Ask HN: 23andMe has my data, am I screwed?

by carimura on 3/25/2025, 9:20 PM with 9 comments

I'm quite concerned about 23andMe. I deleted my account a year ago, but deep in their privacy statements they say they must retain data due to regulatory obligations. I've exchanged multiple emails with them asking what it means. I'll post their response below. Am I / are we... up a creek with no recourse?

  "Thank you for your reply. Your inquiry has recently been 
  escalated to me for review. Please note that once you 
  confirm your request to delete your account, we will 
  delete your data from our systems within 30 days, unless 
  we are required by law or regulation to maintain limited 
  data for a given timeframe, as described in our Privacy 
  Statement.
  
  For example, archival files of information needed to   
  satisfy state and federal legal requirements are retained, 
  such as those set by the U.S. Federal Clinical Laboratory 
  Improvement Amendments of 1988 (CLIA) and College of 
  American Pathologists accreditation requirements.
  
  Your de-identified Genetic Information and a randomized 
  identifier are retained on secure servers as required by 
  law and any biobanked samples are discarded. The Genetic 
  Information is not accessed, used, or disclosed for any 
  purpose other than as needed to comply with the 
  requirements referenced above.

  It is important to understand that the retained 
  information is distinct from the genotyped data available 
  within your account and is stripped from registration 
  information. This data has not been processed by our 
  interpretation software to produce your individual-level 
  genotyped data (in your account).

  If you participated in telehealth services coordinated 
  through your 23andMe account, your Medical Record will be 
  retained in accordance with applicable law and is subject 
  to the Medical Record Privacy Notice.
  
  You can read more about these retention requirements in 
  the Privacy Statement."

by toomuchtodo on 3/25/2025, 9:22 PM

What is your threat model or the risk you are attempting to mitigate?

by DecentShoes on 3/25/2025, 9:33 PM

What law requires them to keep genetic information?

by JohnFen on 3/25/2025, 9:51 PM

I don't know. I do know that I used their process to delete my data (and account), and they claimed they complied. Whether or not they did, I have no way to know.

I wonder, though, if what they're talking about is that they have to keep the data as long as you have an account with them. The fact that you can't delete your data and keep your account hints that may be the case.