On May 21, 2026, 23andMe updated its Privacy Statement to reflect that the policy now applies to websites owned by 23andMe Research Institute rather than 23andMe generally. The update also adds a new disclosure stating that users who receive Telehealth Services will have a separate Medical Record Privacy Notice describing how medical information is handled. Additionally, the contact address was reformatted and the last update date was changed from October 17, 2025 to May 19, 2026.
The updated Privacy Statement now clarifies that it applies to 23andMe Research Institute and explicitly discloses that users receiving Telehealth Services are subject to a separate Medical Record Privacy Notice that describes how medical information is used and maintained. This addition makes the multi-document privacy framework more transparent at the point of entry to the main privacy policy. Users who use or plan to use Telehealth Services should review the separate Medical Record Privacy Notice to understand how clinical information will be handled.
The updated policy improves transparency by explicitly notifying users at the entry point to the main privacy statement that medical information from Telehealth Services is governed by a separate privacy document. This clarifies the multi-document privacy framework and ensures users seeking clinical services understand where to find applicable privacy terms.
→ If you use or plan to use 23andMe Telehealth Services, review the separate Medical Record Privacy Notice to understand how your medical information will be handled.
→ Telehealth Services users who do not review the separate Medical Record Privacy Notice may be unaware of provisions specific to how their medical information is processed and disclosed.
Updated policy now explicitly discloses that users receiving Telehealth Services are subject to a separate Medical Record Privacy Notice.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
This change is primarily administrative and clarificatory. The updated language establishes that the main Privacy Statement applies to 23andMe Research Institute's operations and adds an explicit disclosure that Telehealth Services are subject to a separate privacy regime. No new substantive obligations appear to be created; rather, the change improves notice of existing document separation. For organizations that reference or rely on 23andMe's privacy framework in vendor assessments or privacy impact analyses, this clarification may warrant a brief review to confirm understanding of the multi-document structure, but no compliance action is indicated.
HIPAA may apply to any medical record or health information collected through Telehealth Services, depending on whether 23andMe or its clinical provider partners constitute covered entities or business associates. The separate Medical Record Privacy Notice would typically address HIPAA compliance. No federal privacy statute directly restricts the organizational restructuring reflected in this change.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002214.
This new provision emphasizes the irreversibility of opting out of research and data deletion, establishing a distinct high-severity provision around research participation consequences.
This new provision clarifies user control over DNA sharing features, elevating genetic data sharing decisions to high severity by creating a separate named provision for this critical choice.
This new provision adds granularity around physical sample storage decisions and irreversibility, giving users explicit awareness of sample destruction options post-analysis.
This addition explicitly separates DNA sharing feature participation from other provisions, emphasizing user control over secondary data uses like relative matching.
This new provision highlights security measures as a standalone disclosure, building transparency around account protection mechanisms.
The removal of this high-severity provision regarding pharmaceutical data sharing represents a significant change in transparency about third-party research commercialization, though content may be integrated into other provisions.
Removal of explicit law enforcement disclosure provision eliminates transparency about government access to genetic data, a critical privacy safeguard previously highlighted.
The removal of this distinct high-severity provision on data transfer during corporate events reduces clarity on what happens to genetic data in M&A or bankruptcy scenarios.
Removal of explicit international data transfer provision eliminates disclosure about cross-border data movement and associated regulatory frameworks affecting user privacy.
The removal of this state-specific privacy rights provision reduces explicit guidance for California residents on their statutory rights and exercise mechanisms.
Removal of explicit provision on post-deletion data retention eliminates clarity about how long genetic information persists after account termination.
Previous version had empty excerpt; current version now provides specific language about automatic opt-out from Research and irreversible sample discard upon account deletion.
Previous version had empty excerpt; current version now provides detailed language specifying that telehealth involves licensed healthcare providers and references separate Medical Record Privacy Notice.
Cross-platform context
See how other platforms handle similar provisions across the ConductAtlas archive.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — Monitor23andMe removed a sentence that described separate privacy protections for telehealth services and updated references to the company name in …
23andMe restructured the opening section of its Terms of Service on May 5, 2026, making three operational changes: (1) The …
23andMe updated its Privacy Statement on April 19, 2026 to clarify that the policy applies to websites owned and operated …
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do…
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 352+ platforms every Sunday.