Privacy Notice for California Residents

Effective Date: January 1, 2020

Summary

This Privacy Notice for California Residents supplements our Privacy Statement and applies solely to 23andMe consumers, as defined below. In the event of any conflict between the terms of this notice and the Privacy Statement, the terms of this notice prevail.

This notice details the rights of California residents under the California Consumer Privacy Act of 2018 (CCPA).

If you have any questions regarding the information presented on this page, please contact 23andMe at privacy@23andme.com.

Contents

  1. Key definitions
  2. Consumer rights
  3. Categories of personal information collected
  4. Changes to this notice
  5. Contact information

  1. Key definitions

    1. Consumer: natural persons who reside in California, including (1) individuals who are in California for other than a temporary and transitory purpose; and (2) individuals who are domiciled in California, but are outside the state for a temporary or transitory purpose.
    2. CCPA: the California Consumer Privacy Act of 2018, effective as of January 1, 2020, as amended or replaced from time to time, along with any implementing regulations.
    3. Personal information: as defined in the CCPA, and includes information that can be used to identify you, either alone or in combination with other information, and any other information that could reasonably be linked with a particular consumer or device.

  2. Consumer rights

    1. Notice and access.

      As a consumer, you have the right to know:

      • The categories of personal information we collect about you;
      • The categories of sources from which the information was collected;
      • The business or commercial purpose for collecting, disclosing, or selling personal information; and
      • The categories of third parties we have disclosed personal information to for a business purpose and the categories of personal information disclosed.

      You may request that 23andMe provide you access to the specific pieces of personal information collected about you in a readily usable format.

      Your access rights under the CCPA are not absolute. Specifically, the CCPA limits the information you can request to personal information collected in the 12-month period preceding our receipt of the request. Additionally, under the CCPA, 23andMe is not obligated to respond to requests for access to personal information more than twice in a twelve month period.

      23andMe may, in its sole discretion, choose to provide personal information in response to a consumer’s access request that relate to a time period greater than the preceding 12 months or respond to a consumer request more frequently than required by law; choosing to do so, however, does not constitute an obligation to do so.

    2. Deletion.

      You may request that 23andMe delete the personal information we process about you, subject to certain limitations. Your personal information may not be deleted if the information is necessary to:

      • Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
      • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
      • Debug products to identify and repair errors that impair existing intended functionality.
      • Ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
      • Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
      • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
      • To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
      • Comply with a legal obligation.
      • Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

    3. Opt-out of sales.

      The CCPA provides you the right to opt-out of having your personal information sold by a business. 23andMe does not sell personal information to third parties.

    4. Non-discrimination.

      The CCPA prohibits businesses from discriminating against a consumer for exercising their rights under the CCPA. 23andMe will not discriminate against you for exercising any of your CCPA rights.

    5. Designated methods for submitting rights requests.

      Access and deletion rights may be exercised within your 23andMe Account Settings. For additional details regarding account deletion, see Section 5.d. of our Privacy Statement.

      If you have not created a 23andMe account, you may contact us directly to submit your request by emailing privacy@23andme.com with the subject line “CCPA Rights Request” or calling our Customer Care team at 1.800.239.5230.

    6. Verifying consumer requests.

      Only you or someone legally authorized to act on your behalf may make a verifiable consumer request related to your personal information. Your request must:

      • Provide sufficient information that allows us to verify you are the person about whom we collected personal information or an authorized representative.
      • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

      Generally, requests submitted through your 23andMe account will be considered sufficiently verified when the request relates to personal information associated with that specific account. However, if you have not created, or no longer have access to your 23andMe account, we may request additional materials or information for the purposes of validating the authenticity of your request.

      23andMe will use the information provided in connection with a verification request solely for the purposes of verification. We cannot effectuate your request if we are unable to verify your identity or authority to make the request and confirm that the personal information relates to you.

      There may be other situations where 23andMe is unable or not required to effectuate your rights request. In such circumstances, 23andMe will respond to your request within the period required by the CCPA. The response will provide relevant details regarding 23andMe’s determination and any additional, pertinent information about your request.

  3. Categories of personal information collected

    When you choose to use our Services, including visiting our website, we may collect and process your personal information. 23andMe has collected the following categories of personal information from its consumers within the last twelve (12) months as necessary to provide our Services and/or as otherwise allowed under our Privacy Statement. The categories of personal information and other terms used below are defined in California Civil Code 1798.140, and may include reference to certain key definitions set forth in our Privacy Statement.

    1. Information you provide directly to us.

      Information Description Business or commercial purpose(s) of collection Business purpose(s) for disclosure

      Identifiers

      • Registration Information, such as your name and email address.
      • User Content, such as your government-issued ID which may be requested in exceptional circumstances to assist you in regaining access to your account.
      • Web-Behavior Information, such as your device ID or IP address, automatically collected when you visit our website.

      Generally identifiers are provided directly to us, collected automatically when you visit our website, or created on your behalf when you sign up for our Services to allow 23andMe to provide our Services.

      • Provide you with Services and analyze and improve our Services (Read more in our Privacy Statement)
      • Process, analyze and deliver your genetic testing results
      • Allow you to share your Personal Information with others
      • Allow you to share your Personal Information for research purposes
      • Recruit you for external research
      • Provide customer support
      • Conduct surveys or polls, and obtain testimonials
      • Provide you with marketing communications

      Identifiers are sometimes processed by our service providers for the following purposes:

      • Audit
      • Security
      • Debugging
      • Transient use
      • 23andMe Research
      • Quality assurance and product improvement

      Personal information categories listed in the California Customer Records statute (Cal. Civ. Code §1798.80(e))

      • Registration Information, such as your name and address.
      • Self-Reported Information, such as details about your employment or education.
      • User Content, such as your government-issued identification which may be requested in exceptional circumstances to assist you in regaining access your account.

      Some personal information included in this category may overlap with other categories.

      • Provide you with Services and analyze and improve our Services
      • Process, analyze and deliver your genetic testing results
      • Allow you to share your Personal Information with others
      • Allow you to share your Personal Information for research purposes
      • Recruit you for external research
      • Provide customer support
      • Provide you with marketing communications

      California Customer Records information is sometimes processed by our service providers for the following purposes:

      • Audit
      • Security
      • Transient use
      • 23andMe Research
      • Quality assurance and product improvement

      Protected classification characteristics

      • Protected classification characteristics we process include age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information)

      Generally this information is collected because you provide it directly to us. Certain elements, including Genetic Information, ancestry, and sex, may be developed or analyzed by 23andMe in relation to our genetic testing services. You can review protected classes under California Law here.

      • Provide you with Services and analyze and improve our Services
      • Process, analyze and deliver your genetic testing results
      • Allow you to share your Personal Information with others
      • Allow you to share your Personal Information for research purposes
      • Recruit you for external research
      • Provide customer support
      • Conduct surveys or polls, and obtain testimonials
      • Provide you with marketing communications

      Protected classification characteristics are sometimes processed by our service providers for the following purposes:

      • Audit
      • Security
      • Transient use
      • 23andMe Research
      • Quality assurance and product improvement

      Commercial information

      • Self-Reported Information, such as survey responses regarding past purchasing history.
      • User Content, such as information you share on 23andMe forums about products you purchased or considered.

      Generally, this information is collected directly from you.

      • Provide you with Services and analyze and improve our Services
      • Allow you to share your Personal Information for research purposes
      • Recruit you for external research
      • Provide customer support
      • Conduct surveys or polls, and obtain testimonials
      • Provide you with marketing communications

      Commercial information is sometimes processed by our service providers for the following purposes:

      • Audit
      • Security
      • Transient use
      • 23andMe Research
      • Quality assurance and product improvement

      Sensory data

      • Self-Reported Information including audio, electronic, visual, thermal, olfactory, or similar information.

      Generally, this information is collected directly from you, or passively collected about you with your permission.

      • Provide you with Services and analyze and improve our Services
      • Allow you to share your Personal Information with others
      • Allow you to share your Personal Information for research purposes
      • Recruit you for external research
      • Provide customer support
      • Conduct surveys or polls, and obtain testimonials
      • Provide you with marketing communications

      Sensory data is sometimes processed by our service providers for the following purposes:

      • 23andMe Research
      • Quality assurance and product improvement

      Professional, Education, or employment-related information.

      • Self-Reported Information including education, household income, occupation, and other professional information.

      Generally, this information is collected directly from you.

      • Allow you to share your Personal Information for research purposes
      • Recruit you for external research
      • Provide customer support
      • Conduct surveys or polls, and obtain testimonials
      • Provide you with marketing communications

      Professional, Education and employment-related information is sometimes processed by our service providers for the following purposes:

      • 23andMe Research
      • Quality assurance and product improvement

    2. Information collected in relation to our genetic testing services.

      Information Description Business or commercial purpose(s) of collection Business purpose(s) for disclosure

      Biometric information

      • Genetic Information (your As, Cs, Ts, and Gs)
      • Self-Reported Information about physiological, behavioral, and biological characteristics, or other identifier or identifying information, and sleep, health, or exercise data

      Generally, this information is collected directly from you or developed or analyzed by 23andMe in relation to our genetic testing services.

      • Provide you with Services and analyze and improve our Services
      • Process, analyze and deliver your genetic testing results
      • Allow you to share your Personal Information with others
      • Allow you to share your Personal Information for research purposes
      • Recruit you for external research
      • Provide customer support
      • Conduct surveys or polls, and obtain testimonials

      Biometric information is sometimes processed by our service providers for the following purposes:

      • Audit
      • 23andMe Research
      • Quality assurance and product improvement

    3. Information collected through tracking technology (e.g. from cookies and similar technologies).

      Information Description Purpose of Collection Business purpose(s) for disclosure

      Internet or other electronic network activity information

      • Web-Behavior Information, including data generated from your use of our Services and collected through log files, cookies, web beacons, and similar technologies, (e.g., browser type, domains, page views).

      Our Cookie Policy contains more information about how 23andMe processes Web-Behavior Information.

      • Provide you with Services and analyze and improve our Services
      • Allow you to share your Personal Information with others
      • Allow you to share your Personal Information for research purposes
      • Recruit you for external research
      • Provide customer support
      • Conduct surveys or polls, and obtain testimonials
      • Provide you with marketing communications

      Internet information is sometimes processed by our service providers for the following purposes:

      • Audit
      • Security
      • Debugging
      • Transient use
      • 23andMe Research
      • Quality assurance and product improvement

      Geolocation data

      • Web-Behavior Information that includes the identification or estimation of physical location or movement.

      Our Cookie Policy contains more information about how 23andMe processes Web-Behavior Information.

      • Provide you with Services and analyze and improve our Services
      • Allow you to share your Personal Information with others
      • Allow you to share your Personal Information for research purposes
      • Recruit you for external research
      • Provide customer support
      • Conduct surveys or polls, and obtain testimonials
      • Provide you with marketing communications

      Geolocation data is sometimes processed by our service providers for the following purposes:

      • Audit
      • Security
      • Debugging
      • Transient use
      • 23andMe Research
      • Quality assurance and product improvement

    4. Derived information created from other personal information.

      Information Description Purpose of Collection Business purpose(s) for disclosure

      Inferences and derived data

      Inferences and derived information are any information, data, assumptions, or conclusions 23andMe infers based on analyses of facts, evidence, or another source of information or data.

      • 23andMe may derive Genetic Information, such as imputed genotype data, genetic risk scores, and phenotypes (which are observable characteristics or traits).

      Generally this information is created by 23andMe and not collected directly from you. 23andMe may derive information from data that was collected in relation to our genetic testing services, directly from you, or through tracking technology.

      • Provide you with Services and analyze and improve our Services
      • Process, analyze and deliver your genetic testing results
      • Allow you to share your Personal Information with others
      • Allow you to share your Personal Information for research purposes
      • Recruit you for external research
      • Conduct surveys or polls, and obtain testimonials
      • Provide you with marketing communications

      Inferences and derived data are sometimes processed by our service providers for the following purposes:

      • Audit
      • Security
      • Debugging
      • Transient use
      • 23andMe Research
      • Quality assurance and product improvement

    5. Disclosures of personal information for a business purpose

      23andMe may share information listed above under “Categories of personal information collected” with our service providers for operational business purposes including:

      • Audit: Auditing related to a current interaction and concurrent transactions.
      • Security: Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity. Please see Section 4.e. of our Privacy Statement for more information.
      • Debugging: Debugging to identify and repair errors that impair existing intended functionality.
      • Transient use: Short-term, transient use, where personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction.
      • 23andMe Research: Scientific research that 23andMe performs with the intent to publish in a peer-reviewed scientific journal.
      • Quality assurance and product improvement: Activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by 23andMe, and otherwise to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by 23andMe.

    6. Disclosures of personal information for a commercial purpose

      If you have given your explicit consent, for example via a data transfer authorization or other consent document, we may disclose the categories of personal information detailed above for commercial purposes. The purpose, such as recruitment for external research, may vary and will be specified in the consent.

  4. Changes to this notice

    23andMe will review and update this notice at least once every 12 months and more frequently as needed. We recommend visiting this page periodically to stay aware of any changes. If we modify this notice, we will make the revised notice available through our website.

  5. Contact information

    If you have questions about this notice, or wish to submit a complaint, request or inquiry, please email 23andMe's Privacy Administrator at privacy@23andme.com, or send a letter to:

    Privacy Administrator
    23andMe, Inc.
    223 N. Mathilda Avenue
    Sunnyvale, CA 94086
    1.800.239.5230