Deleting Your Online DNA Data Is Brutally Difficult
(Bloomberg) -- In the name of journalism, I have spit into a lot of test tubes.
I’ve sent samples of my saliva to Ancestry and 23andMe Inc. to find out about my heritage; mailed my spit to Helix for insight into my athletic ability, diet and sleep patterns; and uploaded my DNA to the website of a startup that said it could craft a skin care routine genetically optimized to give me perfect skin.
Overall, I’ve shared my genetic information with nearly a dozen companies. You might call me an oversharer.
I’m not alone. The direct-to-consumer genetic-testing industry has grown from some $15 million in sales in 2010 to more than $99 million in 2017, and is projected to reach $310 million by 2022, according to one industry estimate.
Your genetic code includes details about not only your own health and family, but also similarly intimate information about your relatives. When police recently used a genetic genealogy website to find a suspect in the case of the Golden State Killer, it illuminated the unexpected ways that your genetic data can be used by people you had no idea you were sharing it with.
Recently, I started feeling uneasy about how freely my DNA data flowed. So I decided to try to erase my DNA data footprint from all the websites and databases and laboratories in which it was stored. It turns out that isn’t so easy.
When you send your DNA to consumer genetic-testing companies, the sample typically is stripped of identifying details and sent to a third-party laboratory. There, DNA is extracted and purified from your saliva and analyzed. Then the anonymized data is stored and the sample is stashed for future tests.
Most companies’ privacy policies and terms of service assert the right to share data with business partners or law enforcement, if compelled. If you agree to take part in research, your information can be shared with groups involved in scientific studies.
“The language in their policies permits selling or sharing information with third parties in many cases. That could be, in theory, anyone,” James Hazel, a researcher at Vanderbilt University who surveyed the privacy policies of 90 direct-to-consumer genetic-testing companies for a forthcoming paper in the Cornell Journal of Law and Public Policy, said in an interview with Bloomberg.
It was possible my data was stored in places I might not have any way to know about.
I started with Ancestry.com, which offers DNA-based insights into your family tree. Deleting my data there was simple: With a click, it disappeared from view. But to get my sample destroyed, I had to call.
The customer-service representative I spoke with had never deleted a sample and had no idea how to. After 20 minutes, she said she’d completed my request. She assured me that Ancestry would keep no record of my genes, that my sample would be destroyed—when, she didn’t say—and that I’d receive an email confirmation.
A follow-up call a week later revealed only that things were “in process.”
Next, I tackled 23andMe, where—along with family information—customers can get information about disease risk and other aspects of their health. After a long time clicking around the site, I found an email address to send in my request. But I was told that the tools for deleting my data and sample from 23andMe’s records were “not currently available.” I had to wait until May 25, when the company planned to roll out new privacy tools in compliance with Europe’s data-protection regulations, the GDPR.
On the morning of May 25, 23andMe’s email arrived, heralding how easy it now was to delete your data. There was just one caveat: You can’t fully delete it.
For one thing, I’d agreed to contribute my information to research, and the company couldn’t retract it from studies in progress. And there was another problem: Deleting my genetic information at my request is against federal law. 23andMe, and any other company that uses facilities meeting federal standards for clinical laboratories, can’t just toss out your data.
“The federal Clinical Laboratory Improvement Amendments (CLIA) of 1988 and California laboratory regulations require the lab store your de-identified genotyping test results and to keep a minimal amount of test result or analysis information,” an email from 23andMe said. “Our laboratory will retain your genetic information and a randomized identifier on their secure servers for a limited period of time, 10 years pursuant to CLIA regulations.”
Fourteen frustrating customer-service emails later, I ascertained that the “minimal amount” of information the company was required to keep on hand was, essentially, all of my raw genetic information. 23andMe may tell you that you can delete your data, but in reality, the law says you can’t.
A spokesperson from the Centers for Medicare and Medicaid Services, which oversees CLIA regulations, confirmed this. The regulations are meant as a form of quality control. If something goes wrong with a laboratory test, CMS wants to be able to figure out why.
“If a laboratory subject to CLIA regulations performs a test, all records pertaining to the performed test must be retained for at least two years,” a CMS spokesperson said. Most of the major consumer DNA-testing companies that offer health-related services use CLIA-certified labs.
Still, I decided to see what the other companies I tested with had to say.
Customer-service representatives at Orig3n, which recently began using a CLIA lab after getting a scolding from the federal government, assured me that somehow all my data would be deleted. Helix confirmed that it may “retain backup copies and archival files” to meet regulatory requirements, then stopped responding to my inquiries.
Helix, which bills itself as the “app store” for DNA, processes the DNA sample and then shares the relevant data with other companies from which consumers purchase tests for interpretation. I had tested with three companies on the Helix platform.
Only one, Exploragen, told me it would delete my information entirely. DNAfit told me it would retain some of my information for legal and regulatory purposes. Everlywell told me that, while they could remove my results from my account so that I could not access them, the “results remain stored on the back end due to regulatory reasons.”
This seemed to spell it out most clearly: When you delete your DNA information, you are mainly hiding your information from yourself.
Major DNA testing companies are changing their ways. Where, for example, Ancestry used to say that it holds “a royalty-free, worldwide, sublicensable, transferable license to host, transfer, process, analyze, distribute, and communicate your Genetic Information,” it now spells out that users own their data, with the company keeping certain rights to it.
Hazel, the researcher studying the privacy policies, said even if a company did offer to delete all your data, it’s unlikely that it could really purge your information from all the places it had already wound up.
“They’ve already bundled it with other users’ data and stripped it of your name and aggregated it, and either sold it or shared it with other third parties,” he said.
Even that kind of anonymity might not be enough to shield your information from prying eyes. In two studies in 2013, researchers showed it was possible to identify people from anonymous DNA information.
It’s a lesson we’re destined to keep learning: Once you share something online, you can’t really ever unshare it.
©2018 Bloomberg L.P.