How does 23andMe's 23andMe Privacy Statement affect users?

The policy establishes that 23andMe collects genetic information, self-reported health and demographic data, device identifiers, and payment information, and authorizes disclosure of this data to service providers, research partners, and successor entities in defined circumstances. Users who participate in Research consent to sharing de-identified genetic and health data with third parties; this shared data remains subject to third-party terms and cannot be recovered through account deletion. T…

How often is 23andMe's 23andMe Privacy Statement updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when 23andMe updates this document?

Yes. Monitor subscribers ($19/month) can add 23andMe to their watchlist and receive same-day email alerts whenever this document or any other 23andMe document changes.

CA-D-000148

23andMe Privacy Statement

23andMe

Last change detected May 21, 2026 Privacy policy

SHA-256: 9f05d028e6874d9f140… 5 versions captured 4 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at 23andMe ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

3 High severity

4 Medium severity

1 Low severity

Summary

This document establishes 23andMe's data collection, use, and sharing practices for genetic testing services, including DNA information, health data, and personal identifiers. The policy authorizes sharing genetic and health data with third-party research partners in de-identified form when users opt into Research participation, and permits transfer of personal and genetic data to successor entities in the event of merger, acquisition, or bankruptcy. Users may modify Research participation status, sample storage preferences, and request account deletion through account settings, though the policy specifies that data already incorporated into completed research or previously shared with third parties cannot be recalled upon deletion.

Technical / Legal Breakdown

This Privacy Statement, published by 23andMe Research Institute, governs the collection, use, storage, processing, and transfer of personal information across all 23andMe websites, the mobile app, and related services, including genetic testing and optional telehealth services for which a separate Medical Record Privacy Notice applies. The agreement states that 23andMe collects genetic information, self-reported health and demographic data, web and app usage data, device identifiers, and payment information; the terms authorize use of this data for product improvement, research (with separate consent), and sharing with service providers, business partners, and successors in interest. The policy discloses that genetic and health data contributed to Research may be shared with third-party research partners in de-identified or aggregated form, and that in a business transfer scenario such as a merger or bankruptcy, personal and genetic data may be transferred to an acquiring entity, creating operationally distinct exposure given the sensitivity of genomic information; the agreement asserts that users retain certain deletion rights but notes that data already incorporated into research or shared with third parties prior to deletion may not be fully recoverable. This document engages GDPR for EU/EEA users, CCPA and California Genetic Information Privacy Act for California residents, HIPAA considerations arise at the margins given the health-related nature of data though 23andMe is not a covered entity for its primary DTC service, and the FTC has authority over unfair or deceptive privacy practices applicable to this document. Given 23andMe's pending bankruptcy proceedings and the sensitivity of genomic data held at scale, compliance teams should evaluate data transfer obligations, successor entity consent requirements, and the adequacy of de-identification standards used prior to third-party research sharing.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

4 important changes detected

5 versions captured · Last updated: May 2026

May 21, 2026

low

What changed On May 21, 2026, 23andMe updated its Privacy Statement to reflect that the policy now applies to websites owned by 23andMe Research Institute rather than 23andMe generally. The update also adds a new disclosure stating that users who receive Telehealth Services will have a separate Medical Record Privacy Notice describing how medical information is handled. Additionally, the contact address was reformatted and the last update date was changed from October 17, 2025 to May 19, 2026.

Why this matters The updated Privacy Statement now clarifies that it applies to 23andMe Research Institute and explicitly discloses that users receiving Telehealth Services are subject to a separate Medical Record Privacy Notice that describes how medical information is used and maintained. This addition makes the multi-document privacy framework more transparent at the point of entry to the main privacy policy. Users who use or plan to use Telehealth Services should review the separate Medical Record Privacy Notice to understand how clinical information will be handled.

View full change record →

May 5, 2026

medium

What changed 23andMe removed a sentence that described separate privacy protections for telehealth services and updated references to the company name in the scope statement and contact section. The removed language previously directed users to a separate Medical Record Privacy Notice for telehealth-related medical information. The updated privacy statement no longer explicitly references this separate notice or explains how medical information collected through telehealth services is handled under different privacy rules.

Why this matters The updated privacy statement no longer explicitly directs users to a separate Medical Record Privacy Notice for telehealth services or explains that medical information collected through telehealth is governed by different privacy rules. Previously, the policy stated that users choosing telehealth services coordinated through 23andMe would find healthcare privacy protections described in a separate notice. That reference is now absent from the main privacy statement. Users seeking privacy information specific to telehealth services will need to determine independently whether a separate notice exists or contact 23andMe directly using the provided contact information.

View full change record →

April 19, 2026 low

23andMe updated its Privacy Statement on April 19, 2026 to clarify that the policy applies to websites owned and operated by 23andMe Research Institute rather than 23andMe broadly. The update …

View change record →

March 23, 2026 medium

23andMe removed a reference to its Research Institute from the opening scope statement, changing 'websites owned and operated by 23andMe Research Institute' to 'websites owned and operated by 23andMe'. The …

View change record →

Recent Provision Changes May 21, 2026

Added (5)

Research Participation Opt-In and Irreversible Data Sharing High

This new provision emphasizes the irreversibility of opting out of research and data deletion, establishing a distinct high-severity provision around research participation consequences.

Genetic Data De-Identification and Third-Party Research Sharing High

This new provision clarifies user control over DNA sharing features, elevating genetic data sharing decisions to high severity by creating a separate named provision for this critical choice.

Sample Storage Choice Medium

This new provision adds granularity around physical sample storage decisions and irreversibility, giving users explicit awareness of sample destruction options post-analysis.

Sharing Features Participation (DNA Relatives and Connections) Medium

This addition explicitly separates DNA sharing feature participation from other provisions, emphasizing user control over secondary data uses like relative matching.

Two-Factor Authentication Account Security Low

This new provision highlights security measures as a standalone disclosure, building transparency around account protection mechanisms.

Removed (6)

Research Consent and Pharmaceutical Data Sharing

The removal of this high-severity provision regarding pharmaceutical data sharing represents a significant change in transparency about third-party research commercialization, though content may be integrated into other provisions.

Law Enforcement and Legal Process Disclosure

Removal of explicit law enforcement disclosure provision eliminates transparency about government access to genetic data, a critical privacy safeguard previously highlighted.

Business Asset Transfer in Bankruptcy or Acquisition

The removal of this distinct high-severity provision on data transfer during corporate events reduces clarity on what happens to genetic data in M&A or bankruptcy scenarios.

International Data Transfers

Removal of explicit international data transfer provision eliminates disclosure about cross-border data movement and associated regulatory frameworks affecting user privacy.

CCPA Rights for California Residents

The removal of this state-specific privacy rights provision reduces explicit guidance for California residents on their statutory rights and exercise mechanisms.

Modified (2)

Account Deletion and Sample Discard

Previous version had empty excerpt; current version now provides specific language about automatic opt-out from Research and irreversible sample discard upon account deletion.

Telehealth Services and Separate Medical Record Privacy Notice

Previous version had empty excerpt; current version now provides detailed language specifying that telehealth involves licensed healthcare providers and references separate Medical Record Privacy Notice.

View full change record →

High — 3 provisions

Business Transfer and Bankruptcy Data Transfer Compare →

If 23andMe is sold, merges with another company, or goes through bankruptcy, your genetic and personal data may be transferred to the new owner as part of that transaction.

Added May 12, 2026 Standard Seen across 284 platforms
Research Participation Opt-In and Irreversible Data Sharing Compare →

If you previously opted into Research, genetic and health data you contributed may already have been shared with third-party research partners and cannot be recalled, even if you later withdraw consent or delete your account.

Added May 12, 2026 Standard Seen across 284 platforms
Genetic Data De-Identification and Third-Party Research Sharing Compare →

With Research consent, 23andMe may share your genetic and self-reported health data with third-party academic or commercial research partners in de-identified or aggregated form.

Added May 12, 2026 Standard Seen across 284 platforms

Medium — 4 provisions

Account Deletion and Sample Discard Compare →

You can permanently delete your 23andMe account, which also removes you from Research and destroys your physical DNA sample, but this action is irreversible and cannot be undone.

Added May 10, 2026 Standard Seen across 284 platforms
Sample Storage Choice Compare →

You can choose whether 23andMe stores your physical DNA sample for potential future testing; if you choose to discard it, the sample is destroyed after lab processing and that choice cannot be undone.

Added May 10, 2026 Standard Seen across 284 platforms
Sharing Features Participation (DNA Relatives and Connections) Compare →

Participation in features like DNA Relatives, which connects you with genetic relatives identified in the 23andMe database, is optional and user-controlled.

Added May 12, 2026 Standard Seen across 284 platforms
Telehealth Services and Separate Medical Record Privacy Notice Compare →

If you use 23andMe's optional telehealth services, a separate privacy notice applies to your medical information, because the clinical services are provided through licensed healthcare providers subject to additional regulations.

Added May 12, 2026 Standard Seen across 284 platforms

Low — 1 provision

Two-Factor Authentication Account Security Compare →

23andMe requires two-factor authentication to protect user accounts, which provides an additional security layer beyond a password.

Added May 12, 2026 Standard Seen across 284 platforms

Monitoring

23andMe has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Business Asset Transfer in Bankruptcy or Acquisition and similar clauses.

Compare across platforms →

Related Analysis

Privacy · April 16, 2026

23andMe Is Bankrupt. What Happens to Your DNA Now?

Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do…

Archival ProvenanceSource & Archival Record

Last Captured May 21, 2026 00:16 UTC

Capture Method Automated scheduled archival capture

Document ID CA-D-000148

Version ID CA-V-002815

Source URL https://www.23andme.com/legal/privacy/

Wayback Machine View external archival references →

SHA-256 9f05d028e6874d9f14009f97aab94515eb5cfac429a038d9e1c3b790efe1a73f

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

23andMe Privacy Statement

May 21, 2026

May 5, 2026

Recent Provision Changes May 21, 2026

Related Analysis

Monitor governance changes across the platforms you rely on.