California’s CPPA Urges Users to Delete 23andMe Data

The digital age gives us amazing ways to explore our heritage and health. Direct-to-consumer (DTC) genetic testing services like 23andMe offer easy access to this information. However, this convenience carries significant privacy risks. These risks recently became very clear. California’s dedicated privacy watchdog issued a strong warning as a result. The California Privacy Protection Agency (CPPA) released an enforcement advisory. It urges consumers to be extremely cautious with their genetic data. The agency specifically advises Californians to consider all options. This includes requesting to delete 23andMe data. This guidance follows a major data breach affecting millions. The incident highlights how sensitive and permanent genetic information truly is.

Understanding the CPPA Advisory on Genetic Data

The California Privacy Protection Agency (CPPA) implements and enforces California’s strong consumer privacy laws. These include the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Its recent enforcement advisory acts as a serious alert about genetic testing company practices. The agency clearly highlighted potential dangers. These dangers relate to collecting, using, and storing highly sensitive genetic material. Recent security events further increased these concerns.

The CPPA advisory provides important details. Reports like the one from Thorold Today cover the advisory. The agency’s concern arises from two main points. First, DNA data is inherently sensitive. Second, recent security failures exposed risks. The advisory clearly suggests that consumers actively manage their data. Recommendations include reviewing privacy settings and enabling multi-factor authentication. Consumers should also weigh the benefits against the risks. This careful evaluation could lead consumers to delete 23andMe data, which California law empowers them to control. This position shows a growing awareness. People understand that genetic information requires top-level protection.

The 23andMe Data Breach: A Closer Look

The CPPA did not issue its advisory in isolation. It directly followed a major security incident at 23andMe in late 2023. This breach exposed personal information for about 6.9 million users. This number represents a large part of the company’s customer base. Major news outlets like Reuters reported the breach details. Hackers accessed accounts, affecting nearly half of 23andMe’s users. Therefore, understanding this breach helps to grasp the CPPA’s recommendation.

Hackers did not breach 23andMe’s core systems directly. Instead, they used a technique called “credential stuffing.” This method uses username and password combinations leaked from other data breaches. Attackers tried these leaked credentials on 23andMe accounts. Many individuals, unfortunately, reuse passwords across different websites. This reuse made the attack alarmingly effective against 23andMe users.

Disturbingly, the attackers seemed to target specific data. They focused on users of Ashkenazi Jewish and Chinese descent. Attackers compiled lists using genetic ancestry information from compromised accounts. 23andMe stated that hackers did not download the raw genetic data this way. However, the accessed information included user profile details and ancestry reports. It also included family tree information and potentially sensitive data from features like DNA Relatives. This targeted harvesting causes serious concern. It opens possibilities for misuse, discrimination, or harassment based on ethnicity or genetics. Furthermore, reports suggest 23andMe updated its terms of service after the breach. These changes compel users into binding arbitration. This action could limit users’ legal options for seeking damages.

Why Genetic Data Requires Extraordinary Protection

Genetic information differs fundamentally from other personal data we share. Crucially, it is immutable. You cannot change your DNA sequence like a password. Genetic data reveals deeply personal details. It shows health predispositions and ancestry for an individual. It also reveals information about biological relatives. This includes relatives who never used a genetic testing service. This sensitivity and interconnectedness make it a prime target for bad actors. It also raises significant ethical questions about its collection and storage.

Potential misuse of genetic data is widespread and worrying. Laws like the Genetic Information Nondiscrimination Act (GINA) offer some U.S. protections. However, concerns remain about discrimination in other areas. For example, GINA may not fully cover life insurance, disability insurance, or long-term care insurance. Beyond discrimination, exposed genetic data could fuel targeted advertising based on health risks. Malicious actors could exploit it for even worse activities. Moreover, once exposed, you cannot effectively recall or change this data. The CPPA strongly focuses on this area. Their clear suggestion for consumers includes the option to delete 23andMe data that users provided. This underscores the unique and permanent risks involved. Therefore, robustly securing this information is absolutely vital.

Your Rights Under California Law (CCPA/CPRA)

Fortunately, California residents have some of the strongest data privacy rights in the U.S. The CCPA and the later CPRA grant these rights. These laws give consumers significant control over their personal information. This explicitly includes sensitive categories like genetic data. Key rights relevant here include:

• The Right to Know: You can ask businesses for details about the personal information they collect, use, disclose, and possibly sell about you.
• The Right to Delete: You generally have the right to request deletion of your personal information held by businesses. Certain exceptions apply, like data needed for transactions or legal compliance. This right is central to the CPPA’s advice regarding 23andMe data. Consider exercising this right to delete 23andMe data.
• The Right to Correct: You can ask businesses to correct inaccurate personal information they hold about you.
• The Right to Opt-Out: You can tell businesses not to sell or share your personal information with third parties.
• The Right to Limit Use of Sensitive Personal Information: You can instruct businesses to limit how they use and disclose sensitive data (like genetic information). They should only use it as necessary to provide the goods or services you requested.

These rights give Californians a solid legal framework. They can use it to regain control over genetic profiles held by companies like 23andMe. Exercising the right to delete is a powerful step. Individuals can take it if they feel the risks outweigh the benefits of keeping their data with the service.

Steps to Protect Information & Delete 23andMe Data California Residents Can Take

Given the CPPA advisory and genetic data risks, consumers should proactively manage their privacy. Consider taking these steps:

1. Review Privacy Policies and Settings Carefully: Read the privacy policy before using a genetic testing service. Review it periodically afterward. Understand what data they collect and how they process it. Know who they share it with (researchers, third parties) and their data retention policy. Adjust your privacy settings within the service to be as restrictive as you are comfortable with.
2. Strengthen Your Account Security: Never reuse passwords. Use a unique, strong password for your genetic testing account. Critically, enable multi-factor authentication (MFA) if the service offers it. MFA greatly reduces the risk of unauthorized account access through credential stuffing.
3. Exercise Your Right to Delete Your Data: If you worry about your genetic data’s security and privacy, especially after breaches, consider requesting its deletion. Companies operating in California, like 23andMe, must provide clear ways for users to submit deletion requests under CCPA/CPRA. Check the company’s privacy policy, account settings, or contact customer support for their specific process.
4. Be Cautious with Third-Party Sharing Consents: Pay close attention when consenting to share anonymized or aggregated data. Understand the implications and scope before agreeing to share with third-party researchers or other platforms.
5. Consider Risks Before You Test: If you haven’t used a DTC genetic testing service yet, weigh the benefits carefully. Compare them against the significant privacy and security risks before submitting your DNA sample and personal information.

KAASS LAW’s Perspective on Data Privacy

The CPPA’s pointed advisory about 23andMe is a critical reminder. Data privacy is increasingly important in our digital world. This is especially true for unique, irreplaceable information like our genetic blueprint. Data breaches involving sensitive personal information can cause far-reaching harm. This harm extends beyond financial loss. It includes risks of discrimination, identity theft, and significant emotional distress. Navigating complex data privacy laws and understanding your rights can often feel overwhelming.

At KAASS LAW, we understand the vital importance of strong data protection strategies and compliance. Businesses handling sensitive data must ensure adherence to regulations like CCPA/CPRA. They also need effective incident response plans. Simultaneously, empowering individuals to understand and use their consumer rights is crucial for trust and control. Do you have questions about your data privacy rights under California law? Do you need help navigating these complex legal issues? Consider consulting with an experienced attorney. For specific inquiries or professional consultation on privacy concerns, please Contact Us.

In conclusion, do not take the California Privacy Protection Agency’s strong warning lightly. Your genetic data is exceptionally sensitive. It warrants diligent, proactive protection. The large-scale 23andMe data breach clearly shows the real-world risks. Consumers, especially Californians with powerful CCPA/CPRA rights, must carefully evaluate their situation. Does continuing to store DNA data with commercial services align with your comfort level for privacy and security? Taking decisive steps is increasingly essential. This may include exercising the option to delete 23andMe data, safeguarding your most personal information.