With Research consent, 23andMe may share your genetic and self-reported health data with third-party academic or commercial research partners in de-identified or aggregated form.
This analysis describes what 23andMe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy authorizes sharing of genetic data with external research partners, and the practical protection depends entirely on the robustness of the de-identification method used, which the summary document does not detail.
Interpretive note: The summary version of the document references research participation and data sharing generally; the specific de-identification methodology and third-party partner categories are described in the full Privacy Statement which was not fully provided.
The updated privacy statement no longer explicitly directs users to a separate Medical Record Privacy Notice for telehealth services or explains that medical information collected through telehealth …
The updated privacy statement no longer explicitly discloses a separate Medical Record Privacy Notice that previously described how medical information is used, disclosed, and maintained for teleheal…
Users who opt into Research authorize 23andMe to share de-identified genetic and health data with third-party partners, and the degree of re-identification risk depends on the specific de-identification methodology applied, which is not described in the summary version of this policy.
How other platforms handle this
We may share your information with third-party advertising partners to provide you with targeted advertising. We also work with third-party analytics providers who help us understand how users interact with our Services. These third parties may use cookies, web beacons, and similar tracking technolo...
We process personal data you provide to Oura to enable third party integrations, services, features, and offerings. For example, with your permission, our Services may integrate with third-party services like Google Health Connect and Apple HealthKit, or those of our partners. Oura takes measures to...
We may share your personal data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. We may also share your personal data with advertising partners to display relevant advertising to y...
Monitoring
23andMe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"You decide whether you want to participate in our sharing features, like DNA Relatives and Your Connections.— Excerpt from 23andMe's 23andMe Privacy Statement
REGULATORY LANDSCAPE: De-identification of genetic data for research purposes engages HIPAA Safe Harbor and Expert Determination standards in the US, GDPR anonymization requirements in Europe (which are more stringent than HIPAA Safe Harbor), and California Genetic Information Privacy Act provisions. Regulatory bodies including HHS OCR and the FTC have published guidance on re-identification risk for genetic data. GOVERNANCE EXPOSURE: High. Genetic data has well-documented re-identification risk even when de-identified under standard methods; research published in peer-reviewed literature has demonstrated that genomic datasets can be re-identified using publicly available reference data. The adequacy of 23andMe's de-identification methodology is therefore a material governance question that the summary policy does not resolve. JURISDICTION FLAGS: EU and UK data protection authorities may not consider HIPAA Safe Harbor de-identification to meet the GDPR standard for anonymization, meaning genetic data shared with research partners could still constitute personal data under GDPR, requiring lawful basis for transfer and adequate safeguards for international transfers. California and Illinois impose additional genetic data protections. CONTRACT AND VENDOR IMPLICATIONS: Research partner agreements should be reviewed for data use limitations, prohibition on re-identification attempts, and data destruction timelines. B2B contracts with research partners should address indemnification for re-identification events and compliance with applicable law in the partner's jurisdiction. COMPLIANCE CONSIDERATIONS: Compliance teams should request the full Privacy Statement and any supplementary Research Consent Documents to evaluate the specific de-identification methodology and compare it against GDPR anonymization standards. Data mapping should track which third-party partners have received genetic data and under what contractual terms.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy authorizes sharing of genetic data with external research partners, and the practical protection depends entirely on the robustness of the de-identification method used, which the summary document does not detail.
Users who opt into Research authorize 23andMe to share de-identified genetic and health data with third-party partners, and the degree of re-identification risk depends on the specific de-identification methodology applied, which is not described in the summary version of this policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by 23andMe.