If you previously opted into Research, genetic and health data you contributed may already have been shared with third-party research partners and cannot be recalled, even if you later withdraw consent or delete your account.
This analysis describes what 23andMe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The policy discloses that Research consent, once acted upon and data shared, creates an irreversible commitment; withdrawal from Research stops future sharing but does not remove already-contributed data from third-party researchers who received it.
The updated privacy statement no longer explicitly directs users to a separate Medical Record Privacy Notice for telehealth services or explains that medical information collected through telehealth is governed by different privacy rules. Previously, the policy stated that users choosing telehealth services coordinated through 23andMe would find healthcare privacy protections described in a separate notice. That reference is now absent from the main privacy statement. Users seeking privacy information specific to telehealth services will need to determine independently whether a separate notice exists or contact 23andMe directly using the provided contact information.
The updated privacy statement no longer explicitly discloses a separate Medical Record Privacy Notice that previously described how medical information is used, disclosed, and maintained for telehealth services. Users who receive telehealth services coordinated through 23andMe may now lack clear notice of which privacy framework governs their medical records, since the reference to that parallel notice has been removed. The organizational scope change from '23andMe Research Institute' to '23andMe' narrows the explicitly named entities responsible for the policy, though operational impact depends on how these entities actually function.
This new provision emphasizes the irreversibility of opting out of research and data deletion, establishing a distinct high-severity provision around research participation consequences.
Users who opted into Research and whose genetic or self-reported data was shared with academic or commercial partners before withdrawal cannot have that data recalled, meaning third parties may continue to use contributed genomic data indefinitely under the terms of their research agreements with 23andMe.
"You can delete your 23andMe account any time. If you do, we will automatically opt you out of Research and discard your sample. Keep in mind this process cannot be cancelled or reversed." (Excerpt from 23andMe's Privacy Statement)
REGULATORY LANDSCAPE: Research use of genetic data implicates GDPR Article 9 (special category data) and the research exemptions under Article 89, as well as US Common Rule requirements if federally funded research is involved. The California Genetic Information Privacy Act imposes consent requirements specific to genetic data research use. FTC guidance on sensitive health data also applies.
GOVERNANCE EXPOSURE: High. The irreversibility of data sharing with third-party research partners once consent has been exercised creates ongoing compliance exposure, particularly under GDPR's right to erasure under Article 17, which includes a research exemption that may limit but not eliminate erasure obligations. The scope of this exemption and its application to commercial research partners rather than purely academic research should be evaluated.
JURISDICTION FLAGS: EU and UK users have stronger erasure rights under GDPR and UK GDPR, and the research exemption's applicability to commercial third-party research partners is not universally settled. California residents may have CCPA deletion rights that engage with this provision. Illinois users should note that genetic data may also engage the Genetic Information Privacy Act of Illinois.
CONTRACT AND VENDOR IMPLICATIONS: Third-party research partners who receive de-identified genetic data from 23andMe should be assessed for their own data governance frameworks and whether their use of data received from 23andMe is bounded by contractual restrictions. The adequacy of 23andMe's de-identification methodology relative to GDPR anonymization standards is a material due diligence question.
COMPLIANCE CONSIDERATIONS: Compliance teams should audit the consent records for Research participation, ensure the consent language clearly discloses the irreversibility of sharing once exercised, and evaluate whether the de-identification standard applied satisfies GDPR anonymization requirements or only HIPAA Safe Harbor. Contract review should confirm that research partner agreements include use limitation and data destruction provisions.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by 23andMe.