If you agree to participate in 23andMe's research program, your genetic and health information (with your name and direct identifiers removed) may be combined with other users' data and shared with outside research partners, including pharmaceutical companies and academic institutions. You can withdraw this consent at any time, but research already done using your data cannot be undone.
This analysis describes what 23andMe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Your genetic data is among the most sensitive personal information that exists and can reveal health risks, ancestry, and family relationships; sharing it with pharmaceutical companies, even in deidentified form, carries risks of re-identification and downstream commercial use that may not be fully visible to you at the time of consent.
Interpretive note: The full text of the research consent terms and third-party partner agreements is not reproduced in the document excerpt reviewed; the adequacy of deidentification and specific scope of pharmaceutical partnerships may be detailed in supplemental documents.
The updated privacy statement no longer explicitly directs users to a separate Medical Record Privacy Notice for telehealth services or explains that medical information collected through telehealth …
The updated privacy statement no longer explicitly discloses a separate Medical Record Privacy Notice that previously described how medical information is used, disclosed, and maintained for teleheal…
If you opt into research, your deidentified genetic and phenotypic data may be shared with pharmaceutical and academic partners for studies you are not individually informed about; withdrawing consent stops future use but cannot reverse research already completed using your data.
How other platforms handle this
When you ask us to open an Account, we or someone acting for us will ask for information about you and where the money you will put in your Account comes from. We do this for a number of reasons, including to check your credit score and identity, and to meet our legal and regulatory requirements. Ou...
We may share your personal information with third parties, including service providers, financial institutions, regulatory authorities, and fraud prevention agencies, where necessary to provide our services, comply with legal obligations, or protect against fraud and financial crime.
We share your personal data with your consent or as necessary to complete any transaction or provide any product you have requested or authorized. We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors or agents working on our behalf for the purposes described in this...
Monitoring
23andMe has changed this document before.
"If you choose to participate in research, your deidentified data will be pooled with data from other participants. You can opt out at any time." — Excerpt from 23andMe's Privacy Statement
REGULATORY LANDSCAPE: This provision implicates GDPR Article 9 (special category data including genetic data) and the explicit consent requirement under Article 9(2)(a) for EU/EEA users, as well as UK GDPR equivalents. For US users, the California Genetic Information Privacy Act and analogous state statutes impose specific consent and use limitations on genetic data that may exceed CCPA. The FTC has issued guidance on the sensitivity of health and genetic data under its consumer protection authority. The research partnership model engages considerations around whether deidentified data meets applicable anonymization standards under GDPR and whether onward transfer obligations apply to third-party research recipients.

GOVERNANCE EXPOSURE: High. The combination of highly sensitive genetic data, consent-based sharing with commercial pharmaceutical partners, and the acknowledged irreversibility of past research use creates significant compliance exposure. The adequacy of deidentification as a protective measure is subject to ongoing regulatory and scientific debate, particularly as genetic data can potentially be re-identified. The consent framework must be evaluated for granularity, specificity, and genuine withdrawability under applicable law.

JURISDICTION FLAGS: EU/EEA users are protected by GDPR's explicit consent requirement for special category data; any deficiency in consent quality or granularity could expose 23andMe to enforcement by national data protection authorities. California users are subject to the California Genetic Information Privacy Act. UK users are subject to UK GDPR. Users in jurisdictions with standalone genetic privacy laws (Texas, Illinois, Washington) face additional layered protections. The irreversibility disclosure may be legally insufficient in jurisdictions that treat the right to erasure as a continuing obligation.

CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should assess whether data sharing agreements with pharmaceutical and academic partners include appropriate data processing agreements, use limitation clauses, and re-identification prohibitions consistent with GDPR Article 28 requirements and equivalent US standards. The commercial nature of pharmaceutical partnerships raises questions about whether data subjects are adequately informed of potential commercial benefit derived from their data.

COMPLIANCE CONSIDERATIONS: Compliance teams should audit the consent mechanism for research participation against GDPR's explicit consent standard, including whether consent is freely given, specific, informed, and unambiguous. The policy's statement that past research cannot be reversed should be evaluated against the right to erasure under GDPR and equivalent US state rights. Data mapping should trace the full lifecycle of research data from collection through third-party use. A review of research partner agreements for use limitation and re-identification protections is advisable.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by 23andMe.