How to Delete Your 23andMe Data

Perceived Futility of DNA Privacy

  • Several commenters liken DNA privacy to contact privacy on social media: even if you abstain, relatives’ submissions effectively expose much of your genome.
  • Some still advocate deletion as a low-cost harm-reduction step: leaving the data there does not make you any safer.

CLIA, Retention, and What Can Actually Be Deleted

  • Discussion centers on whether CLIA lab regulations really require 23andMe (or its labs) to keep genetic data plus DOB/sex.
  • One linked legal analysis claims CLIA mandates retention of test records, not raw genotype data; others argue that interpretation misunderstands CLIA.
  • Distinction emphasized: CLIA regulates labs and test records; 23andMe is a consumer company contracting labs, so its broader retention may be business-driven, not strictly regulatory.

Technical and Legal Limits of “Deletion”

  • Many see the process as “requesting” deletion, with no way to verify wiping of production copies, backups, or partner-held data.
  • Concerns include:
    • Bankruptcies and asset sales: data as an asset that may persist under new owners.
    • Restores from backups after “hacks.”
    • Difficulty proving non-deletion and quantifying damages in court.
  • Some argue deletion requests at least create legal leverage; others note lawsuits are expensive, slow, and don’t “unsell” data.

Data Sharing, “De-Identification,” and Re‑Identification Risk

  • 23andMe is described as selling de‑identified individual-level data and aggregated data to partners, with explicit consent settings.
  • Debate over how meaningful “de‑identification” is for inherently identifying genomic data; re‑identification research is acknowledged but seen by some as low‑risk in practice.
  • Others argue providing de‑identified data is still “selling your data” and that re‑identification is a real, if specialized, threat.

Scope and Potential Harms of the Genotype Data

  • The company uses SNP arrays (~650–750k variants), not full-genome sequencing; some say this nuance doesn’t matter for risk.
  • Speculated abuses: insurance and employment screening, personality/IQ targeting, discriminatory advertising, tailored scams, even extremist targeting by ancestry.
  • Counterpoint: current predictive power of SNPs for complex traits (personality, IQ, many diseases) is very weak; traditional risk factors (smoking, age, blood pressure) are far more actionable.
  • Legal protections (e.g., bans on genetic discrimination in health insurance/employment) are mentioned, but commenters note: laws can change, are sometimes broken, and don’t cover all domains (e.g., advertising, life insurance everywhere).

User Experiences and Workarounds

  • Several users report:
    • Difficulty logging in or receiving password-reset emails right after the breach news.
    • Slow or missing data exports before deletion.
    • Using GDPR/right-to-erasure tools to send legally binding deletion requests.
  • Engineers emphasize that, given typical data pipelines and backups, full erasure across systems and partners is improbable.

Broader Attitudes and Comparisons

  • Some express fatalism: the “bell can’t be unrung,” especially if data was already shared for research.
  • Others are relatively unconcerned if data is used only for research and not insurance/healthcare discrimination.
  • Comparisons are drawn to trusting Dropbox/Google; the reply is that DNA is uniquely sensitive and long-lived, and current legal/judicial safeguards are widely distrusted.