Privacy Notice for U.S. State Residents

Last Updated: March 15, 2024

Summary

This policy, together with the 23andMe Privacy Statement, includes the information and disclosures we are required to provide to you under U.S. State Data Protection Laws. You should read them both carefully.

This Privacy Notice for U.S. State Residents applies to residents of California, Washington, Colorado, Virginia, Utah, and Connecticut and contains information required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act, the Colorado Privacy Act (“CPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Utah Consumer Privacy Act (“UCPA”), the Washington My Health My Data Act (“MHMDA”), and the Connecticut Data Privacy Act (“CTDPA”) (collectively, “U.S. State Data Protection Laws”), as amended or replaced from time to time, along with any implementing regulations, and supplements our Privacy Statement.

This policy, together with the 23andMe Privacy Statement, includes the information and disclosures we are required to provide to you under U.S. State Data Protection Laws. You should read them both carefully.

23andMe applies certain privacy controls to all U.S. customers. For example, all customers can request a copy of their data, request deletion, and control their privacy settings in their Account Settings. This notice makes sure we cover state-specific requirements. In the event of any conflict between the terms of this notice and the Privacy Statement, the terms of this notice prevail.

Here is a summary before we dive into the details:

  • You have the right to know whether we sell or share your Personal Information and opt-out of a sale or sharing of your Personal Information with a third party.
  • You have the right to receive an overview of the Personal Information we collect, how we use it, and who we share it with.
  • You have a right to limit use and sharing of your sensitive Personal Information.
  • You have the right to access your Personal Information and get a copy of it.
  • You have the right to correct inaccurate Personal Information.
  • You have the right to delete your Personal Information.
  • You or your authorized agent can always contact us if you have a question at privacy@23andme.com

Contents

  1. Your Rights
  2. What We Collect
  3. How We Use Your Personal Information
  4. Changes to this notice

1. Your Rights

When we talk about “Personal Information” in this notice, we mean any information that identifies, relates to, describes, is capable of being associated with you, or could reasonably be linked, directly or indirectly, with you, and as otherwise defined in the U.S. State Data Protection Laws. The U.S. State Data Protection Laws do not consider publicly available information, deidentified, or aggregate consumer information as “Personal Information.”

We will not attempt to reidentify deidentified information (except as necessary to test our deidentification processes to ensure no individuals can be identified) and will use it only in deidentified form.

Let’s start with your privacy rights first. You have the right to:

  • Know what Personal Information we collect, use, disclose, share, or sell.
  • Receive a copy of your Personal Information.
  • Correct inaccurate Personal Information.
  • Delete your Personal Information.
  • Receive your Personal Information in a portable and, if technically feasible, in a readily usable format.
  • Opt out of: targeted advertising; the sale or sharing of your Personal Information with third parties; and/or, profiling in the furtherance of decisions that produce legal or similarly significant effects. Please see our Cookie Choices page for more information.
  • Limit the use and sharing of your sensitive Personal Information. Sensitive Personal Information includes, but is not limited to, Personal Information that reveals your racial or ethnic origin, religious beliefs, mental or health conditions or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic data, precise geolocation, or as otherwise defined in applicable U.S. State Data Protection Laws. Your 23andMe Registration Information, Genetic Information, and Self-Reported information likely include sensitive Personal Information.
  • Not receive discriminatory treatment if you exercise your privacy rights.

We make it easy to exercise your rights to knowcorrect, and delete your Personal Information by making them available through your Account Settings. To access Account Settings, you must log in to your 23andMe account.

If you do not have a 23andMe account and would like to make a privacy rights request, or to appeal an action we made related to your privacy request, you can email us at privacy@23andme.com with the subject line “Privacy Rights Request”. We will require some additional information to verify your identity in order to process your request. Alternatively, you may exercise your privacy rights through an authorized agent. If you use an authorized agent, we will require you to verify your identity and confirm that you have provided the authorized agent permission to submit the request on your behalf.

We will respond to your request within 45 days, and in more difficult cases we may extend our response time by another 45 days. The easiest way to exercise your rights is through your Account Settings so we can quickly verify your identity. Your rights under the U.S. State Data Protection Laws are not absolute and 23andMe may exercise limitations or exemptions as permitted by the U.S. State Data Protection Laws.

Notice of Right to Opt-Out of Sale/Sharing

Like many websites, 23andMe uses cookies (including other tracking technologies) for targeted or cross-context behavioral advertising. Cookies require your Web-Behavior Information to work.

Under the CCPA, this use of your data for cross-context behavioral advertising may constitute a “sale” or “sharing” of personal information. We let advertising providers collect identifiers (IP addresses, cookie IDs, and mobile IDs), activity data (browsing, clicks, app usage), device data, and geolocation data through our sites and apps when you use our online service. In the past 12 months, these categories of personal information may have been “sold” or “shared” as defined under CCPA. We do not have actual knowledge of selling or sharing personal information of users under the age of 16.

23andMe believes in providing you with a frictionless experience by responding to Global Privacy Control (“GPC”) signals sent by your browser or mobile device. A GPC is a signal from your browser that notifies us of your privacy preferences, such as whether or not you want us to drop cookies on your device. To check your GPC preferences, check out the settings or extensions in your browser or mobile device. Learn more about GPC. Otherwise you can always opt-out of cross-context behavioral or targeted advertising any time via the Cookie Choices page.

Notice of Financial Incentive

We may provide special offers and benefits to certain customers. For example, a customer may be invited to get a free kit via a discount code or special promotion. Such offers and benefits are voluntary and customers can choose not to accept the free kit. If a customer accepts a free kit, they can choose to close their account at any time via Account Settings or by contacting us at privacy@23andme.com. We collect the same Personal Information from a customer with a free kit as a customer who purchased their kit from us. Both customers’ Personal Information will be handled as detailed in this Policy.

While we do not assign a monetary value to the personal information we collect from a customer with a free kit, we do receive value in the form of customer loyalty, Research participation (if they choose to opt-in to Research), and increased engagement. The value of the personal information that we collect is reasonably related to the expenses related to our offering to you. This value will vary by customer depending on their engagement on the 23andMe Services, and many other factors.

File a complaint under the California Genetic Information Privacy Act or the Virginia Genetic Information Privacy Act

We encourage you to reach out to us with any complaints or concerns at privacy@23andme.com. Residents of the state of California or the state of Virginia may also file complaints if they believe certain rights were infringed under the California Genetic Information Privacy Act or the Virginia Genetic Information Privacy Act. 

If you are a California resident, you may file a complaint with the California Attorney General, or your California county district attorney. Residents of cities with more than 750,000 residents may file a complaint with their city attorney, and residents of cities with full-time city prosecutors may file a complaint with their city prosecutor. If you wish to file a complaint with your district attorney, city attorney, or city prosecutor, contact their local office for more information.


If you are a Virginia resident, you may file a complaint with the Virginia Attorney General, or contact the Virginia Consumers Protection Hotline at 1-800-552-9963.

2. What We Collect

As detailed in our Privacy Statement, we collect Personal Information for various purposes with privacy principles in mind.

Below, we describe the categories of Personal Information as defined under the CCPA for California residents, and may include reference to certain key definitions from our Privacy Statement. Some of the categories below require separate opt-in consent and these categories do not necessarily reflect all of the types of information that we may collect about you. We will provide you a separate notice if we collect any additional Personal Information about you. Some Personal Information included in the categories may overlap with other categories.

In the last twelve (12) months, we have collected the following categories of Personal Information:

  • Identifiers: Registration Information and information contained in Web-Behavior Information and/or User Content such as your name, display name, address, online identifier, IP address, email address, username, or other similar identifiers.
  • Personal information categories listed in the California Customer Records provisions: Certain information from Registration Information (including payment information), certain User Content (such as your name, address, or phone number), and/or certain Self-Reported Information (such as details about your employment or education).
  • Characteristics of protected classifications under California or federal law: Certain information from Registration Information, Self-Reported Information, and/or User Content, such as your age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, and genetic information (including familial genetic information). You can review protected classes under California law here.
  • Commercial information: Certain information from Self-Reported Information and/or User Content such as products or Services purchased, obtained, or considered, survey responses regarding past purchasing history, information about products you purchased or considered, or other purchasing or consuming histories or tendencies.
  • Audio, electronic, visual, thermal, olfactory, or similar information: Certain information from Self-Reported Information and/or User Content you provide to us through surveys or other engagement on our platform, such as when you upload a profile picture.
  • Professional or employment-related information: Certain information from Self-Reported Information and/or User Content such as education, household income, occupation, and other professional information. This information can be collected when you apply for a job with 23andMe, fill out a survey, or otherwise engage with us.
  • Biometric information: Certain information from Self-Reported Information and/or User Content such as physiological, behavioral, and biological characteristics that can be used to establish an individual’s identity. To the extent we collect this information, we collect it directly from you when you choose to share it with us.
  • Internet or other electronic network activity information: Web-Behavior Information such as data generated from your use of our Services and collected through log files, cookies, web beacons, and similar technologies. Such information may include your browser type, domains, page views, how long you spent on a page or feature of the website, or other data about your engagement with our Services.
  • Geolocation data: Web-Behavior Information that includes the identification or estimation of physical location or movement.
  • Inferences drawn from other personal information: Inferences and Derived Data includes any information, data, assumptions, or conclusions 23andMe infers based on analyses of facts, evidence, or another source of information or data. 23andMe may derive Genetic Information, such as imputed genotype data, genetic risk scores, and phenotypes (which are observable characteristics or traits). Generally this information is created by 23andMe and not collected directly from you. 23andMe may derive information from data that was collected in relation to our genetic testing services, directly from you, or through tracking technology.
  • Sensitive personal information: Genetic Information, and certain Registration Information, Sample Information, and Self-Reported Information may be considered “sensitive.” This includes data that reveals your: social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to your account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; mail, email, and/or text messaging contents where 23andMe is not an intended recipient; and genetic data.

23andMe may access publicly available information or public records from federal, state, or local government records (e.g., vital records, census data).

3. How We Use Your Personal Information

As defined under the CCPA for California residents, 23andMe may use Personal Information listed above for the purposes described below or at your direction. Such purposes include:

  • Providing Services: To provide our Services to you, including maintaining or servicing your account, providing customer service, processing or fulfilling orders and transactions, and more.
  • Audit: Auditing related to a current interaction and concurrent transactions, or compliance with applicable laws or standards.
  • Security and Integrity: Detecting security incidents, maintaining integrity, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
  • Debugging: Debugging to identify and repair errors that impair existing intended functionality.
  • Transient Use: Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of your current interaction with our business, provided that your Personal Information is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction.
  • Advertising and Marketing: To provide advertising and marketing to you, including cross-context behavioral advertising. Check out our Cookie Choices for more information on how we use your Web-Behavior Information for cross-context behavioral advertising.
  • Research and Development: Internal research that 23andMe performs to improve and develop its products and services.
  • Quality Assurance and Product Improvement: Activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by 23andMe, and otherwise to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by 23andMe.

If you have given your explicit consent, for example via a data transfer authorization or other consent document, we may use, disclose, or share your Personal Information for commercial or research purposes to third parties. The purpose, such as recruitment for external research or participation in 23andMe Research, may vary and will be described in the consent at that time.

In the past 12 months, we have disclosed Personal Information to service providers and contractors for the business purposes described above, and to third-party advertising and marketing companies for cross-context behavioral or targeted advertising.

We do not use or disclose sensitive Personal Information for purposes other than the business purposes permitted by CCPA, which include, for example, to perform our services, to detect and prevent security incidents, to perform services on behalf of the business, and other purposes as allowed by CCPA.

4. Changes to this notice

23andMe will periodically review and update this notice. We recommend visiting this page to stay aware of any changes. If we modify this notice, we will make the revised notice available through our website. Click here to view the older version of this notice.

Washington Consumer Health Data Privacy Policy

If you are a Washington resident, the Washington My Health My Data Act (“WAMHMD”) requires us to provide you with the following additional information about: (1) the categories of “Consumer Health Data” (as defined in the WAMHMDA) we collect including how we use the data; (2) the categories of sources from which the consumer health data are collected (3) the categories of consumer health data that are shared; (4) a list of the categories of third parties and specific affiliates with whom we share the consumer health data; and (5) how a consumer can exercise the rights provided by the act. Please see the following chart for the information:

Consumer Health Data we CollectSourcePurpose of Use and CollectionCategories of third-parties with whom we share
Individual health conditions, treatment, diseases, or diagnosis; 
Social, psychological, behavioral, and medical interventions; 
Health-related surgeries or procedures; 
Use or purchase of prescribed medication; 
Bodily functions, vital signs, symptoms, or measurements of other Consumer Health Data;
Diagnoses or diagnostic testing, treatment, or medication; 
Gender-affirming care information; 
Reproductive or sexual health information
Self-Reported (if you choose to complete our health surveys)Provide and manage the Services; Analyze and improve the Services;We do not share this information unless you direct us to; if directed by you, we will provide to Lemonaid Health, an affiliate of 23andMe.
Biometric dataSelf-Reported (if you choose)

*For Totalheath customers only*

Generated by our identity verification provider on behalf of 23andMe with your consent as you sign up for the TotalHealth services
Provide and manage the Services; Verify your identifyWe do not share this information unless you direct us to
 Bio sample and genetic dataBio sample is provided by you as you sign up for our services; genetic data is generated by 23andMe based on your bio sampleProvide our servicesWe do not share this information unless you direct us to; if directed by you, we will provide to Lemonaid Health, an affiliate of 23andMe.
Customer Health Data “derived or extrapolated from nonhealth information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)

We only collect and use this information with your express consent to our Personalized Recommendations terms		This information is generated from your use of our Services and collected through log files, cookies, web beacons, and similar technologies. Such information may include your browser type, domains, page views, how long you spent on a page or feature of the website, or other data about your engagement with our Services.Provide and manage the Services; Analyze and improve the Services; Advertising and marketingAnalytics and advertising partners

Your Rights

  • You have the right to confirm whether we collect your Consumer Health Data, how we use it, and whether we shared or sold it, including the contact information of any third parties to whom we shared or sold your Consumer Health Data. You also have the right to obtain a copy of that Consumer Health Data free of charge. 
  • You have the right to withdraw your consent from our collection and sharing of Consumer Health Data. 
  • You have the right to have your Consumer Health Data deleted. 

If for any reason we decline a request you make while exercising these rights, you have the right to appeal our decision. If you are a Washington resident, you may file a complaint with the Washington Attorney General, or contact the Washington Consumers Protection Hotline at 1-800-551-4636.

To exercise any of these rights, you may utilize the controls in your 23andMe Account Settings or email privacy@23andMe.com