Full Report
23andMe holds millions of customers' genetic information. Here's what you can do to protect your data.
Analysis Summary
The provided article focuses on the steps an individual user must take to delete their personal genetic data from the 23andMe service, particularly in light of the company's bankruptcy and subsequent acquisition by Regeneron. The security recommendations derived from this context are primarily concerned with **Data Subject Rights (DSR) fulfillment, privacy management in third-party data transfers, and user awareness regarding sensitive personal information (SPI)**.
# Best Practices: Managing Sensitive Data Rights and Exiting Data Broker Services
## Overview
These practices address the control individuals have over their sensitive personal information (SPI), specifically genetic data, when a data custodian company undergoes significant corporate events like bankruptcy or acquisition. The focus is on proactive assertion of data deletion rights and understanding the implications of data usage agreements.
## Key Recommendations
### Immediate Actions
1. **Verify Data Transfer Status:** Immediately check your service provider’s (e.g., 23andMe) official communications regarding any acquisition or bankruptcy proceedings to understand whether your data is involved in a transfer or sale.
2. **Execute Data Deletion Requests:** Log into your account settings immediately and follow the established procedure to request the permanent deletion of all stored data, including genetic information, profiles, and associated personal identifiers.
3. **Download Local Records:** If permitted by the service, download any non-genetic profile data (e.g., ancestry reports or family tree information) to a local, encrypted storage device before initiating deletion, as deletion requests are often permanent.
### Short-term Improvements (1-3 months)
1. **Review Terms of Service (ToS) and Privacy Policies:** Review the current ToS and Privacy Policy of the service provider, paying close attention to clauses regarding data retention, transfer upon change of control, and monetization of anonymized/aggregated data.
2. **Check for Opt-Out Mechanisms:** Systematically identify and utilize all available opt-out mechanisms for secondary data uses, such as research participation, drug discovery, or third-party sharing, even if deletion is the primary goal.
3. **Establish an Inventory of Sensitive Data Hosts:** Create a register of all third-party services holding highly sensitive information (e.g., health, biometric, or genetic data) and schedule annual reviews for their status and associated risks.
### Long-term Strategy (3+ months)
1. **Develop a Data Exit Strategy:** Pre-plan the procedure for requesting data deletion from high-risk services *before* signing up, noting where the "Delete Account" function is typically located and what verification steps are required.
2. **Advocate for Data Ownership Standards:** Support regulatory efforts that mandate explicit, granular consent for data transfers during corporate restructuring (mergers, acquisitions, bankruptcies) rather than relying on implied consent.
3. **Implement Data Minimization:** For future services, only provide the absolute minimum data required for core functionality, avoiding optional collection fields, especially those related to health or genetic attributes.
## Implementation Guidance
### For Small Organizations
* **Focus on Awareness:** Ensure all personnel understand that company data shared with third-party SaaS providers remains subject to the provider's handling procedures, especially if those providers face operational instability.
* **Vendor Due Diligence (Limited Scope):** When selecting vendors, prioritize those with clear, easily accessible protocols for data subject requests (DSRs) and demonstrably strong breach notification policies.
### For Medium Organizations
* **Formalize DSR Procedures:** Document the internal process for handling customer or employee requests related to data deletion or porting, ensuring adherence to defined timescales (e.g., 30 days).
* **Contractual Review Triggers:** Mandate that legal/compliance teams formally review the agreements of any critical third-party service provider whose financial stability or operational control changes.
### For Large Enterprises
* **Automate Data Subject Rights Fulfillment:** Implement a dedicated platform or system to track, process, and audit Data Subject Access Requests (DSARs) and erasure requests (Right to Erasure) efficiently across all data stores.
* **Establish Buyout/Bankruptcy Contingency Plans:** Include explicit data handling clauses in M&A due diligence checklists, specifically requiring the acquirer to adhere to the pre-existing privacy commitments until a formal data migration or destruction plan is executed.
## Configuration Examples
The article explicitly details the necessary steps within the 23andMe interface for data deletion:
1. Log into the 23andMe account.
2. Navigate to **Settings** in the profile section.
3. Select the option labeled **23andMe Data**.
4. Click **View**.
5. Scroll to the **Delete Data** section.
6. Select the **Permanent** deletion option.
***(Note: No specific technical security configurations like firewalls or encryption standards were provided in the source text, only application-specific user interface navigation.)***
## Compliance Alignment
* **General Data Protection Regulation (GDPR) / CCPA:** The need to delete data upon request directly aligns with the "Right to Erasure" (GDPR Article 17) and similar privacy mandates like the CCPA’s Right to Delete.
* **HIPAA/HITECH (If applicable to data use):** While genetic testing companies are often outside direct HIPAA jurisdiction, the underlying principles of data protection and access control remain relevant, especially concerning health information portability.
## Common Pitfalls to Avoid
* **Assuming Deletion is Automatic Post-Acquisition:** Do not rely on the assumption that a company ceasing operations or being sold will automatically erase your data; explicit action is required.
* **Confusing Profile Deletion with Data Deletion:** Ensure the steps taken result in *genetic (raw) data* destruction, not just logging out or closing the account interface, which may leave raw data retained by the custodian.
* **Ignoring Secondary Usage Consent:** Failing to review and rescind consent for secondary uses (like drug discovery) means that even if your account is dormant, your anonymized data may continue to be monetized.
## Resources
* **Data Subject Access Request (DSAR) Portals:** Utilize the specific portals or settings provided by data custodians for initiating erasure requests.
* **Regulatory Body Resources:** Consult resources provided by relevant Data Protection Authorities (DPAs) or State Attorneys General offices regarding consumer rights concerning data sales.