And both 23andMe and its contracted lab will continue to hold onto your genetic information, birthdate, and sex, even after you delete your account. They’ll also continue to store your e-mail address for as long as they see fit.
That may not exactly be comforting, if you’re trying to completely cut ties with the company. But that’s what you agreed to when you created your account and sent in your DNA sample.
Should I delete my 23andMe account?
Of course, you don’t necessarily need to buy into the hype or delete your account and associated data.
For now, 23andMe hasn’t announced plans to shut down operations or sell off its data to another party. It’s possible that neither may happen in the foreseeable future.
If you find the service valuable for finding DNA relatives, conducting genealogical or family history research, or learning more about what your genes say about your health predispositions, then 23andMe will continue to provide those services to you. Nothing has changed, and you don’t need to take any action.
How can I delete my 23andMe account?
If you do decide to delete your account, here are the steps to do so. Note that the steps might be a little different, depending on whether you’re using the 23andMe app or the account settings page.
- Log into your account (if necessary) and go to Settings. (In the mobile app, tap on your face or the icon in the upper-right corner.)
- Scroll down to the section “23andMe Data” and choose “View” (or “Delete your data” in the mobile app).
- When prompted, enter your birthdate (to ostensibly confirm your identity).
- Scroll down and choose “Permanently Delete Data.”
- Check the e-mail associated with your 23andMe account to confirm the data deletion request. After you confirm, you will no longer be able to log into your account.
Again, this is entirely optional, and a personal decision you’ll need to make for yourself. 23andMe hasn’t announced any changes, so if you enjoy using the service, you can continue to do so. Just ensure that you’re using a strong and unique password.
How can I learn more?
You can subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.
Photo credit: 23andMe DNA Test Kit by Mike Mozart (CC BY 2.0).
About Joshua Long
Joshua Long (@theJoshMeister), Intego’s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master’s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh’s articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.