⚠ Data Sensitivity Tier 1: Genetic Data

Genetic data requires the highest privacy protections: it cannot be changed, reveals information about biological relatives who never consented, and may have implications for employment and insurance. This review focuses on documented policy language with exact citations.

📊 Data Collection Scope

Genetic Information

23andMe collects detailed genetic data from your DNA sample:

"Genetic Information: information regarding your genotype (e.g., the As, Ts, Cs, and Gs at particular locations in your DNA)"
Source: Full Privacy Statement - "Information We Collect" section

Self-Reported Health Data

Beyond DNA, 23andMe collects extensive health and personal history information:

"Self-Reported Information: information you provide to 23andMe including your gender, disease conditions, health-related information, traits, ethnicity, family history"
Source: Full Privacy Statement - "Information We Collect" section

Biological Sample Information

Your physical saliva sample and laboratory analysis data:

"Sample Information: information regarding any sample, such as a saliva sample, that you submit for processing"
Source: Full Privacy Statement - "Information We Collect" section

Registration and Account Data

Standard personal identifiers linked to your genetic data:

"Registration Information: information you provide during account registration or when purchasing the Services, such as a name, user ID, password, date of birth"
Source: Full Privacy Statement - "Information We Collect" section

Web Behavior and Tracking

Online activity tracking through various technologies:

"Web-Behavior Information: information on how you use our Services or about the way your devices use our Services is collected through log files, cookies, web beacons"
Source: Full Privacy Statement - "Information We Collect" section

👥 Third-Party Sharing

Research Partners (Including Pharmaceutical Companies)

23andMe explicitly states that research may involve pharmaceutical companies:

"23andMe Research may be sponsored by, conducted on behalf of, or in collaboration with third parties, including non-profit foundations, academic institutions or pharmaceutical companies"
Source: Full Privacy Statement - "23andMe Research" section

Research Data Sharing (De-identified)

Research results may be shared with collaborators and published:

"We may share summaries of research results, which do not identify any particular individual, with qualified research collaborators and in scientific publications"
Source: Full Privacy Statement - "23andMe Research" section

Service Providers

Various contractors have access to personal information:

"Our service providers and contractors help us provide our Services...including: order fulfillment and shipping; processing and analyzing your samples; sample storage; customer care support"
Source: Full Privacy Statement - "How We Share Information" section

Law Enforcement Access

23andMe's policy on law enforcement cooperation:

"23andMe will not provide information to law enforcement unless required by law to comply with a valid court order, subpoena, or search warrant"
Source: Full Privacy Statement - "Law Enforcement" section

Insurance and Employers (Excluded)

23andMe explicitly states that it will not share Personal Information with certain parties:

"we will not voluntarily share your Personal Information with: Insurance companies or employers"
Source: Full Privacy Statement - "Information Security" section

Mergers and Acquisitions

Restrictions on genetic data transfer in corporate transactions:

"we will not sell or transfer your genetic data in connection with any merger, acquisition, bankruptcy, reorganization, or asset sale unless the buyer is also a U.S. nonprofit research institution"
Source: Full Privacy Statement - "Business Transactions" section

🔍 Law Enforcement Transparency (as of June 2, 2025)

According to 23andMe's Transparency Report:

11 total law enforcement requests received

15 users/accounts specified in requests

0 instances where data was produced

"Unless required to do so by law, we will not release a customer's individual-level Personal Information to a law enforcement agency without asking for and receiving that customer's explicit consent."

🕐 Data Retention

General Retention Policy

23andMe retains data for service delivery and legal compliance:

"We retain Personal Information for as long as necessary to provide the Services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements"
Source: Full Privacy Statement - "Data Retention" section

Genetic Data - Extended Legal Retention

Genetic information is subject to extended retention requirements under federal law:

"23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations, including the federal Clinical Laboratory Improvement Amendments of 1988 (CLIA)"
Source: Full Privacy Statement - "Data Retention" section

Post-Deletion Record Keeping

Even after account deletion, certain records are maintained:

"23andMe will also retain limited information related to your account and data deletion request, including but not limited to, your email address, account deletion request identifier...for a limited period of time as required by law"
Source: Full Privacy Statement - "Data Retention" section

☑ User Control and Consent

Research Participation (Opt-In)

Research involvement requires explicit consent:

"23andMe has an opt-in research program, meaning that for eligible customers, taking part in 23andMe Research is completely voluntary"
Source: Full Privacy Statement - "23andMe Research" section

Sample Storage Choice

Users can choose whether to retain or destroy their biological sample:

"Opt-out: No, I do not want my sample stored. If you choose to discard your sample, it will be securely destroyed after the lab completes its analysis"
Source: Full Privacy Statement - "Your Choices" section

Account Deletion

Users can delete their account, but the process is irreversible:

"You can delete your 23andMe account within your Account Settings at any time. Upon account deletion, we will automatically opt you out of Research and discard your sample"
Source: Full Privacy Statement - "Account Deletion" section

Irreversibility Warning

23andMe emphasizes the permanent nature of deletion:

"You can delete your 23andMe account any time...this process cannot be cancelled or reversed."

Research Withdrawal Limitations

Important limitation on withdrawing from research:

"You can change your mind any time about your participation, however any Research involving your data that has already been performed or published prior to your withdrawal will not be reversed"
Source: Full Privacy Statement - "23andMe Research" section

Data Access and Download

Users can access their personal information:

"You can access and download your Personal Information processed by 23andMe"
Source: Full Privacy Statement - "Your Rights" section

🔒 Security Measures

Security Implementation

23andMe describes their security approach:

"We implement physical, technical, and administrative measures aimed at preventing unauthorized access to or disclosure of your Personal Information"
Source: Full Privacy Statement - "Information Security" section

Ongoing Security Review

Security practices are regularly updated:

"Our team regularly reviews and improves our security practices to help ensure the integrity of our systems and your Personal Information"
Source: Full Privacy Statement - "Information Security" section

Two-Factor Authentication

Account protection mechanisms:

"Your account is protected with 2-factor authentication"

🌎 GDPR/CCPA Compliance

Regional Privacy Rights

23andMe acknowledges jurisdiction-specific rights:

"residents of the European Economic Area (EEA), the UK, Switzerland and other jurisdictions" have specific rights detailed in a separate EU Privacy Notice
Source: Full Privacy Statement - "Regional Privacy Rights" section

US State Privacy Laws

California and other state residents have additional rights:

"residents of California and other states have specific privacy rights" as outlined in separate California Privacy documentation
Source: Full Privacy Statement - "US State Privacy" section

GINA Protection

Federal genetic non-discrimination protections:

"Federal and state laws (including the federal Genetic Information Non-discrimination Act or 'GINA') provide some protection from employer and health insurance discrimination based on your genetics"
Source: Full Privacy Statement - "Legal Protections" section

Research De-identification

How research data is processed:

"23andMe Research analyses are conducted with information that has been stripped of your identifying Registration Information"
Source: Full Privacy Statement - "23andMe Research" section
