Dec 6, 2021 - 23andMe and You

The 23andMe privacy team answers 10 common questions

Privacy Feature Image Wide

Our commitment to transparency never ends, so we put together answers to several of the most commonly asked questions we receive about privacy at 23andMe.

You should read our Privacy Statement for details, but this is a good summary of some of the basics that you can review in just a few minutes. Feel free to contact us with any of your privacy questions that we don’t cover below.

First up, since folks have asked: Now that 23andMe is a public company, does that change how my data is treated?

Too Long, Didn’t Read (TLDR): Becoming a publicly traded company does not change our privacy commitments to you.  We do not share your data with any investor!

I need more details:

  • Our Privacy Statement details our commitments to you about your data (or, as we refer to it in our Privacy Statement, your Personal Information). 23andMe customer Personal Information remains subject to the promises made in our Privacy Statement, which specifically addresses how 23andMe will handle Personal Information in the event of a merger or acquisition.
  • We won’t make important changes to our Privacy Statement or other legal documents without alerting you. If we have a material change to make, you’ll know about it before those changes become effective so you have an opportunity to make a choice about your continued use of our Services. You’ll hear from us through a banner or in-app notice, or email message for those types of changes.
Question 2: Do you sell my data when I sign up for 23andMe?

TLDR: Nope!

I need more details:

  • With core values like transparency and choice, we are not in the business of selling your Personal Information for commercial purposes such as advertising or marketing.
  • When it comes to Research, we only use or share your data if we receive your explicit consent. Participation in our Research is opt-in and entirely voluntary. Learn more about our Research program here.
Question 3: Do I need to participate in Research?

TLDR: Participation in our Research is opt-in and entirely voluntary. Whether or not a customer participates in 23andMe Research, the consumer experience is the same.

I need more details:

  • The purpose of 23andMe Research is to make new discoveries about genetics and other factors behind diseases and traits – about people in general, not about you specifically.
  • Customers choose whether to participate in Research after they read a separate research consent. This means we do not bundle our Research consent into the Terms of Service or any other consent. Only customers that participate in our Research program are included in any analysis completed by our scientists for research studies or collaborations. Customers can change their Research consent preference at any time in their Account Settings. Don’t believe how simple it is? Give it a try!
  • If it’s so simple, there must be a catch, right? Nope! Choosing not to participate in Research does not impact your 23andMe experience. If you choose not to opt-in to participate in Research, or if you later opt-out of participating, you will still be able to access all of the same reports and product features as customers who are participating in our Research program.
Question 3 (continued): If I participate in Research, what types of data do you share?

TLDR: In our 23andMe Research program, we may share summaries of research results, which do not identify any particular individuals, with third-party research collaborators, such as academic institutions and pharmaceutical companies, but we won’t share information about you without your separate, explicit consent.

I need more details:

  • When we conduct Research in collaboration with a third party, we run a series of analyses on de-identified data in-house. Then, we send summary information and supporting data (i.e., information about specific genetic variants of significance) to collaborators. Data is summarized so individual-level data is not identified. We also include terms in our contracts with research collaborators to protect customer data, such as prohibiting any attempts to re-identify individuals.
  • An example of a summary of research results is “20% of men between the ages of 30 and 35 report having some form of cancer and XX genetic variants in common.”
  • We do not share any of your Registration Information (e.g., name, contact information, etc.), nor is your Registration Information available to 23andMe researchers running those analyses with any collaborator without your separate, explicit consent. We may recruit for studies in specific disease areas, such as lupus, and depression. For those studies we ask participants to sign a separate consent authorizing the sharing of their Registration Information with the named third party collaborator.
  • Hey, what about the individual-level data sharing research consent? Glad you asked — we enable customers to share more detailed information about themselves with our collaborators which may further accelerate research if they choose. But this is an additional, separate and explicit choice that the Research participant makes. Unless you choose to participate in individual-level data sharing, your individual-level, de-identified Genetic Information and Self-Reported Information is not shared with collaborators. To be clear, even if you consent to individual-level data sharing, we still do not share any of your Registration Information with collaborators.
  • If you ever want a refresh or to learn more, links to our Privacy Statement and Research Consent Document can be easily found in the website footer or in the Settings menu of our mobile app.
Question 4: How can Research participants learn about how their data is used?

TLDR: Take a look at the docs linked in that last bullet above, and you will find the details about our Research data use practices. In the spirit of transparency, we have announced many of our collaborations with pharmaceutical companies to make customers aware of how their data may be used for research. And, if you are a genetics geek like us, you might want to check out our publications on studies conducted with academic institutions. Or, better yet, if you have chosen to participate in our Research program, check out which published studies your data has been used in right in your Account Settings!

I need more details:

An image showing how 23andMe shows customers who have consented to participate in research the list of studies that their data was used in.

  • Before we launched our Research program over a decade ago, we worked with the Ethical, Legal, and Social Implications (ELSI) program, founded in 1990 as part of the Human Genome Project. The ELSI program was created to identify and address issues that genomics research could trigger with regard to impacting people, families, and society. We engaged with this community early on to incorporate strong ethical standards into our program.
  • Following our discussions with ELSI, we approached a third party institutional review board (“IRB”) and worked together to create an entirely new model of research based on an online experience. The job of the IRB is to review and monitor our Research to make sure that the people taking part in Research are fully informed about the risks and benefits of participating. Our model ensures we have third party oversight of our Research program, including clear, informed consent.
  • Further, our Research program is built on the ethical principles laid out in the Belmont Report, which describes guidelines for treating people right in research.
  • And we’ve taken it a step further by ensuring 23andMe’s Research actually adheres to a much stricter federal standard called the Common Rule. Although the Common Rule technically only applies to federally-funded research, 23andMe voluntarily applies it to its Research program.
  • We walk-the-talk, too. Every one of our researchers undergoes training on protecting human subjects and responsible conduct of research. We have multiple teams dedicated to making sure all of our work follows applicable federal regulations related to human subjects research and the instructions of our IRB.
  • We work to bring visibility to our Research activities by providing Research participants with information about published studies they have contributed to. Check out the link above!
  • As already mentioned, you can change your mind about Research participation anytime, no questions asked. We can’t go back and remove your data from research or studies that have already been conducted, however, you can rest assured that your data will not be used in any new Research initiatives that start more than 30 days after your consent change (it may take up to 30 days to withdraw your data after you withdraw your consent).
Question 5: Why do you collaborate with pharma companies?

TLDR: We continue to be committed to our mission to help people access, understand and benefit from the human genome. We believe that working with others, including pharma companies, can help accelerate our ability to more quickly develop treatments and cures. We work with academic institutions for the same reason, too!

I need more details:

  • We believe transparency is critical. Our Research consent describes our collaborations with various third parties, including pharmaceutical companies, so customers can make an informed choice.
  • Drug development is a long and expensive process. Through our collaborations with industry, nonprofits and research institutions, we hope to bring more successful treatments and cures to people faster. Studies have shown treatments validated with genetic data are at least twice as likely to succeed. We want to change the drug development process and make it more efficient. Ultimately, we are committed to discovering and developing novel therapies to improve patient lives through the study of human genetics.
  • We also want people to feel like they are part of the process and we strive to treat them like partners rather than research subjects. We empower our customers to choose whether they want to play a role in collectively sharing their Personal Information to fuel scientific discoveries. Approximately eighty percent of 23andMe’s customers consent to participate in Research.
  • When we’ve entered into major collaborations with academic institutions or pharmaceutical companies in the past, we’ve informed our customers through email, blog posts or press outreach. For example, when we entered into a collaboration with GSK, we used all three approaches, including emailing customers, posting details of the project on our blog, and engaging with journalists on stories about the effort.
Question 6: Is my data secure?

TLDR: 23andMe is ISO 27001 certified, and we also hold other certifications to confirm our commitment to your security and privacy. But, security is a two-way street and we try to make it easy to be secure with 23andMe. In addition to the security measures we’ve undertaken, we provide customers with security tools to protect their accounts, such as two-step verification.

I need details:

    • Our information security management system, which protects 23andMe data, has been certified under ISO 27001, ISO 27701, and ISO 27018! An ISO certification is awarded after extensive audits by an independent third party. 23andMe is the first direct-to-consumer genetic testing company to be assessed against all three standards.
    • We have security measures in place for authentication, encryption (at rest and in transit), least privilege access, and authorization to our systems and proprietary technologies to support customer security. 23andMe access combines token-based, multi-factor authentication and strict least-privileged authorization controls.
    • We store your data in segregated databases. For example, your Registration Information (such as name and email) and Genetic Information are stored separately in secured, segmented databases, which reduces the risk of, and incentive to, commit a breach.
  • Your own security precautions are critical. For example, you should not share your password with others or use previously compromised passwords. If you do, we are not responsible for those actions.
Question 7: Have you ever detected any breach?

TLDR: No, we have not detected any breaches of Personal Information to date. I need details: See the TLDR — we don’t have additional details because it is just that simple.

Question 8: I’ve read that 23andMe is not regulated. Is that true?

TLDR: 23andMe, and our Health + Ancestry Service, is certainly regulated.

I need details:

  • For starters, our carrier status, genetic health risk and pharmacogenetic reports are regulated by the U.S. Food and Drug Administration (“FDA”) and have been reviewed and authorized or cleared by the FDA.
  • Far from being “unregulated”, 23andMe’s health reports have been reviewed and cleared by the FDA six times at the time of this blog publication. 23andMe’s six authorizations and clearances for the reports below:
    • Carrier screening (de novo)
    • Genetic Health Risk reports (de novo)
    • BRCA 1/2 (Selected Variants) cancer predisposition (de novo)
    • MUTYH-Associated Polyposis cancer predisposition (510k)
    • Pharmacogenetic reports (de novo)
    • Pharmacogenetic reports (510k)
  • 23andMe is the first direct-to-consumer genetic testing company to meet FDA requirements for its health reports. Our FDA authorized reports meet a greater than 99% accuracy standard when compared to Sanger sequencing. In addition, in connection with meeting FDA requirements, 23andMe demonstrated that US consumers, regardless of education, age, gender or ethnicity can comprehend their 23andMe results, enabling them to be used safely without a doctor’s prescription.
  • As an FDA manufacturer, 23andMe also meets the Federal FDA Cybersecurity requirements.
  • 23andMe is inspected intermittently by the FDA. These inspections have found no deficiencies of its adherence to Federal quality standards.
Question 9: Does 23andMe share my data with China?

TLDR: Nope!

I need details:

  • 23andMe’s contract laboratories are located in the United States. As part of our FDA submissions, we identify all of our key suppliers, none of which are based or located in China.
  • We do not do business in China or use any Chinese-based laboratories for our genetic testing service. We do not store data in China.
Question 10: Do you cooperate with law enforcement agencies looking to solve cold cases?

TLDR: No, 23andMe will exercise any available legal measures to object to a law enforcement request. As of the date of this publication, we have not released any individual user data to law enforcement. Take a look at our track record in our Transparency Report.

I need details:

  • Respect for customer privacy and transparency are core principles that guide 23andMe’s approach to responding to legal requests and maintaining customer trust. In 2015, 23andMe was the first consumer genetics company to publish a Transparency Report, which details the government requests for data we receive and how we have responded. This report is updated quarterly. As of the date of this publication, we have not released any individual user data to law enforcement and we want to keep it that way.
  • We closely scrutinize all law enforcement and regulatory requests and we will only comply with court orders, subpoenas, search warrants or other requests that we determine are legally valid and legally require our response after exhausting other options.
  • If, despite our resistance, we are required by law to comply with a valid court order, subpoena, or search warrant for a customer’s Genetic Information or Personal Information, we will try to notify you through the contact information you provided us before we disclose this information to law enforcement, unless doing so would violate the law or a court order. This provides you with a chance to move to quash the subpoena before we are required to answer it.
Related Stories

Stay in the know.

Receive the latest from your DNA community.