from Hacker News

California Attorney General issues consumer alert for 23andMe customers

by thoughtpeddler on 3/22/25, 5:55 PM with 355 comments

  • by pmags on 3/22/25, 6:35 PM

    I work in population genomics (non-human organisms), and myself participated in an early near-whole genome genotyping study back when microarrays were still the predominant technology (academic NOT commercial).

    But for nearly 20 years I've been telling my extended family NOT to participate in any large scale genotyping with 23 and Me or similar commercial companies where they retain rights to your data, anticipating that something like the current scenario would likely play out.

    Somehow, 23 and Me genotyping became the "gift du jour" for Xmas some years back -- I never personally understood that or why someone would want to turn over so much data to a commercial entity.

    This is not to say that large scale sequence information is not appropriate for *some people*. But if that's something you need, make every effort to make sure you own your own data.

  • by Animats on 3/22/25, 7:29 PM

    The problem, not stated, is that a bankruptcy can wipe out the obligations of a company to its customers. This includes privacy obligations.[1] Especially if the assets are sold to a company outside California or outside the US.

    [1] https://harvardlawreview.org/print/vol-138/data-privacy-in-b...

  • by huitzitziltzin on 3/22/25, 7:53 PM

    The fact that 23andme is at risk as a going concern tells you what you need to know about the potential of monetizing large amounts of generic data. It turns out you can’t get much value from it. If you could, they would have.

    And no I don’t think all of that DNA data would be valuable to the likes of a large health insurer like Humana or Aetna either.

    The medical records you are imagining an insurer can link to genetic data are worth even less than these DNA sequences turned out to be worth.

    Sincerely,

    A former health economist who has worked both with tens of millions of inpatient discharge records, and (separately) a detailed survey which is complemented by genetic data.

  • by steelframe on 3/22/25, 7:27 PM

    Whenever I start feeling smug about how cagey I've been about data brokers in the past, I remind myself that enough of my relatives have handed over their DNA to operations like 23andMe so as to render my efforts futile.

  • by arjie on 3/22/25, 6:54 PM

    The practice of how this does damage isn't clear to me. But I'm going to test this in the very skin-in-the-game sense. My genome (sequenced by Nebula Genomics) is available to anyone who would like it. I have raw FASTQ files which you will have to pay a nominal fee to access.

    Once upon a time, a friend and I decided we should launch a site where people can submit their genomes and health information so that broad population scale studies can be done. I did submit my stuff to All Of Us and so on, but I think the fact that you need to be special-cased to access the data is probably a loss.

    So I think it's time to revisit this whole thing. Perhaps I should make VCFs available instead. They're much smaller and may be more accessible for people. In any case, if you want my FASTQs, just email me.

  • by carimura on 3/22/25, 10:03 PM

    Sure you can delete your data, but guess what, they'll retain it anyways under "regulatory obligations". I've gone back and forth with their privacy team and this is the last response:

        "This is a follow-up from the 23andMe Team. To clarify, we and our laboratory vendors are bound by various legal and regulatory obligations that may necessitate retention of certain information. We want to assure you that our data retention program adheres to applicable legal requirements which can vary depending on what country or state a customer lives in, the state a contracted laboratory is located in, and any applicable federal or state licensing obligations related to the ancestry and health products we sell. We can confirm that samples and genetic testing results are deleted in accordance with applicable law and any legal retention obligation serves as a proper exception related to a data deletion request under data privacy laws."

  • by ronnier on 3/22/25, 6:28 PM

    > The California-based company has publicly reported that it is in financial distress and stated in securities filings that there is substantial doubt about its ability to continue as a going concern

    This is one reason I use signal over other texting apps -- I don't want my private messages sitting in a database waiting to be sold during a fire sale when the company goes under. Also why I try to locally host my apps such as security cameras, password manager, home automation, storage, wiki, among others

  • by Guvante on 3/22/25, 6:33 PM

    If 23andme has an agreement with its consumers on how it will handle the data it should not matter whether they are bought that agreement should be maintained in perpetuity unless those consumers actively choose to change their agreement.

    After all we wouldn't talk about Dropbox being sold resulting in ransacking of your personal data why is that in the conversation with 23andme?

    (I am not being critical of the AG here but instead pointing out how lax consumer protections have gotten that we even need to have this be a talking point)

  • by jrm4 on 3/22/25, 11:17 PM

    A simple rule.

    When a company promises to never do a thing (e.g. be careless or sell off important data like this,) but there is no legal consequence or assurance, that company -- or some different company related to it -- is definitely, absolutely, going to do that thing.

  • by IncreasePosts on 3/22/25, 6:55 PM

    23andme stock is down 99.12% from 5 years ago. Sheesh. What happened? Is it just not a viable business model or was it extremely mismanaged?

  • by No1 on 3/23/25, 4:50 AM

    I have been wanting to get my genome sequenced for years, and had been thinking 23andme might be one of the better options because of the possibility of invoking the CCPA to get my data deleted after sequencing. Never did it because I wonder if they sell your info to some third party the second it comes off the sequencer, and also because I'm skeptical that they would fully comply with a deletion request.

    For people who would like to get their DNA sequenced but are actually concerned about privacy, are there any better options?

  • by teeray on 3/23/25, 3:19 AM

    This sucks the most for everyone that never consented to genetic data collection, but they have it all anyway. If you were the only holdout in your family to not use 23andme, it doesn’t really matter since they know a lot about you anyway. Genetic information is fundamentally shared among a group, so you shouldn’t really be able to consent to disclose it in a way that allows a company to do whatever it wants with it. They haven’t obtained all of the consent.

  • by robwwilliams on 3/23/25, 3:42 AM

    I do not understand the purpose of this alert. There are no explicit warnings, just a premonition. The alert merely says what all users should know that their genetic and survey data can be deleted if they request it to be deleted.

    That obligation to delete user data is persistent and will apply to any buyer of 23andMe. Or am I wrong?

    What is the AG of California intimating that the data is now at risk of being released into the wild or worse? That is how some will respond to this alert.

    What many customers may not know is that they can also download these valuable genotype data and store locally if they wish. Using these data is not easy, but it is possible with a but of research and help.

    Those who have used 23andMe should and can expect the security of their data to be maintained by the company, and that obligation would apply to any purchaser.

  • by timewizard on 3/22/25, 6:26 PM

    "Why would you spit into a tube then mail it to the internet?"

    -- Bill Burr

  • by scoofy on 3/22/25, 8:41 PM

    If only we had any actual privacy laws in the United States.

    I hate that I'm having my samples destroyed and removed from research. It feels wrong. But the idea that some company can quietly change the privacy terms on me is unacceptable. I would happily share my genetic data with researchers if I knew that the privacy agreement we had was irrevocable.

  • by josefritzishere on 3/24/25, 8:49 PM

  • by vishakh82 on 3/23/25, 1:13 AM

    We're launching a fully encrypted option for personal genomics called Monadic DNA.

    https://monadicdna.com/

    We use fully homomorphic encryption to ensure only you can see your data and your results.

    The app will be live in a few weeks.

  • by quantified on 3/22/25, 8:20 PM

    After you go through the steps to request deletion and physical destruction of the sample, you still need to trust them, a dying concern with the desire to monetize anything remaining, to actually carry it out.

  • by ashoeafoot on 3/23/25, 9:54 AM

    Thank you to everyone who sold out their families genetics, you are uninsureable for all found so far genetic diseases , sign here, here and here.

  • by fnord77 on 3/22/25, 7:06 PM

    Bonta himself is about to be indicted by the feds in relation to the Duong family/Sheng Thao corruption probe.

  • by svanschalkwyk on 3/23/25, 11:33 PM

    Trying to delete and no date matches my birthday. How convenient.

  • by sudoshred on 3/23/25, 12:22 AM

    Reminiscent of the movie Gattaca.

  • by sMarsIntruder on 3/23/25, 8:04 PM

    Early user. IIRC it was kind of early ‘10.

    Never gave consent for studies and asked for GDPR complete data removal I guess 5/6 yrs ago.

    Meanwhile I learned about privacy and promised myself to never get into this “things” again.

  • by levocardia on 3/22/25, 6:43 PM

    So, what rich billionaire wants to buy the company, anonymize the data, then release it open-source? Would be a genuine boon to biohackers everywhere, privacy be damned.

  • by slevis on 3/22/25, 7:23 PM

    It would be imo worse if the information just gets lost once 23andMe shuts down. Make genome and health information open access.

  • by ripped_britches on 3/22/25, 7:39 PM

    Why is it his prerogative to suggest this? Doesn’t he have better things to do?

  • by hayst4ck on 3/22/25, 6:28 PM

    It's worth pointing out that this is a pro-corporate attack by the US/california government against citizens who have their data in 23andme. This is one more item of clear evidence that it is not the citizens government, but corporations government. This is also why democrats lose. They can't even wrangle corporate power in their own stronghold states.

    Politicians have the responsibility of creating legislation to protect citizens, but by abandoning that responsibility and creating an "opt-out" system, those without knowledge or who aren't paying active attention lose, and companies win. The company loses almost nothing if a handful of people opt out, and only a handful of people at most will opt out, so corporations win, the politicians continue to have the support of corporations so they win, and citizens who have things being done with their data, that they absolutely would not consent to, lose.

    *edit: If you did 23andMe for health information or ancestry purposes, would you consent to that data being sold to an insurance company who might raise your rates, or in a crazy world, to a background check company that would inform a potential employer of any medical conditions that might be relevant to your stability as a worker?

    Of course not. You would absolutely not consent to that.

    This policy of warning people to delete their data instead of stopping action that no informed citizen would consent to not only doesn't scale, but it is an abandonment of responsibility in order to retain corporate support (such as donations to run a campaign).