Privacy Notice for California Residents
Effective Date: January 1, 2020
Summary
This Privacy Notice for California Residents supplements our Privacy Statement and applies solely to 23andMe consumers, as defined below. In the event of any conflict between the terms of this notice and the Privacy Statement, the terms of this notice prevail.
This notice details the rights of California residents under the California Consumer Privacy Act of 2018 (CCPA).
If you have any questions regarding the information presented on this page, please contact 23andMe at privacy@23andme.com.
Contents
- Key definitions
- Consumer rights
-
Categories of personal information collected
- Information you provide directly to us
- Information collected in relation to our genetic testing services
- Information collected through tracking technology (e.g. from cookies and similar technologies)
- Derived information created from other personal information
- Disclosures of personal information for a business purpose
- Disclosures of personal information for a commercial purpose
- Changes to this notice
- Contact information
1. Key definitions
- Consumer: natural persons who reside in California, including (1) individuals who are in California for other than a temporary and transitory purpose; and (2) individuals who are domiciled in California, but are outside the state for a temporary or transitory purpose.
- CCPA: the California Consumer Privacy Act of 2018, effective as of January 1, 2020, as amended or replaced from time to time, along with any implementing regulations.
- Personal information: as defined in the CCPA, and includes information that can be used to identify you, either alone or in combination with other information, and any other information that could reasonably be linked with a particular consumer or device.
2. Consumer rights
a. Notice and access.
As a consumer, you have the right to know:
- The categories of personal information we collect about you;
- The categories of sources from which the information was collected;
- The business or commercial purpose for collecting, disclosing, or selling personal information; and
- The categories of third parties we have disclosed personal information to for a business purpose and the categories of personal information disclosed.
You may request that 23andMe provide you access to the specific pieces of personal information collected about you in a readily usable format.
Your access rights under the CCPA are not absolute. Specifically, the CCPA limits the information you can request to personal information collected in the 12-month period preceding our receipt of the request. Additionally, under the CCPA, 23andMe is not obligated to respond to requests for access to personal information more than twice in a twelve month period.
23andMe may, in its sole discretion, choose to provide personal information in response to a consumer’s access request that relate to a time period greater than the preceding 12 months or respond to a consumer request more frequently than required by law; choosing to do so, however, does not constitute an obligation to do so.
b. Deletion.
You may request that 23andMe delete the personal information we process about you, subject to certain limitations. Your personal information may not be deleted if the information is necessary to:
- Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug products to identify and repair errors that impair existing intended functionality.
- Ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
- To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Comply with a legal obligation.
- Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.
c. Opt-out of sales.
The CCPA provides you the right to opt-out of having your personal information sold by a business. 23andMe does not sell personal information to third parties.
d. Non-discrimination.
The CCPA prohibits businesses from discriminating against a consumer for exercising their rights under the CCPA. 23andMe will not discriminate against you for exercising any of your CCPA rights.
e. Designated methods for submitting rights requests.
Access and deletion rights may be exercised within your 23andMe Account Settings. For additional details regarding account deletion, see Section 5.d. of our Privacy Statement.
If you have not created a 23andMe account, you may contact us directly to submit your request by emailing privacy@23andme.com with the subject line “CCPA Rights Request” or calling our Customer Care team at 1.800.239.5230.
f. Verifying consumer requests.
Only you or someone legally authorized to act on your behalf may make a verifiable consumer request related to your personal information. Your request must:
- Provide sufficient information that allows us to verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Generally, requests submitted through your 23andMe account will be considered sufficiently verified when the request relates to personal information associated with that specific account. However, if you have not created, or no longer have access to your 23andMe account, we may request additional materials or information for the purposes of validating the authenticity of your request.
23andMe will use the information provided in connection with a verification request solely for the purposes of verification. We cannot effectuate your request if we are unable to verify your identity or authority to make the request and confirm that the personal information relates to you.
There may be other situations where 23andMe is unable or not required to effectuate your rights request. In such circumstances, 23andMe will respond to your request within the period required by the CCPA. The response will provide relevant details regarding 23andMe’s determination and any additional, pertinent information about your request.
3. Categories of personal information collected
When you choose to use our Services, including visiting our website, we may collect and process your personal information. 23andMe has collected the following categories of personal information from its consumers within the last twelve (12) months as necessary to provide our Services and/or as otherwise allowed under our Privacy Statement. The categories of personal information and other terms used below are defined in California Civil Code 1798.140, and may include reference to certain key definitions set forth in our Privacy Statement.
a. Information you provide directly to us.
| Information | Description | Business or commercial purpose(s) of collection | Business purpose(s) for disclosure |
|---|---|---|---|
|
Identifiers |
Generally identifiers are provided directly to us, collected automatically when you visit our website, or created on your behalf when you sign up for our Services to allow 23andMe to provide our Services. |
|
Identifiers are sometimes processed by our service providers for the following purposes:
|
|
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code §1798.80(e)) |
Some personal information included in this category may overlap with other categories. |
|
California Customer Records information is sometimes processed by our service providers for the following purposes:
|
|
Protected classification characteristics |
Generally this information is collected because you provide it directly to us. Certain elements, including Genetic Information, ancestry, and sex, may be developed or analyzed by 23andMe in relation to our genetic testing services. You can review protected classes under California Law here. |
|
Protected classification characteristics are sometimes processed by our service providers for the following purposes:
|
|
Commercial information |
Generally, this information is collected directly from you. |
|
Commercial information is sometimes processed by our service providers for the following purposes:
|
|
Sensory data |
Generally, this information is collected directly from you, or passively collected about you with your permission. |
|
Sensory data is sometimes processed by our service providers for the following purposes:
|
|
Professional, Education, or employment-related information. |
Generally, this information is collected directly from you. |
|
Professional, Education and employment-related information is sometimes processed by our service providers for the following purposes:
|
b. Information collected in relation to our genetic testing services.
| Information | Description | Business or commercial purpose(s) of collection | Business purpose(s) for disclosure |
|---|---|---|---|
|
Biometric information |
Generally, this information is collected directly from you or developed or analyzed by 23andMe in relation to our genetic testing services. |
|
Biometric information is sometimes processed by our service providers for the following purposes:
|
c. Information collected through tracking technology (e.g. from cookies and similar technologies).
| Information | Description | Purpose of Collection | Business purpose(s) for disclosure |
|---|---|---|---|
|
Internet or other electronic network activity information |
Our Cookie Policy contains more information about how 23andMe processes Web-Behavior Information. |
|
Internet information is sometimes processed by our service providers for the following purposes:
|
|
Geolocation data |
Our Cookie Policy contains more information about how 23andMe processes Web-Behavior Information. |
|
Geolocation data is sometimes processed by our service providers for the following purposes:
|
d. Derived information created from other personal information.
| Information | Description | Purpose of Collection | Business purpose(s) for disclosure |
|---|---|---|---|
|
Inferences and derived data |
Inferences and derived information are any information, data, assumptions, or conclusions 23andMe infers based on analyses of facts, evidence, or another source of information or data.
Generally this information is created by 23andMe and not collected directly from you. 23andMe may derive information from data that was collected in relation to our genetic testing services, directly from you, or through tracking technology. |
|
Inferences and derived data are sometimes processed by our service providers for the following purposes:
|
e. Disclosures of personal information for a business purpose
23andMe may share information listed above under “Categories of personal information collected” with our service providers for operational business purposes including:
- Audit: Auditing related to a current interaction and concurrent transactions.
- Security: Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity. Please see Section 4.e. of our Privacy Statement for more information.
- Debugging: Debugging to identify and repair errors that impair existing intended functionality.
- Transient use: Short-term, transient use, where personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction.
- 23andMe Research: Scientific research that 23andMe performs with the intent to publish in a peer-reviewed scientific journal.
- Quality assurance and product improvement: Activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by 23andMe, and otherwise to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by 23andMe.
f. Disclosures of personal information for a commercial purpose
If you have given your explicit consent, for example via a data transfer authorization or other consent document, we may disclose the categories of personal information detailed above for commercial purposes. The purpose, such as recruitment for external research, may vary and will be specified in the consent.
4. Changes to this notice
23andMe will review and update this notice at least once every 12 months and more frequently as needed. We recommend visiting this page periodically to stay aware of any changes. If we modify this notice, we will make the revised notice available through our website.
5. Contact information
If you have questions about this notice, or wish to submit a complaint, request or inquiry, please email 23andMe's Privacy Administrator at privacy@23andme.com, or send a letter to:
Privacy Administrator
23andMe, Inc.
223 N. Mathilda Avenue
Sunnyvale, CA 94086
1.800.239.5230