23andMe removed a reference to its Research Institute from the opening scope statement, changing 'websites owned and operated by 23andMe Research Institute' to 'websites owned and operated by 23andMe'. The company also removed an entire sentence describing a separate Medical Record Privacy Notice for telehealth services and made minor formatting corrections to the contact address. These changes narrow the explicit organizational scope and remove disclosure of a parallel privacy notice that previously applied to certain healthcare-related services.
The updated privacy statement no longer explicitly discloses a separate Medical Record Privacy Notice that previously described how medical information is used, disclosed, and maintained for telehealth services. Users who receive telehealth services coordinated through 23andMe may now lack clear notice of which privacy framework governs their medical records, since the reference to that parallel notice has been removed. The organizational scope change from '23andMe Research Institute' to '23andMe' narrows the explicitly named entities responsible for the policy, though operational impact depends on how these entities actually function.
The removal of Medical Record Privacy Notice disclosure eliminates explicit notice to users that their medical records are governed by a separate privacy framework. Under HIPAA and state medical privacy laws, healthcare providers and business associates must clearly disclose privacy practices for protected health information. If 23andMe continues telehealth services, this removal creates regulatory compliance risk and leaves users without clear notice of how medical data is protected.
→ If you use 23andMe telehealth services, request a copy of the Medical Record Privacy Notice directly from 23andMe to confirm what privacy protections apply to your medical records.
→ Review whether your own medical provider or health plan references 23andMe's privacy policies in their disclosures to you, and confirm the scope of what privacy rules actually govern your records.
→ Without explicit notice of a separate Medical Record Privacy Notice, telehealth users may not understand which privacy rules govern their medical records or how their data differs from genetic data.
→ If the notice no longer exists or is not accessible, users lack clear disclosure of medical information privacy practices as required by HIPAA and state law.
Removed language stating that a separate Medical Record Privacy Notice describes privacy practices for telehealth services and medical information.
Changed from '23andMe Research Institute' to '23andMe', narrowing explicit organizational identification in policy scope.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction.
Users of telehealth services are no longer explicitly told in the main privacy statement that a separate, more detailed privacy notice describes how their medical records are handled.
23andMe removed explicit reference to a separate Medical Record Privacy Notice that previously disclosed privacy protections for telehealth services. This removal may create regulatory exposure under HIPAA and state medical privacy laws if telehealth services continue and medical records are still collected and maintained. The removal also potentially impacts GDPR and CCPA compliance obligations, which generally require clear notice of separate or parallel processing activities affecting different categories of personal data. A compliance team should verify whether telehealth services remain operational and, if so, confirm that a separate medical privacy notice still exists and is accessible to affected users. If the notice has been eliminated entirely, the policy may no longer adequately disclose medical record handling practices required under applicable law.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001149.