Whether in search of relatives, a family’s country of origin, or to understand personal disease risk, 15 million people have shared their DNA with 23andMe since the genetic test site launched in 2006. However, many who gave their saliva in exchange for genetic information and family history now wonder where that data will go, and how it will be used given that the future of the company is unclear.
Last year, 23andMe came under fire following a massive data breach affecting 7 million customers that led to a class action lawsuit and a $30 million settlement. To make matters worse, last month, all seven independent board members of the biotech company, whose shares have plummeted, resigned, citing hesitancy over CEO Anne Wojcicki’s strategy for the company.
With an uncertain path forward for the at-home testing giant, it’s understandable that the genetic information of millions of people also feels at stake. And more, HIPAA, which protects Americans’ sensitive health information, does not apply to direct-to-consumer genetic tests, experts warn.
“In the United States, if you’re talking about genetic data that’s generated outside of the health care setting, there’s a relatively low baseline of protection,” Dr. James Hazel, a postdoctoral fellow at the Center for Genetic Privacy and Identity in Community Settings, told the New York Times. “And that’s provided generally by the Federal Trade Commission. So the Federal Trade Commission, although it’s not specific to genetic data, has the ability to police unfair and deceptive business practices across all industries. Other than that, there are really no laws in the United States that apply specifically.”
What data does 23andMe have?
After providing a saliva sample and consenting to 23andMe’s at-home testing, the company will have your registration information, such as sex and date of birth. It will also have genetic information, the percentage of your DNA that comes from all parts of the world, traits such as eye and hair color, along with health predisposition and carrier status. You can find more information about the data collected in the company’s privacy statement.
“We strive to provide transparency and choice for customers throughout their entire experience with 23andMe. Customers can choose how their data is used and shared, if at all,” a company spokesperson tells Fortune, adding that about 80% of customers do opt for their data to be used for research. “Beyond the laboratories that are necessary to process customer samples, customers’ information is not shared with any other entity unless they provide us with consent to do so. We do not share any information with employers or insurance companies, and we’ve never shared customer data with law enforcement.”
Still, for those who have already shared genetic information that they no longer want a company to have, you can delete it.
How do I delete my personal information from 23andMe?
It is possible to delete your information from 23andMe. Under “Settings,” go to “23andMe Data,” and select “Delete Your Data.”
“While we will delete the majority of your personal information, we are required to retain some information to comply with our legal obligations,” reads the company’s website, which refers users to their Privacy Statement to learn more about what information is retained. After deleting your information, you must confirm your request via email.
According to the company, once this step is completed, your information won’t be used for research even if you opted in to 23andMe Research; and if you agreed to have your sample saved, it will also be destroyed.
“Customers always have the option to delete their account at any time, and can elect to do so from their account settings,” according to the company spokesperson. “Once we confirm the request, we will immediately and automatically begin the deletion process.”
This story was originally featured on Fortune.com