If you agree to participate in 23andMe's research program, your genetic and health information (with your name and direct identifiers removed) may be combined with other users' data and shared with outside research partners, including pharmaceutical companies and academic institutions. You can withdraw this consent at any time, but research already done using your data cannot be undone.
This analysis describes what 23andMe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision defines the operational scope of 23andMe's research data sharing practices and establishes the procedural framework through which participant data may be aggregated and used for research initiatives. The opt-out structure determines how participants can control their ongoing participation in the research component of the service.
Interpretive note: The full text of the research consent terms and third-party partner agreements is not reproduced in the document excerpt reviewed; the adequacy of deidentification and specific scope of pharmaceutical partnerships may be detailed in supplemental documents.
The updated privacy statement no longer explicitly directs users to a separate Medical Record Privacy Notice for telehealth services or explains that medical information collected through telehealth is governed by different privacy rules. Previously, the policy stated that users choosing telehealth services coordinated through 23andMe would find healthcare privacy protections described in a separate notice. That reference is now absent from the main privacy statement. Users seeking privacy information specific to telehealth services will need to determine independently whether a separate notice exists or contact 23andMe directly using the provided contact information.
View change record →The updated privacy statement no longer explicitly discloses a separate Medical Record Privacy Notice that previously described how medical information is used, disclosed, and maintained for telehealth services. Users who receive telehealth services coordinated through 23andMe may now lack clear notice of which privacy framework governs their medical records, since the reference to that parallel notice has been removed. The organizational scope change from '23andMe Research Institute' to '23andMe' narrows the explicitly named entities responsible for the policy, though operational impact depends on how these entities actually function.
View change record →If you opt into research, your deidentified genetic and phenotypic data may be shared with pharmaceutical and academic partners for studies you are not individually informed about; withdrawing consent stops future use but cannot reverse research already completed using your data.
How other platforms handle this
By using the Services, you authorize Affirm to share your information, including personal information and information related to your transactions and use of the Services, with merchants, service providers, and other third parties as further described in our Privacy Policy.
We may receive information, including the following, from third party sources and combine it with information we already directly collect from you. We will handle the information in accordance with this Privacy Policy. Game, social media, or other information, from those third parties or services yo...
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
Monitoring
23andMe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you choose to participate in research, your deidentified data will be pooled with data from other participants. You can opt out at any time.— Excerpt from 23andMe's 23andMe Privacy Statement
REGULATORY LANDSCAPE: This provision implicates GDPR Article 9 (special category data including genetic data) and the explicit consent requirement under Article 9(2)(a) for EU/EEA users, as well as UK GDPR equivalents. For US users, the California Genetic Information Privacy Act and analogous state statutes impose specific consent and use limitations on genetic data that may exceed CCPA. The FTC has issued guidance on the sensitivity of health and genetic data under its consumer protection authority. The research partnership model engages considerations around whether deidentified data meets applicable anonymization standards under GDPR and whether onward transfer obligations apply to third-party research recipients. GOVERNANCE EXPOSURE: High. The combination of highly sensitive genetic data, consent-based sharing with commercial pharmaceutical partners, and the acknowledged irreversibility of past research use creates significant compliance exposure. The adequacy of deidentification as a protective measure is subject to ongoing regulatory and scientific debate, particularly as genetic data can potentially be re-identified. The consent framework must be evaluated for granularity, specificity, and genuine withdrawability under applicable law. JURISDICTION FLAGS: EU/EEA users are protected by GDPR's explicit consent requirement for special category data; any deficiency in consent quality or granularity could expose 23andMe to enforcement by national data protection authorities. California users are subject to the California Genetic Information Privacy Act. UK users are subject to UK GDPR. Users in jurisdictions with standalone genetic privacy laws (Texas, Illinois, Washington) face additional layered protections. The irreversibility disclosure may be legally insufficient in jurisdictions that treat the right to erasure as a continuing obligation. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should assess whether data sharing agreements with pharmaceutical and academic partners include appropriate data processing agreements, use limitation clauses, and re-identification prohibitions consistent with GDPR Article 28 requirements and equivalent US standards. The commercial nature of pharmaceutical partnerships raises questions about whether data subjects are adequately informed of potential commercial benefit derived from their data. COMPLIANCE CONSIDERATIONS: Compliance teams should audit the consent mechanism for research participation against GDPR's explicit consent standard, including whether consent is freely given, specific, informed, and unambiguous. The policy's statement that past research cannot be reversed should be evaluated against the right to erasure under GDPR and equivalent US state rights. Data mapping should trace the full lifecycle of research data from collection through third-party use. A review of research partner agreements for use limitation and re-identification protections is advisable.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision defines the operational scope of 23andMe's research data sharing practices and establishes the procedural framework through which participant data may be aggregated and used for research initiatives. The opt-out structure determines how participants can control their ongoing participation in the research component of the service.
If you opt into research, your deidentified genetic and phenotypic data may be shared with pharmaceutical and academic partners for studies you are not individually informed about; withdrawing consent stops future use but cannot reverse research already completed using your data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by 23andMe.