What are the institutional and regulatory implications of this document?

REGULATORY EXPOSURE: This document engages GDPR Art. 9 (special category genetic and health data processing requiring explicit consent), GDPR Art. 17 (right to erasure with research exemption under Art. 17(3)(d)), CCPA/CPRA Cal. Civ. Code §1798.100, §1798.121 (sensitive personal information including genetic data and biometric data), HIPAA 45 CFR Parts 160/164 (engaged tangentially via Telehealth/Medical Record Privacy Notice), FTC Act Section 5 (unfair or deceptive practices), and potentially …

How does 23andMe's 23andMe Privacy Statement affect users?

23andMe collects highly sensitive genetic, health, and self-reported data that can be shared with third-party pharmaceutical and biotech research partners if users opt into the Research program, creating significant and potentially irreversible privacy exposure given the unique identifiability of genetic data. Account deletion triggers sample discard and research opt-out, but data already contributed to research studies may remain in use in de-identified form, meaning consumers cannot fully rec…

How often is 23andMe's 23andMe Privacy Statement updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when 23andMe updates this document?

Yes. Watcher subscribers ($9.99/month) can add 23andMe to their watchlist and receive same-day email alerts whenever this document or any other 23andMe document changes.

23andMe Privacy Statement — 23andMe

9 Total

4 High severity

5 Medium severity

0 Low severity

Summary

This is 23andMe's privacy policy, explaining how the company collects and uses your DNA, health history, and personal information when you use their genetic testing service. The most important thing to know is that if you opt into their Research program, your genetic data and health information may be shared with pharmaceutical and biotech companies for drug development — and data already contributed to research may not be fully deleted even if you close your account. You should review your Research participation settings in your account and consider whether to opt out of the Research program if you do not want your genetic data used for commercial research purposes.

Technical Summary

This Privacy Statement governs 23andMe Research Institute's collection, use, storage, processing, and transfer of personal information — including genetic data, health information, and self-reported data — across all 23andMe websites, mobile applications, and Services, with legal basis grounded in user consent, contractual necessity, and legitimate interests depending on jurisdiction. The most significant obligations created include 23andMe's right to share de-identified or aggregated genetic and phenotypic data with third-party research partners, including pharmaceutical and biotech companies, subject to user opt-in consent for the Research program; to store biometric/genetic samples unless users affirmatively elect destruction; and to retain certain data even after account deletion. Notable provisions that deviate from industry standard include the explicit commercial research use of genetic data (including potential sharing with drug development partners), the collection of data about non-users through the DNA Relatives feature, and the fact that deletion of an account does not guarantee deletion of already-contributed research data or derived research outputs. The policy engages CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.) for California residents, GDPR and UK GDPR for EU/UK users, HIPAA tangentially via a separate Medical Record Privacy Notice for Telehealth users, and FTC Act Section 5 unfair or deceptive practices standards; material compliance considerations include the sensitivity of genetic data as a special category under GDPR Art. 9, CCPA's treatment of biometric and health information as sensitive personal information, and ongoing scrutiny following 23andMe's 2023 data breach affecting approximately 6.9 million users.

Evidence Provenance

Captured April 19, 2026 06:10 UTC

Document ID CA-D-000148

Version ID CA-V-000707

Source URL https://www.23andme.com/legal/privacy/

Wayback Machine View archived versions →

SHA-256 4851ad5bc2887091dff5a5fdc05b1c8baf2f5ae01a36da01d5f8c2bc3e1ced68

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Institutional Analysis

🔒 Institutional analysis locked

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Upgrade to Professional — $149/mo

Change Timeline

April 19, 2026 — Document updated medium

On April 19, 2026, 23andMe updated their Privacy Statement to clarify that the policy now applies to '23andMe Research Institute' rather than simply '23andMe,' and added a notice that users who opt into Telehealth Services will have a separate Medical Record Privacy Notice governing their medical information. A minor formatting fix was also made to the mailing address. The telehealth addition is the most significant change, as it signals that medical data collected through telehealth is handled under a distinct privacy framework.

1 added · 2 modified
View diff → View full record →
4851ad5b…
March 23, 2026 — Document updated medium

On March 23, 2026, 23andMe updated their privacy statement in several small but notable ways. They removed a sentence explaining that a separate Medical Record Privacy Notice exists for users of their Telehealth Services, changed the document title to include 'International,' and updated the controlling entity name from '23andMe Research Institute' to simply '23andMe' in one clause. The removal of the telehealth notice reference means users may no longer be clearly directed to information about how their medical records are handled.

· 1 removed · 3 modified
View diff → View full record →
be863c02…
March 19, 2026 — Initial capture

Initial snapshot — monitoring begins

b37a7553…

View full version history (0 captures) →

Analyzed Changes

2 changes analyzed since monitoring began.

Updated April 19, 2026

medium

What changed 23andMe updated their 23andMe Privacy Statement on April 19, 2026. Change detected: 1 sentence(s) added, 2 sentence(s) modified. Document contained 34 sentences after update.

Consumer impact If you use 23andMe's Telehealth Services, your medical information is now explicitly governed by a separate Medical Record Privacy Notice, not just the general Privacy Statement — meaning different rules may apply to how your health data is used and shared. The renaming of the controller to '23andMe Research Institute' may also affect how your rights are exercised against the entity holding your data. You can review the separate Medical Record Privacy Notice on 23andMe's website to understand how your telehealth medical information is specifically handled.

Why it matters The introduction of a separate Medical Record Privacy Notice for telehealth users means that the rules governing your most sensitive health data are no longer consolidated in a single document, requiring users to seek out and review an additional policy. The controller rename to '23andMe Research Institute' also clarifies the legal entity responsible for your data, which matters if you ever need to exercise privacy rights or pursue a legal remedy.

Updated March 23, 2026

medium

What changed 23andMe updated their 23andMe Privacy Statement on March 23, 2026. Change detected: 1 sentence(s) removed, 3 sentence(s) modified. Document contained 33 sentences after update.

Consumer impact 23andMe removed a sentence that previously informed users that a separate Medical Record Privacy Notice governs how their medical information is used when accessing Telehealth Services. Without this explicit pointer, users may not know a separate notice exists or where to find it, reducing transparency around sensitive health data handling. If you use or have used 23andMe's Telehealth Services, you should proactively contact privacy@23andme.com to ask how your medical records are currently governed.

Why it matters Removing the explicit reference to a separate Medical Record Privacy Notice leaves Telehealth Services users without a clear guide to how their sensitive medical data is governed, which is a meaningful transparency reduction for one of the most sensitive categories of personal information. The entity name change may also invalidate existing legal agreements referencing '23andMe Research Institute.'

Recent Clause-Level Changes Apr 19, 2026

8 provisions unchanged.

View full change record →

High Severity — 4 provisions

Research Program Genetic Data Sharing

If you opt into 23andMe's Research program, your DNA and health information can be shared with drug companies and biotech firms for research and drug development purposes.

Added April 27, 2026
Post-Deletion Research Data Retention

Even if you delete your 23andMe account or request your DNA sample be destroyed, any genetic data already contributed to research studies may continue to be used — you cannot get it back.

Added April 27, 2026
Law Enforcement Disclosure Without Notice

23andMe can hand over your DNA and personal information to police or government agencies in response to legal demands, and in some cases may do so without a court order if the company believes it's necessary to prevent harm or fraud.

Added April 27, 2026
De-Identification and Aggregation of Genetic Data

23andMe can use your genetic and health data with identifying details removed, and claims that this 'de-identified' data can be used without restriction — meaning it can be shared or sold without the usual consent requirements.

Added April 27, 2026

Medium Severity — 5 provisions

DNA Sample Storage Choice

You can decide whether 23andMe keeps your physical DNA sample after testing or destroys it — but once you choose destruction, that decision is permanent and cannot be undone.

Added April 27, 2026
California Consumer Privacy Rights

If you live in California, you have specific legal rights over your data including the right to know what 23andMe has, the right to delete it, to correct errors, and to opt out of your data being sold or shared.

Added April 27, 2026
Data Sharing with Third-Party Service Providers

23andMe shares your personal information with outside companies that help run their business, like cloud storage providers, payment processors, and marketing companies, with a requirement that those companies only use your data for the contracted purpose.

Added April 27, 2026
Telehealth and Medical Record Privacy Notice

If you use 23andMe's telehealth service, a completely separate privacy document — not this one — governs your medical records and clinical health information.

Added April 27, 2026
Account Deletion and Irreversibility

You can close your 23andMe account at any time, which will stop your participation in research and destroy your DNA sample — but once you do this, it cannot be undone and you will lose access to all your genetic results.

Added April 27, 2026