8 Total
3 High severity
4 Medium severity
1 Low severity
Summary

This document establishes 23andMe's data collection, use, and sharing practices for genetic testing services, including DNA information, health data, and personal identifiers. The policy authorizes sharing genetic and health data with third-party research partners in de-identified form when users opt into Research participation, and permits transfer of personal and genetic data to successor entities in the event of merger, acquisition, or bankruptcy. Users may modify Research participation status, sample storage preferences, and request account deletion through account settings, though the policy specifies that data already incorporated into completed research or previously shared with third parties cannot be recalled upon deletion.

Technical / Legal Breakdown

This Privacy Statement, published by 23andMe Research Institute, governs the collection, use, storage, processing, and transfer of personal information across all 23andMe websites, the mobile app, and related services, including genetic testing and optional telehealth services for which a separate Medical Record Privacy Notice applies. The agreement states that 23andMe collects genetic information, self-reported health and demographic data, web and app usage data, device identifiers, and payment information; the terms authorize use of this data for product improvement, research (with separate consent), and sharing with service providers, business partners, and successors in interest. The policy discloses that genetic and health data contributed to Research may be shared with third-party research partners in de-identified or aggregated form, and that in a business transfer scenario such as a merger or bankruptcy, personal and genetic data may be transferred to an acquiring entity, creating operationally distinct exposure given the sensitivity of genomic information. The agreement asserts that users retain certain deletion rights but notes that data already incorporated into research or shared with third parties prior to deletion may not be fully recoverable. This document engages GDPR for EU/EEA users, and CCPA and the California Genetic Information Privacy Act for California residents. HIPAA considerations arise at the margins given the health-related nature of the data, though 23andMe is not a covered entity for its primary DTC service, and the FTC has authority over unfair or deceptive privacy practices applicable to this document. Given 23andMe's pending bankruptcy proceedings and the sensitivity of genomic data held at scale, compliance teams should evaluate data transfer obligations, successor entity consent requirements, and the adequacy of de-identification standards used prior to third-party research sharing.


3 important changes detected

4 versions captured · Last updated: May 2026

May 5, 2026 medium

What changed: 23andMe removed a sentence that described separate privacy protections for telehealth services and updated references to the company name in the scope statement and contact section. The removed language previously directed users to a separate Medical Record Privacy Notice for telehealth-related medical information. The updated privacy statement no longer explicitly references this separate notice or explains how medical information collected through telehealth services is handled under different privacy rules.

Why this matters: The updated privacy statement no longer explicitly directs users to a separate Medical Record Privacy Notice for telehealth services or explains that medical information collected through telehealth is governed by different privacy rules. Previously, the policy stated that users choosing telehealth services coordinated through 23andMe would find healthcare privacy protections described in a separate notice. That reference is now absent from the main privacy statement. Users seeking privacy information specific to telehealth services will need to determine independently whether a separate notice exists or contact 23andMe directly using the provided contact information.

What changed: 23andMe updated its Privacy Statement on April 19, 2026 to clarify that the policy applies to websites owned and operated by 23andMe Research Institute rather than 23andMe broadly. The update also adds disclosure that users who receive Telehealth Services through licensed healthcare providers are subject to a separate Medical Record Privacy Notice describing how medical information is handled. A minor address formatting change was also made.

Why this matters: The updated Privacy Statement now clarifies that it is issued by 23andMe Research Institute and applies to the company's websites and services. Users who receive Telehealth Services through licensed healthcare providers are now explicitly directed to a separate Medical Record Privacy Notice that governs how their medical information is used and maintained. This clarification distinguishes general privacy practices from medical record handling practices.

March 23, 2026 medium

23andMe removed a reference to its Research Institute from the opening scope statement, changing 'websites owned and operated by 23andMe Research Institute' to 'websites owned and operated by 23andMe'. The …


Archival Provenance: Source & Archival Record

Last Captured: May 5, 2026 08:13 UTC
Capture Method: Automated scheduled archival capture
Document ID: CA-D-000148
Version ID: CA-V-002162
SHA-256: 63c2151dde4633ecb5dd07963f13c680243c0545eff1c5db6595cc32e105ce41
Status: ✓ Snapshot stored, ✓ Text extracted, ✓ Change verified, ✓ Hash verified
