23andMe is struggling, and its CEO Anne Wojcicki has muttered about taking the company private. 23andMe wields DNA data for more than 15 million customers. With the company up for sale, this highly sensitive data is on the brink of changing hands.
23andMe’s privacy policy stipulates, “If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction… We may also disclose Personal Information about you to our corporate affiliates to help operate our services and our affiliates’ services.”
Said otherwise, if 23andMe moves, your DNA data and some personal information may move with it. The DNA data could be used to discern your relatives and ancestry, unearth family secrets, and reveal clues about diseases you have or could be predisposed to. If the data makes its way to certain insurers, they may deny you coverage or charge you more for life, disability, or long-term care insurance because of your genetics. This is some of the most precious data that exists about you; you’re right to be concerned that it’s up for grabs.
If you’re a 23andMe customer, now may be the moment to initiate deletion of your data. Let’s get you up to speed on exactly what information 23andMe collects, and how to get that data wiped.
What data does 23andMe collect?
Most 23andMe customers can imagine what their genomic data looks like (a lot of A’s, C’s, G’s, and T’s). However the company collects a host of data in addition – including your home address, family history, payment details, and private messages and comments you’ve exchanged with the company. In the Permission Slip app, we show a complete list of the data 23andMe collects according to their privacy policy:
How to delete your data from 23andMe
You can initiate deletion of your data from 23andMe via their online portal, or using CR’s Permission Slip app.
If you know your 23andMe login, we recommend initiating deletion directly from the 23andMe online portal since it’s likely to be more expedient. However if you don’t know your 23andMe login, or think 23andMe may have your data even if you were never a direct customer, Permission Slip may be able to help.
Deletion via 23andMe Online Portal
Sign into 23andMe.com and click “Settings,” then scroll down to “23andMe Data” and click on “View.” Now that you’re on the “23andMe Data” page, scroll down to “Delete Data” and then click on the red “Permanently Delete Data” button.
After clicking “Permanently Delete Data” you’ll see the message below, explaining that 23andMe will send you an email asking you to confirm your data deletion.
Open your email to find the confirmation from 23andMe; you may need to check your spam folders to find it. Press the “Permanently Delete All Records” button in the email; try to do it right away since the link expires after 24 hours. Once you confirm, 23andMe will begin the process of deleting your data. Under California state law they have up to 45 days to execute the data deletion so the process may take a while.
Initiate Deletion via the Permission Slip app
Permission Slip is a free app created by Consumer Reports that helps you request deletion of your data, among other things. We’ve submitted many data deletion requests to 23andMe on behalf of our users in the past. Their process is not as straightforward as some of the other companies we support, but going through its paces is a way to amplify your voice and a helpful option for initiating deletion if you don’t have access to your 23andMe account.
Start by downloading Permission Slip, and creating an account if you don’t already have one. From the app’s homepage, tap into the Search bar at the top and search “23andMe,” then tap the arrow to see information about the data 23andMe collects. Scroll to the bottom of the screen, then tap “Delete My Account” and “Submit Request.” You may need to share your email, phone, and address with Permission Slip and go through 2FA on email and phone if you haven’t done so already.
Once your data request has been sent to 23andMe, Permission Slip will reach out to the company on your behalf. Based on what we’ve seen in the past, we expect that 23andMe will respond to us, asking us to loop you in so you can confirm that Permission Slip has authority to act on your behalf. When we do this, we’ll provide sample language in the email to make the process simple.
Once you confirm your intent to delete, 23andMe can proceed with deleting your data. Remember that deletion takes 45 days.
Help keep Permission Slip in the loop
Companies change their processes all the time, especially when major news stories are shining a spotlight on their privacy programs. Any tips you can share on deletion communications from 23andMe will help us better advocate for users like you! Let us know what you’re hearing from 23andMe by reaching out at permissionslip@cr.consumer.org.
Thanks to Houman Saberi for his help researching this post.