Business & Government

Thinking About Deleting Your 23andMe Data? Here’s Why It Matters

If you’re one of the estimated 15 million people who used 23andMe to create a DNA profile, now might be the time to consider deleting your account and data before it is sold as part of the company’s assets. The DNA-testing company announced Sunday it would file for bankruptcy.

Craig Konnoth, a professor at the University of Virginia School of Law, said the privacy of information in customer accounts – including DNA profiles, family connections and genetic health data – depends on the terms of the agreement between the customer and the company.

For 23andMe customers, that contract could change depending on bankruptcy proceedings and whoever purchases the company’s assets.

“The use of customer information is basically governed by whatever the provisions in the privacy and use agreements are that 23andMe contracted with the consumers,” Konnoth said. “If those provisions get broken, it’s unclear that consumers would have any recourse because the company is going bankrupt.”

Konnoth said the U.S. has not established strong federal regulations governing how companies collect and store personal information.

Craig Konnoth is the Martha Lubin Karsh and Bruce A. Karsh Bicentennial Professor of Law at the UVA School of Law. (Contributed photo)

“I think that there are lots of concerns with the way our information is handled and the lack of federal legislation,” he said. “There may be some state law protections, but that depends on which state you’re in. I think going online, going in and deleting the data would be a very good idea.”

Virginia is one of the states that has consumer information protection laws. Virginia’s Consumer Data Protection Act took effect Jan. 1, 2023, giving consumers the right to have inaccuracies corrected, obtain copies of the information a company holds about the customer, and opt out of advertising or profiling based on their information or the sale of their information.

It also allows consumers to require companies to delete personal data, whether the consumer provided it or the company collected it.

Here’s how to delete data on the 23andMe website:

Log into your account and go to “settings.”
Scroll to “23andMe data” and click “view.”
Scroll to “delete data” and click on “permanently delete data.”
Confirm your deletion request.

Although that process will delete most personal information, to delete your DNA test sample from 23andMe records requires additional action: Log into your account, go to settings and then to preferences and follow the prompts.

Biotech Innovation Has A New Home in Virginia, to be Great and Good in all we do.

The company’s customer database includes DNA profiles, names, family connections, addresses and other personal information. The company has partnered with pharmaceutical companies to use DNA data and has offered customers tests for various gene-related medical conditions.

When sold as an asset, the data could reveal to buyers a person’s predisposition to medical conditions, as well as information regarding family members.

In October 2023, 23andMe experienced a data breach affecting nearly 7 million customers. The company reported hackers gathered profile and ethnicity information, primarily from customers of Ashkenazi Jewish and ethnically Chinese descent.

Stolen information included names, profile photos, birth years and locations, family surnames, ethnicity estimates, external family tree links and information related to mitochondrial DNA and Y-chromosome DNA.

Shortly after the breach, some customers filed a class action lawsuit against the company, alleging negligence and breach of contract. Two months later, in December 2023, 23andMe changed its terms of service to prevent customers from filing class action lawsuits.