23andMe updated its Privacy Statement on April 19, 2026 to clarify that the policy applies to websites owned and operated by 23andMe Research Institute rather than 23andMe broadly. The update also adds disclosure that users who receive Telehealth Services through licensed healthcare providers are subject to a separate Medical Record Privacy Notice describing how medical information is handled. A minor address formatting change was also made.
The updated Privacy Statement now clarifies that it is issued by 23andMe Research Institute and applies to the company's websites and services. Users who receive Telehealth Services through licensed healthcare providers are now explicitly directed to a separate Medical Record Privacy Notice that governs how their medical information is used and maintained. This clarification distinguishes general privacy practices from medical record handling practices.
The updated Privacy Statement now explicitly directs telehealth users to a separate Medical Record Privacy Notice, establishing clear separation between general privacy practices and medical information handling. This clarification ensures users understand that medical data from licensed healthcare providers is governed by distinct privacy rules documented elsewhere.
→ If you use 23andMe telehealth services, review the separate Medical Record Privacy Notice referenced in the updated statement
→ Telehealth users may not be aware that medical information handling is documented in a separate notice rather than this general privacy policy
Users accessing telehealth services are directed to a separate notice describing medical information handling
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
The change is primarily clarificatory and organizational in nature. 23andMe adds explicit disclosure of a separate Medical Record Privacy Notice for telehealth users, which aligns with standard privacy practice when medical services are offered through third-party licensed providers. The reference to 23andMe Research Institute as the policy issuer reflects corporate structure. No new substantive privacy obligations are created by this change; it identifies where existing medical privacy obligations are documented. Jurisdictions with medical privacy requirements (e.g., HIPAA in the US) may already apply to medical information handling regardless of this disclosure.
HIPAA (if applicable to clinical services provided), state medical privacy laws, GDPR (if EU residents access telehealth services), CCPA (if California residents access telehealth services)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001330.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — Watcher23andMe removed a sentence that described separate privacy protections for telehealth services and updated references to the company name in …
23andMe restructured the opening section of its Terms of Service on May 5, 2026, making three operational changes: (1) The …
23andMe restructured its Terms of Service on April 19, 2026, making several material changes to scope and dispute resolution. The …
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do…
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.