I've been dealing with their support trying to delete my data. Here's the latest response [1]. The way I read it, they won't delete your genetic data, and it sure seems personally identifiable to me. Am I reading this wrong?
[1] This is a follow-up from the 23andMe Team. Your
inquiry has been escalated to me for review. To clarify,
once you confirm your request to delete your account, we
will delete your data from our systems within 30 days,
unless we are required by law or regulation to
maintain data for a given timeframe.
For example, your Genetic Information, date of birth, and
sex will be retained by 23andMe and our third party
genotyping laboratory as required for compliance with
applicable legal obligations, including the U.S. Federal
Clinical Laboratory Improvement Amendments of 1988
(CLIA), California Business and Professional Code
Section 1265, and College of American Pathologists
accreditation requirements.
It is important to understand that the information stored
is distinct from the raw genotype data available within
your account. The raw data we receive from the lab
has not been processed by our interpretation software
to produce your individual-level genotype data (in
your account).
You can read more about our retention requirements in the
retention of personal information section of our Privacy
Statement.
As I get it, it's a federal requirement for a lab to keep genetic data for a while with no way for the specimen to do anything about it.
So, it's a CDC thing, not exactly 23AndMe's fault. Save for the fact that 23AndMe advertised it's easy to delete data on their front page, but with the small print somewhere out there that you can't really delete the actual data. To be entirely fair, it was there somewhere (I think in their help center in some article about the data deletion process) when I went to check out their privacy policies - because that's how I learned about it and reconsidered buying a test, but I guess most people don't read the small print until the deed is done.
My understanding is that they will delete your data on their side (leaving only a few things like payment receipts), but the lab won't because they legally can't.
Assuming for a second these federal requirements cited are a) valid, and b) for a good reason, it still says right there in the response that it's not just the lab, sadly.
For example, your Genetic Information, date of birth, and
sex will be retained by 23andMe
It's ridiculous. Unless I'm missing something, they basically have this entire fluff piece of a privacy policy, data control, deletion, etc., and then just keep your genetic info after deletion for sale to the highest bidder / nation state.
If we are involved in a bankruptcy, merger, acquisition, reorganization, or
sale of assets, your Personal Information may be accessed, sold or
transferred as part of that transaction and this Privacy Statement will apply
to your Personal Information as transferred to the new entity.
I got an identical email, after asking numerous times for them to tell me when all information will be deleted, i.e. when do the compliance requirements expire for my specific account?
They certainly don't seem interested in answering this question, no matter how many ways I phrase it. So much for "you are in control of your data", I guess it was all BS as some people predicted.
Ya I asked that also, as well as "is the information you are retaining personally identifiable to me?" but sadly I think I know the answer to that one....
No response yet. I'm sure the privacy department is busy.
"The law requires medical laboratories to retain some testing data and materials for various lengths of time, often 2 years, but as long as 10 years for some kinds of test."
My personal experience: I also failed the birth date test, even with my usual fake birth date. I also refused to provide a copy of my ID. They escalated my request and agreed to delete it anyway. All my samples and data are more than 10 years old, so they have no legal obligation to retain anything, which I pointed out to them in my confirmation.
I'm hoping they delete it but don't have the resources to do anything more than hope.
I did read it. The response is we will delete unless… and it lists a bunch of possibly applicable laws.
Based on the vagueness of the response (which law in particular, what are the details etc) I’d argue they won’t delete anything ever and claim that they thought they might run afoul of some law.