23andMe · 23andMe Privacy Statement

Data Sharing with Third-Party Service Providers

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

23andMe shares your personal information with outside companies that help run their business, like cloud storage providers, payment processors, and marketing companies, with a requirement that those companies only use your data for the contracted purpose.

Consumer impact (what this means for users)

Your genetic and personal data is shared with an unspecified number of third-party vendors for cloud storage, payments, marketing, and analytics purposes, expanding the surface area of potential data exposure beyond 23andMe's own systems. The contractual use limitation provides some protection but does not give consumers visibility into which specific vendors receive what data.

Cross-platform context

See how other platforms handle Data Sharing with Third-Party Service Providers and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Every additional company that receives your data — including your genetic and health information — represents another potential point of exposure in the event of a breach or unauthorized use.

View original clause language
We share your information with third-party service providers, business partners, and other vendors that help us provide our Services, operate our business, and communicate with you. These third parties may include, for example, companies that provide services like cloud computing and storage, payment processing, customer support, marketing, and analytics. We require these third parties to use your personal information only as necessary to provide the service or perform the function for which we've contracted with them.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: GDPR Art. 28 requires written data processing agreements with all processors handling personal data on behalf of the controller, including mandatory provisions on security, subprocessing, audit rights, and data return/deletion. CCPA §1798.140 distinguishes between service providers (subject to contractual use limitations) and third parties (not subject to such limitations) — misclassification creates liability. FTC Act Section 5 requires reasonable data security across the vendor chain.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    The FTC has authority to investigate inadequate vendor oversight and data security practices under FTC Act Section 5, particularly where third-party data sharing leads to consumer harm.
    File a complaint →

Provision details

Document information
Document
23andMe Privacy Statement
Entity
23andMe
Document last updated
April 29, 2026
Tracking information
First tracked
April 27, 2026
Last verified
April 27, 2026
Record ID
CA-P-003468
Document ID
CA-D-00148
Evidence Provenance
Source URL
https://www.23andme.com/legal/privacy/
Wayback Machine
View archived versions →
SHA-256
dc3df5a6c7d5e8a0428d5086d3cf2f15f5072911b18402048166183c31b60dd4
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: 23andMe | Document: 23andMe Privacy Statement | Record: CA-P-003468
Captured: 2026-04-27 13:30:15 UTC | SHA-256: dc3df5a6c7d5e8a0…
URL: https://conductatlas.com/platform/23andme/23andme-privacy-statement/data-sharing-with-third-party-service-providers/
Accessed: May 2, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document