If you previously opted into Research, genetic and health data you contributed may already have been shared with third-party research partners and cannot be recalled, even if you later withdraw consent or delete your account.
This analysis describes what 23andMe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy discloses that Research consent, once acted upon and data shared, creates an irreversible commitment; withdrawal from Research stops future sharing but does not remove already-contributed data from third-party researchers who received it.
The updated privacy statement no longer explicitly directs users to a separate Medical Record Privacy Notice for telehealth services or explains that medical information collected through telehealth …
The updated privacy statement no longer explicitly discloses a separate Medical Record Privacy Notice that previously described how medical information is used, disclosed, and maintained for teleheal…
Users who opted into Research and whose genetic or self-reported data was shared with academic or commercial partners before withdrawal cannot have that data recalled, meaning third parties may continue to use contributed genomic data indefinitely under the terms of their research agreements with 23andMe.
How other platforms handle this
We may share your information with third-party advertising partners to provide you with targeted advertising. We also work with third-party analytics providers who help us understand how users interact with our Services. These third parties may use cookies, web beacons, and similar tracking technolo...
We process personal data you provide to Oura to enable third party integrations, services, features, and offerings. For example, with your permission, our Services may integrate with third-party services like Google Health Connect and Apple HealthKit, or those of our partners. Oura takes measures to...
Creators: when you subscribe to a Creator's publication, we provide them the information necessary (including your name and email address) to provide you their publication(s). Please note that Creators control their own publications; accordingly, when you interact with a Creator's publication in a w...
Monitoring
23andMe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"You can delete your 23andMe account any time. If you do, we will automatically opt you out of Research and discard your sample. Keep in mind this process cannot be cancelled or reversed.— Excerpt from 23andMe's 23andMe Privacy Statement
REGULATORY LANDSCAPE: Research use of genetic data implicates GDPR Article 9 (special category data) and the research exemptions under Article 89, as well as US Common Rule requirements if federally funded research is involved. The California Genetic Information Privacy Act imposes consent requirements specific to genetic data research use. FTC guidance on sensitive health data also applies. GOVERNANCE EXPOSURE: High. The irreversibility of data sharing with third-party research partners once consent has been exercised creates ongoing compliance exposure, particularly under GDPR's right to erasure under Article 17, which includes a research exemption that may limit but not eliminate erasure obligations. The scope of this exemption and its application to commercial research partners rather than purely academic research should be evaluated. JURISDICTION FLAGS: EU and UK users have stronger erasure rights under GDPR and UK GDPR, and the research exemption's applicability to commercial third-party research partners is not universally settled. California residents may have CCPA deletion rights that engage with this provision. Illinois users should note that genetic data may also engage the Genetic Information Privacy Act of Illinois. CONTRACT AND VENDOR IMPLICATIONS: Third-party research partners who receive de-identified genetic data from 23andMe should be assessed for their own data governance frameworks and whether their use of data received from 23andMe is bounded by contractual restrictions. The adequacy of 23andMe's de-identification methodology relative to GDPR anonymization standards is a material due diligence question. COMPLIANCE CONSIDERATIONS: Compliance teams should audit the consent records for Research participation, ensure the consent language clearly discloses the irreversibility of sharing once exercised, and evaluate whether the de-identification standard applied satisfies GDPR anonymization requirements or only HIPAA Safe Harbor. Contract review should confirm that research partner agreements include use limitation and data destruction provisions.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy discloses that Research consent, once acted upon and data shared, creates an irreversible commitment; withdrawal from Research stops future sharing but does not remove already-contributed data from third-party researchers who received it.
Users who opted into Research and whose genetic or self-reported data was shared with academic or commercial partners before withdrawal cannot have that data recalled, meaning third parties may continue to use contributed genomic data indefinitely under the terms of their research agreements with 23andMe.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by 23andMe.