23andMe · 23andMe Privacy Statement

De-Identification and Aggregation of Genetic Data

High severity

What it is

23andMe can use your genetic and health data with identifying details removed, and claims that this 'de-identified' data can be used without restriction — meaning it can be shared or sold without the usual consent requirements.

Consumer impact (what this means for users)

Because 23andMe can use and share de-identified genetic data without restriction, your DNA-derived information may flow to third parties in ways you cannot control or opt out of, and the re-identification risk for genetic data is scientifically recognized as non-trivial. This provision effectively enables broad commercial use of your genetic information outside the consent framework.

Why it matters (compliance & risk perspective)

Multiple academic studies have demonstrated that genetic data can be re-identified even after standard de-identification, making the 'use without restriction' claim potentially risky — your de-identified DNA may not be as anonymous as the policy implies.

Original clause language
23andMe may use your Genetic Information and/or Self-Reported Information in a de-identified or aggregated form. De-identified data is data that has had all identifying information removed or altered so that a reasonable person would not be able to identify you from this data. Aggregated data is a collection of individual data that has been combined so that individual results are not visible. We may use de-identified or aggregated information without restriction.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: GDPR Art. 4(1) and Recital 26 set the standard for anonymization (data must be irreversibly anonymized to fall outside GDPR scope). The FTC's 2012 Privacy Report guidance on de-identification requires reasonable technical and administrative safeguards, a commitment not to re-identify, and downstream contractual obligations. CCPA §1798.140(a) defines 'aggregate consumer information' as data that cannot reasonably be linked to a consumer, with the standard being a reasonable person test. OCR guidance under HIPAA establishes Safe Harbor and Expert Determination de-identification standards (45 CFR §164.514).

Applicable agencies

  • FTC
    The FTC has issued guidance on de-identification standards and has enforcement authority over deceptive claims about anonymization of consumer data under FTC Act Section 5.

Provision details

Document information
Document: 23andMe Privacy Statement
Entity: 23andMe
Document last updated: April 29, 2026

Tracking information
First tracked: April 27, 2026
Last verified: April 27, 2026
Record ID: CA-P-003466
Document ID: CA-D-00148

Evidence Provenance
Source URL
Wayback Machine
SHA-256: dc3df5a6c7d5e8a0428d5086d3cf2f15f5072911b18402048166183c31b60dd4
Verified: ✓ Snapshot stored   ✓ Change verified

How to Cite
ConductAtlas Policy Archive
Entity: 23andMe | Document: 23andMe Privacy Statement | Record: CA-P-003466
Captured: 2026-04-27 13:30:15 UTC | SHA-256: dc3df5a6c7d5e8a0…
URL: https://conductatlas.com/platform/23andme/23andme-privacy-statement/de-identification-and-aggregation-of-genetic-data/
Accessed: May 2, 2026

Classification
Severity: High