With Research consent, 23andMe may share your genetic and self-reported health data with third-party academic or commercial research partners in de-identified or aggregated form.
This analysis describes what 23andMe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy authorizes sharing of genetic data with external research partners, and the practical protection depends entirely on the robustness of the de-identification method used, which the summary document does not detail.
Interpretive note: The summary version of the document references research participation and data sharing generally; the specific de-identification methodology and third-party partner categories are described in the full Privacy Statement which was not fully provided.
The updated privacy statement no longer explicitly directs users to a separate Medical Record Privacy Notice for telehealth services or explains that medical information collected through telehealth is governed by different privacy rules. Previously, the policy stated that users choosing telehealth services coordinated through 23andMe would find healthcare privacy protections described in a separate notice. That reference is now absent from the main privacy statement. Users seeking privacy information specific to telehealth services will need to determine independently whether a separate notice exists or contact 23andMe directly using the provided contact information.
View change record →The updated privacy statement no longer explicitly discloses a separate Medical Record Privacy Notice that previously described how medical information is used, disclosed, and maintained for telehealth services. Users who receive telehealth services coordinated through 23andMe may now lack clear notice of which privacy framework governs their medical records, since the reference to that parallel notice has been removed. The organizational scope change from '23andMe Research Institute' to '23andMe' narrows the explicitly named entities responsible for the policy, though operational impact depends on how these entities actually function.
View change record →This new provision clarifies user control over DNA sharing features, elevating genetic data sharing decisions to high severity by creating a separate named provision for this critical choice.
View full change record →Users who opt into Research authorize 23andMe to share de-identified genetic and health data with third-party partners, and the degree of re-identification risk depends on the specific de-identification methodology applied, which is not described in the summary version of this policy.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
23andMe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"You decide whether you want to participate in our sharing features, like DNA Relatives and Your Connections.— Excerpt from 23andMe's 23andMe Privacy Statement
REGULATORY LANDSCAPE: De-identification of genetic data for research purposes engages HIPAA Safe Harbor and Expert Determination standards in the US, GDPR anonymization requirements in Europe (which are more stringent than HIPAA Safe Harbor), and California Genetic Information Privacy Act provisions. Regulatory bodies including HHS OCR and the FTC have published guidance on re-identification risk for genetic data. GOVERNANCE EXPOSURE: High. Genetic data has well-documented re-identification risk even when de-identified under standard methods; research published in peer-reviewed literature has demonstrated that genomic datasets can be re-identified using publicly available reference data. The adequacy of 23andMe's de-identification methodology is therefore a material governance question that the summary policy does not resolve. JURISDICTION FLAGS: EU and UK data protection authorities may not consider HIPAA Safe Harbor de-identification to meet the GDPR standard for anonymization, meaning genetic data shared with research partners could still constitute personal data under GDPR, requiring lawful basis for transfer and adequate safeguards for international transfers. California and Illinois impose additional genetic data protections. CONTRACT AND VENDOR IMPLICATIONS: Research partner agreements should be reviewed for data use limitations, prohibition on re-identification attempts, and data destruction timelines. B2B contracts with research partners should address indemnification for re-identification events and compliance with applicable law in the partner's jurisdiction. COMPLIANCE CONSIDERATIONS: Compliance teams should request the full Privacy Statement and any supplementary Research Consent Documents to evaluate the specific de-identification methodology and compare it against GDPR anonymization standards. Data mapping should track which third-party partners have received genetic data and under what contractual terms.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy authorizes sharing of genetic data with external research partners, and the practical protection depends entirely on the robustness of the de-identification method used, which the summary document does not detail.
Users who opt into Research authorize 23andMe to share de-identified genetic and health data with third-party partners, and the degree of re-identification risk depends on the specific de-identification methodology applied, which is not described in the summary version of this policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by 23andMe.