Privacy Notice for California Residents

Last Updated: July 2, 2021

We’ve updated this notice as part of our CCPA compliance efforts and to make this notice easier to read.

Summary

This Privacy Notice for California Residents contains information required by the California Privacy Consumer Privacy Act (“CCPA”), as amended or replaced from time to time, along with any implementing regulations, and supplements our Privacy Statement. 23andMe’s privacy principles are the same for all customers. For example, all customers can request a copy of their data, request deletion, and control their privacy settings in their Account Settings. This notice makes sure we cover California-specific requirements. In the event of any conflict between the terms of this notice and the Privacy Statement, the terms of this notice prevail.

Here is a summary before we dive into the details:

  • You have the right to know whether we sell your Personal Information and opt-out of a sale if we do. But rest-assured, we do not sell your Personal Information.
  • You have the right to receive an overview of the Personal Information we collect, how we use it, and who we share it with.
  • You can request access to your Personal Information, get a copy, and delete your Personal Information.
  • You or your authorized agent can always contact us if you have a question at privacy@23andme.com

Contents

  1. Your Rights
  2. What We Collect
  3. How We Use Your Personal Information
  4. Changes to this notice

1. Your Rights

When we talk about “Personal Information” in this notice, we mean any information that identifies, relates to, describes, is capable of being associated with you, or could reasonably be linked, directly or indirectly, with you, and as otherwise defined in the CCPA. The CCPA does not consider publicly available information as “Personal Information.”

Let’s start with your rights first. You have the right to:

  • Know what Personal Information we collect, use, disclose, or sell.
  • Receive a copy of your Personal Information.
  • Delete your Personal Information.
  • Not receive discriminatory treatment if you exercise your CCPA rights.

We make it easy to exercise your CCPA rights by making them available through your Account Settings. To access Account Settings, you must log in to your 23andMe account. Please see Section 5 of the Privacy Statement for more guidance on exercising your choices through Account Settings.

If you do not have a 23andMe account and would like to make a CCPA rights request, you can email us at privacy@23andme.com with the subject line “CCPA Rights Request”. We will require some additional information to verify your identity in order to process your request. Alternatively, you may exercise your CCPA rights through an authorized agent. If you use an authorized agent, we will require you to verify your identity and confirm that you have provided the authorized agent permission to submit the request on your behalf. We will respond to your request within 45 days, and in more difficult cases we may extend our response time by another 45 days. The easiest way to exercise your rights is through your Account Settings so we can quickly verify your identity. Your rights under the CCPA are not absolute and 23andMe may exercise limitations or exemptions as permitted by the CCPA.

23andMe does not sell Personal Information to third parties. The CCPA provides you with the right to know whether your Personal Information is being sold and to opt-out of such sales.

2. What We Collect

As detailed in our Privacy Statement, we collect Personal Information for various purposes with privacy principles in mind. Choice and transparency are just as important to us as they are to you. The categories of Personal Information and other terms used below are defined in California Civil Code 1798.140, and may include reference to certain key definitions set forth in our Privacy Statement. Some of the categories below require separate opt-in consent and these categories do not necessarily reflect all of the types of information that we may collect about you. We will provide you a separate notice if we collect any additional Personal Information from you!

In the last twelve (12) months, we have collected the following categories of Personal Information from our customers:

  • Identifiers: Registration Information, Web-Behavior Information, and/or User Content such as your name, display name, address, online identifier, IP address, email address, username, or other similar identifiers. We mainly use these to offer our Services, such as when you create an account with us, purchase our Services, or when you choose to connect with other customers of 23andMe.
  • Personal information categories listed in the California Customer Records provisions: Registration Information, Self-Reported Information, and/or User Content such as your name, address, phone number, Self-Reported Information (such as details about your employment or education), and payment information (last 4 digits only). Some Personal Information included in this category may overlap with other categories. Similarly to the category above, we mainly use this information to offer our Services to you.
  • Characteristics of protected classifications under California or federal law: Registration Information, Self-Reported Information, and/or User Content such as your age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, and genetic information (including familial genetic information). You can review protected classes under California law here. Generally this information is collected because you provide it directly to us. Certain elements, including Genetic Information, ancestry, and sex, may be developed or analyzed by 23andMe in relation to our genetic testing services.
  • Commercial information: Self-Reported Information and/or User Content such as products or Services purchased, obtained, or considered, survey responses regarding past purchasing history, information you share on 23andMe forums about products you purchased or considered, or other purchasing or consuming histories or tendencies. For example, we may keep this information when you purchase products through 23andMe.
  • Audio, electronic, visual, thermal, olfactory, or similar information: Self-Reported Information and/or User Content you provide to us through surveys or other engagement on our platform, such as when you upload a profile picture. Generally, this information is collected directly from you, or passively collected about you with your permission.
  • Professional or employment-related information: Self-Reported Information and/or User Content such as education, household income, occupation, and other professional information. This information can be collected when you apply for a job with 23andMe, fill out a survey, or otherwise engage with us.
  • Biometric information: Self-Reported Information and/or User Content such as physiological, behavioral, and biological characteristics that can be used to establish an individual’s identity. To the extent we collect this information, we collect it directly from you when you choose to share it with us.
  • Internet or other electronic network activity information: Web-Behavior Information such as data generated from your use of our Services and collected through log files, cookies, web beacons, and similar technologies. Such information may include your browser type, domains, page views, how long you spent on a page or feature of the website, or other data about your engagement with our Services.
  • Geolocation data: Web-Behavior Information that includes the identification or estimation of physical location or movement. You can learn more about how 23andMe processes Web-Behavior Information in our Cookie Policy.
  • Inferences drawn from other personal information: Inferences and Derived Data includes any information, data, assumptions, or conclusions 23andMe infers based on analyses of facts, evidence, or another source of information or data. 23andMe may derive Genetic Information, such as imputed genotype data, genetic risk scores, and phenotypes (which are observable characteristics or traits). Generally this information is created by 23andMe and not collected directly from you. 23andMe may derive information from data that was collected in relation to our genetic testing services, directly from you, or through tracking technology.

3. How We Use Your Personal Information

23andMe may share Personal Information listed above for operational business purposes or at your direction. Such business purposes include:

  • Providing Services: To provide our Services to you, including maintaining or servicing your account, providing customer service, processing or fulfilling orders and transactions, and more.
  • Audit: Auditing related to a current interaction and concurrent transactions.
  • Security: Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity. Please see Section 4.e. of our Privacy Statement for more information.
  • Debugging: Debugging to identify and repair errors that impair existing intended functionality.
  • Transient Use: Short-term, transient use, where personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction.
  • 23andMe Product Research and Development: Research that 23andMe performs to improve and develop its products and services.
  • Quality Assurance and Product Improvement: Activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by 23andMe, and otherwise to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by 23andMe.

If you have given your explicit consent, for example via a data transfer authorization or other consent document, we may share your Personal Information for commercial purposes. The purpose, such as recruitment for external research, may vary and will be described in the consent.

4. Changes to this notice

23andMe will periodically review and update this notice. We recommend visiting this page to stay aware of any changes. If we modify this notice, we will make the revised notice available through our website. Click here to view the older version of this notice.