Provisions flagged: 8 total (3 high severity, 5 medium severity, 0 low severity)
Summary

This is 23andMe's privacy policy, the document that explains what personal and genetic information they collect when you use their DNA testing service, how they use it, and who they share it with. When you send in your DNA sample, 23andMe stores your genetic data and may use it for research (only with your separate consent) or disclose it to law enforcement under certain circumstances. You have the right to delete your account, request that your stored sample be discarded, and opt out of research participation at any time.

Technical Summary

23andMe's Privacy Statement governs the collection, use, storage, processing, and transfer of personal and genetic information across its websites, mobile app, and related services, including DNA testing and telehealth offerings. The document describes multiple categories of data collected — including genetic data, self-reported health information, web usage data, and biometric identifiers — and outlines lawful bases for processing including consent, contractual necessity, and legitimate interests. Key provisions address the optional Research consent program (which allows de-identified genetic data to be shared with third-party researchers and pharmaceutical partners), law enforcement disclosure protocols, data retention practices, and consumer rights including account deletion, sample discard, and data portability. A separate Medical Record Privacy Notice governs telehealth-related health data. The policy extends jurisdiction-specific rights to California residents (CCPA), EU/EEA users (GDPR), and UK users, and notes that genetic data may be transferred internationally.

Institutional Analysis

This policy engages CCPA (California residents' rights to access, deletion, and opt-out of data sale), GDPR/UK GDPR (lawful bases, data subject rights, international transfers, and DPA appointment for EEA/UK users), and HIPAA-adjacent frameworks via a separate Medical Record Privacy Notice for tele…

Evidence Provenance
Captured March 23, 2026 06:06 UTC
Document ID CA-D-000148
Version ID CA-V-000262
SHA-256 be863c02dd341ceefbb481ae19e75d132ba37ad264b47f9c54852f31b6a0bcae
Pipeline status: snapshot stored, text extracted, change verified, cryptographically signed
Change Timeline
Analyzed Changes

1 change analyzed since monitoring began.

What changed 23andMe updated their 23andMe Privacy Statement on March 23, 2026. Change detected: 1 sentence(s) removed, 3 sentence(s) modified. Document contained 33 sentences after update.
Consumer impact 23andMe removed explicit mention of a separate Medical Record Privacy Notice that previously informed Telehealth users how their medical information would be used, disclosed, and maintained. This means users who have received or plan to receive Telehealth Services through 23andMe are no longer clearly directed to dedicated medical record privacy protections within this policy. You can contact 23andMe's Privacy Administrator at privacy@23andme.com to ask whether a Medical Record Privacy Notice still exists and how your medical data is being handled.
Why it matters The removal of the Telehealth Medical Record Privacy Notice reference means users who have shared sensitive health and medical data through 23andMe's clinical services are no longer explicitly informed of dedicated protections for that data. This is particularly significant given the sensitivity of genetic and medical information and the heightened legal protections that apply to it.