How to delete your 23andMe data amid the company's turmoil

Original Article ↗ Hacker News Discussion ↗

Overall concern: sensitivity and misuse of DNA data

  • Many see DNA as the most sensitive biometric, especially when linked to name, contact info, and relatives.
  • Others argue “you leave DNA everywhere,” questioning how much extra risk a database adds.
  • Counterpoint: mass, indexed DNA with identifiers enables cheap large‑scale profiling (e.g., insurers, surveillance) that physical traces alone do not.

Effectiveness and limits of “delete my data” requests

  • Strong skepticism that deletion requests are fully honored; many expect soft deletes or flags only.
  • Several note that backups, data lakes, logs, and ad‑hoc copies make total deletion hard, especially in microservice environments.
  • Others argue GDPR/CCPA fines and liability have forced serious redesigns in larger/regul­ated companies, with real hard‑delete workflows.
  • A recurring ambiguity: it is very hard for users to prove whether data was truly deleted.

Technical approaches and challenges

  • Common pattern: “soft delete” via a boolean field; periodic batch jobs may (or may not) do hard deletion.
  • Some describe more robust systems: fan‑out of delete requests across services, timed hard delete after a grace period, and processes to prevent deleted records from reappearing after backup restores.
  • Suggested ideal: per‑user encryption keys so destroying the key effectively deletes all related data, though this complicates analytics and key management.
  • Debate on whether deletion from backups is mandated or only required when “reasonable”; interpretations and implementations vary.

23andMe‑specific issues

  • 23andMe is said not to be covered by HIPAA, which surprises some.
  • Company emails reportedly state that account‑level data can be deleted, but some genetic information, DOB, and sex must be retained for years due to lab and accreditation regulations (e.g., CLIA), creating frustration.
  • Users complain that timelines for final deletion of all data are unclear or not disclosed.
  • Fake names / birthdates used for privacy can block CCPA/GDPR requests because ID checks then fail.
  • Some users report escalations where deletion was granted despite ID issues; others remain stuck.

Risks, benefits, and ethics of consumer DNA testing

  • Critics call sending DNA to private firms irreversible and reckless, affecting relatives and future generations.
  • Concerns include insurance discrimination, data sales, breaches, and potential state‑level misuse.
  • Others downplay practical harm so far, noting few or no concrete real‑world cases from leaks.
  • There is moral debate about one person exposing family members’ genetic information without consent.