CA-C-002214
23andMe — 23andMe Privacy Statement
Entity
Date detected
May 21, 2026
Effective date
May 21, 2026
Severity
Low
Direction
Neutral
Affected users
all users telehealth services users
Changes
+1 sentence added · 2 sentences modified
Share 𝕏 Share in Share 🔒 PDF
Watch 23andMe Get alerts when this policy changes.
Watch — Free

Event Summary

On May 21, 2026, 23andMe updated its Privacy Statement to reflect that the policy now applies to websites owned by 23andMe Research Institute rather than 23andMe generally. The update also adds a new disclosure stating that users who receive Telehealth Services will have a separate Medical Record Privacy Notice describing how medical information is handled. Additionally, the contact address was reformatted and the last update date was changed from October 17, 2025 to May 19, 2026.

LOW

Consumer Impact

The updated Privacy Statement now clarifies that it applies to 23andMe Research Institute and explicitly discloses that users receiving Telehealth Services are subject to a separate Medical Record Privacy Notice that describes how medical information is used and maintained. This addition makes the multi-document privacy framework more transparent at the point of entry to the main privacy policy. Users who use or plan to use Telehealth Services should review the separate Medical Record Privacy Notice to understand how clinical information will be handled.

Governance Analysis

The updated policy improves transparency by explicitly notifying users at the entry point to the main privacy statement that medical information from Telehealth Services is governed by a separate privacy document. This clarifies the multi-document privacy framework and ensures users seeking clinical services understand where to find applicable privacy terms.

Available Actions

If you use or plan to use 23andMe Telehealth Services, review the separate Medical Record Privacy Notice to understand how your medical information will be handled.

If No Action Is Taken

Telehealth Services users who do not review the separate Medical Record Privacy Notice may be unaware of provisions specific to how their medical information is processed and disclosed.

Key Clauses Affected

Telehealth Services Privacy Notice

Updated policy now explicitly discloses that users receiving Telehealth Services are subject to a separate Medical Record Privacy Notice.

Full clause-by-clause analysis available with Compliance.
These clauses may change again. Get alerted when they do. Watch 23andMe — Free

This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology

Evidence Verification

✓ Verified
Previous Version
63c2151dde4633ecb5dd07963f13c680243c0545eff1c5db6595cc32e105ce41
May 5, 2026 08:13 UTC
✓ Verified
Current Version
9f05d028e6874d9f14009f97aab94515eb5cfac429a038d9e1c3b790efe1a73f
May 21, 2026 00:16 UTC
✓ Verified
Change Detected
May 21, 2026 00:16 UTC
Analysis Methodology
✓ Verified
Source Document
https://www.23andme.com/legal/privacy/
Citation Record
Entity: 23andMe
Document: 23andMe Privacy Statement
Record ID: CA-C-002214
Captured: 2026-05-21 00:16:12 UTC
URL: https://conductatlas.com/change/2026-05-21-23andme-23andme-privacy-statement-2214/
Accessed: July 8, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
For legal and compliance teams

Institutional Analysis

Assessment

This change is primarily administrative and clarificatory. The updated language establishes that the main Privacy Statement applies to 23andMe Research Institute's operations and adds an explicit disclosure that Telehealth Services are subject to a separate privacy regime. No new substantive obligations appear to be created; rather, the change improves notice of existing document separation. For organizations that reference or rely on 23andMe's privacy framework in vendor assessments or privacy impact analyses, this clarification may warrant a brief review to confirm understanding of the multi-document structure, but no compliance action is indicated.

Regulatory Exposure

HIPAA may apply to any medical record or health information collected through Telehealth Services, depending on whether 23andMe or its clinical provider partners constitute covered entities or business associates. The separate Medical Record Privacy Notice would typically address HIPAA compliance. No federal privacy statute directly restricts the organizational restructuring reflected in this change.

Full compliance analysis

Obligation analysis, escalation trigger, board language, and recommended action.

Monitor $19/mo Compliance $249/mo

Monitor: regulatory citations + obligations. Compliance: full compliance memo.

ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002214.

Clause-Level Changes

New Provisions Added
Research Participation Opt-In and Irreversible Data Sharing
High

This new provision emphasizes the irreversibility of opting out of research and data deletion, establishing a distinct high-severity provision around research participation consequences.

Full clause text available with Compliance. See Compliance →
Genetic Data De-Identification and Third-Party Research Sharing
High

This new provision clarifies user control over DNA sharing features, elevating genetic data sharing decisions to high severity by creating a separate named provision for this critical choice.

Full clause text available with Compliance. See Compliance →
Sample Storage Choice
Medium

This new provision adds granularity around physical sample storage decisions and irreversibility, giving users explicit awareness of sample destruction options post-analysis.

Full clause text available with Compliance. See Compliance →
Sharing Features Participation (DNA Relatives and Connections)
Medium

This addition explicitly separates DNA sharing feature participation from other provisions, emphasizing user control over secondary data uses like relative matching.

Full clause text available with Compliance. See Compliance →
Two-Factor Authentication Account Security
Low

This new provision highlights security measures as a standalone disclosure, building transparency around account protection mechanisms.

Full clause text available with Compliance. See Compliance →
Provisions Removed
Research Consent and Pharmaceutical Data Sharing
High

The removal of this high-severity provision regarding pharmaceutical data sharing represents a significant change in transparency about third-party research commercialization, though content may be integrated into other provisions.

Removed clause text available with Compliance. See Compliance →
Law Enforcement and Legal Process Disclosure
High

Removal of explicit law enforcement disclosure provision eliminates transparency about government access to genetic data, a critical privacy safeguard previously highlighted.

Removed clause text available with Compliance. See Compliance →
Business Asset Transfer in Bankruptcy or Acquisition
High

The removal of this distinct high-severity provision on data transfer during corporate events reduces clarity on what happens to genetic data in M&A or bankruptcy scenarios.

Removed clause text available with Compliance. See Compliance →
International Data Transfers
Medium

Removal of explicit international data transfer provision eliminates disclosure about cross-border data movement and associated regulatory frameworks affecting user privacy.

Removed clause text available with Compliance. See Compliance →
CCPA Rights for California Residents
Medium

The removal of this state-specific privacy rights provision reduces explicit guidance for California residents on their statutory rights and exercise mechanisms.

Removed clause text available with Compliance. See Compliance →
Genetic Data Retention After Account Deletion
Medium

Removal of explicit provision on post-deletion data retention eliminates clarity about how long genetic information persists after account termination.

Removed clause text available with Compliance. See Compliance →
Provisions Modified
Account Deletion and Sample Discard
Medium

Previous version had empty excerpt; current version now provides specific language about automatic opt-out from Research and irreversible sample discard upon account deletion.

Before/after clause text available with Compliance. See Compliance →
Telehealth Services and Separate Medical Record Privacy Notice
Medium

Previous version had empty excerpt; current version now provides detailed language specifying that telehealth involves licensed healthcare providers and references separate Medical Record Privacy Notice.

Before/after clause text available with Compliance. See Compliance →

Cross-platform context

See how other platforms handle similar provisions across the ConductAtlas archive.

Compare across platforms → Browse regulations →

Full Changes

See the full side-by-side comparison of every sentence added, removed, and modified.

🔒 Full diff — Monitor

Document Context

Version history → Policy drift analysis → Document page →
Document
23andMe Privacy Statement
Entity
23andMe
Captured
May 21, 2026
Source URL
https://www.23andme.com/legal/privacy/
Other changes to 23andMe Privacy Statement
Previous change May 5, 2026
23andMe removed a sentence that described separate privacy protections for telehealth services and updated references to the company name in …
Medium Negative
View full version history →
More from 23andMe
May 5, 2026 Medium
23andMe Privacy Statement

23andMe removed a sentence that described separate privacy protections for telehealth services and updated references to the company name in …

May 5, 2026 Medium
23andMe Terms of Service

23andMe restructured the opening section of its Terms of Service on May 5, 2026, making three operational changes: (1) The …

Apr 19, 2026 Low
23andMe Privacy Statement

23andMe updated its Privacy Statement on April 19, 2026 to clarify that the policy applies to websites owned and operated …

Related Analysis
Privacy · April 16, 2026
23andMe Is Bankrupt. What Happens to Your DNA Now?

Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do…

Track 23andMe policy changes

Get alerted when this policy changes again — including what changed and why it matters.

Prefer a weekly summary instead?

Get the biggest policy changes across 352+ platforms every Sunday.