So this is a story about me and 23andme, and why I can’t seem to have a clean breakup with them.
A few years ago, I emailed 23andme to ask some questions as a privacy blogger/advocate. I have never had any other relationship with them. This past week, though, I received an email from them with the promising subject line, “Privacy Updates: Greater Transparency. More Control.”
As part of their updates, they claimed that they had:
added new tools to your Account Settings page to further empower you to be in control over your information. You can now access, download, and request deletion of your 23andMe data at anytime, directly within your account.
OK, you think, but keep reading:
To learn more about 23andMe’s approach to privacy and data protection, please visit our Privacy Center (https://click.mail.23andme.com/[redacted]).
You are receiving this email because you are a customer of 23andMe. We are legally required to notify all 23andMe customers via email when we make a change to our policies. Unlike for other 23andMe emails, we do not provide an unsubscribe link for transactional or fundamental updates, such as this one.
So I can’t unsubscribe from their update notifications, even though I am not really a customer? No problem, I’ll just trot over to their updated privacy material for the United States and delete my account or whatever they think they have on me, right?
Oh. I can’t do that, either, it seems:
While we will delete the majority of your personal information, we must retain some information to comply with our legal obligations. Notably, the following limitations apply:
[…]
- Limited information related to your account and data deletion request will also be retained by 23andMe, including but not limited to, your email address, account deletion request identifier, and record of legal agreements for a limited period of time as required by contractual obligations, and/or as necessary for the establishment, exercise or defense of legal claims and for audit and compliance purposes.
So I can’t delete the only information they have on me, because of “contractual obligations, and/or as necessary for the establishment, exercise or defense of legal claims and for audit and compliance purposes.”
What “contractual obligations?” With whom did they contract for my information? I just sent them a media inquiry at some point. Why wouldn’t they delete my data or unsubscribe me?
Always use a new email alias whenever dealing with a new company.
Yes, and I generally do that, but not for when I’m sending press/media inquiries. Oh well…