23andMe requires two-factor authentication to protect user accounts, which provides an additional security layer beyond a password.
This analysis describes what 23andMe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Given the sensitivity of genetic and health data held in 23andMe accounts, the policy states that two-factor authentication is applied as a baseline security control, which reduces the risk of unauthorized account access.
The policy states that user accounts are protected with two-factor authentication, meaning access to your genetic data requires both your password and a second verification factor, providing a baseline protection for the sensitive genomic and health information stored in your account.
"You create your online account and password. Your account is protected with 2-factor authentication." (Excerpt from 23andMe's Privacy Statement)
REGULATORY LANDSCAPE: Account security measures for genetic and health data engage FTC standards for reasonable security, GDPR Article 32 security of processing requirements, and California Consumer Privacy Act security obligations. The use of two-factor authentication is consistent with regulatory guidance on appropriate technical safeguards for sensitive personal data.

GOVERNANCE EXPOSURE: Low. Disclosure of two-factor authentication as a baseline security control is consistent with reasonable security expectations for a genetic data platform. The governance question is whether 2FA is mandatory or optional for users, which the summary document does not fully clarify.

JURISDICTION FLAGS: GDPR and UK GDPR require appropriate technical measures proportionate to the risk; for genetic data, regulatory guidance supports strong authentication controls. California law similarly requires reasonable security.

CONTRACT AND VENDOR IMPLICATIONS: No significant contract or vendor implications from this specific disclosure.

COMPLIANCE CONSIDERATIONS: Compliance teams should confirm whether two-factor authentication is mandatory for all account types or optional, and whether there are mechanisms to prevent users from disabling it for accounts holding genetic data.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by 23andMe.