On May 21, 2026, 23andMe updated its Privacy Statement to reflect that the policy now applies to websites owned by 23andMe Research Institute rather than 23andMe generally. The update also adds a new disclosure stating that users who receive Telehealth Services will have a separate Medical Record Privacy Notice describing how medical information is handled. Additionally, the contact address was reformatted and the last update date was changed from October 17, 2025 to May 19, 2026.
The updated Privacy Statement now clarifies that it applies to 23andMe Research Institute and explicitly discloses that users receiving Telehealth Services are subject to a separate Medical Record Privacy Notice that describes how medical information is used and maintained. This addition makes the multi-document privacy framework more transparent at the point of entry to the main privacy policy. Users who use or plan to use Telehealth Services should review the separate Medical Record Privacy Notice to understand how clinical information will be handled.
The updated policy improves transparency by explicitly notifying users at the entry point to the main privacy statement that medical information from Telehealth Services is governed by a separate privacy document. This clarifies the multi-document privacy framework and ensures users seeking clinical services understand where to find applicable privacy terms.
→ If you use or plan to use 23andMe Telehealth Services, review the separate Medical Record Privacy Notice to understand how your medical information will be handled.
→ Telehealth Services users who do not review the separate Medical Record Privacy Notice may be unaware of provisions specific to how their medical information is processed and disclosed.
Updated policy now explicitly discloses that users receiving Telehealth Services are subject to a separate Medical Record Privacy Notice.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
This change is primarily administrative and clarificatory. The updated language establishes that the main Privacy Statement applies to 23andMe Research Institute's operations and adds an explicit disclosure that Telehealth Services are subject to a separate privacy regime. No new substantive obligations appear to be created; rather, the change improves notice of existing document separation. For organizations that reference or rely on 23andMe's privacy framework in vendor assessments or privacy impact analyses, this clarification may warrant a brief review to confirm understanding of the multi-document structure, but no compliance action is indicated.
HIPAA may apply to any medical record or health information collected through Telehealth Services, depending on whether 23andMe or its clinical provider partners constitute covered entities or business associates. The separate Medical Record Privacy Notice would typically address HIPAA compliance. No federal privacy statute directly restricts the organizational restructuring reflected in this change.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002214.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — Monitor23andMe removed a sentence that described separate privacy protections for telehealth services and updated references to the company name in …
23andMe restructured the opening section of its Terms of Service on May 5, 2026, making three operational changes: (1) The …
23andMe updated its Privacy Statement on April 19, 2026 to clarify that the policy applies to websites owned and operated …
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do…
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.