Privacy Notice for U.S. State Residents
Last Updated: March 30, 2023
This Privacy Notice for U.S. State Residents applies to residents of California, Colorado, and Virginia, and contains information required by the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act, Colorado Privacy Act (“CPA”), and Virginia Consumer Data Protection Act (“VCDPA”) (collectively, “U.S. State Data Protection Laws”), as amended or replaced from time to time, along with any implementing regulations, and supplements our Privacy Statement.
This policy, together with the 23andMe Privacy Statement, includes the information and disclosures we are required to provide to you under U.S. State Data Protection Laws. You should read them both carefully.
23andMe applies certain privacy controls to all U.S. customers. For example, all customers can request a copy of their data, request deletion, and control their privacy settings in their Account Settings. This notice makes sure we cover state-specific requirements. In the event of any conflict between the terms of this notice and the Privacy Statement, the terms of this notice prevail.
Here is a summary before we dive into the details:
- You have the right to know whether we sell or share your Personal Information and opt-out of a sale or sharing of your Personal Information with a third party.
- You have the right to receive an overview of the Personal Information we collect, how we use it, and who we share it with.
- You have a right to limit use and sharing of your sensitive Personal Information.
- You have the right to access your Personal Information and get a copy of it.
- You have the right to correct inaccurate Personal Information.
- You have the right to delete your Personal Information.
- You or your authorized agent can always contact us if you have a question at email@example.com
1. Your Rights
When we talk about “Personal Information” in this notice, we mean any information that identifies, relates to, describes, is capable of being associated with you, or could reasonably be linked, directly or indirectly, with you, and as otherwise defined in the U.S. State Data Protection Laws. The U.S. State Data Protection Laws do not consider publicly available information, deidentified, or aggregate consumer information as “Personal Information.”
We will not attempt to reidentify deidentified information (except as necessary to test our deidentification processes to ensure no individuals can be identified) and will use it only in deidentified form.
Let’s start with your privacy rights first. You have the right to:
- Know what Personal Information we collect, use, disclose, share, or sell.
- Receive a copy of your Personal Information.
- Correct inaccurate Personal Information.
- Delete your Personal Information.
- Receive your Personal Information in a portable and, if technically feasible, in a readily usable format.
- Opt out of: targeted advertising; the sale or sharing of your Personal Information with third parties; and/or, profiling in the furtherance of decisions that produce legal or similarly significant effects. Please see our Cookie Choices page for more information.
- Limit the use and sharing of your sensitive Personal Information. Sensitive Personal Information includes, but is not limited to, Personal Information that reveals your racial or ethnic origin, religious beliefs, mental or health conditions or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic data, precise geolocation, or as otherwise defined in applicable U.S. State Data Protection Laws. Your 23andMe Registration Information, Genetic Information, and Self-Reported information likely include sensitive Personal Information.
- Not receive discriminatory treatment if you exercise your privacy rights.
We make it easy to exercise your rights to know, correct, and delete your Personal Information by making them available through your Account Settings. To access Account Settings, you must log in to your 23andMe account.
If you do not have a 23andMe account and would like to make a privacy rights request, or to appeal an action we made related to your privacy request, you can email us at firstname.lastname@example.org with the subject line “Privacy Rights Request”. We will require some additional information to verify your identity in order to process your request. Alternatively, you may exercise your privacy rights through an authorized agent. If you use an authorized agent, we will require you to verify your identity and confirm that you have provided the authorized agent permission to submit the request on your behalf.
We will respond to your request within 45 days, and in more difficult cases we may extend our response time by another 45 days. The easiest way to exercise your rights is through your Account Settings so we can quickly verify your identity. Your rights under the U.S. State Data Protection Laws are not absolute and 23andMe may exercise limitations or exemptions as permitted by the U.S. State Data Protection Laws.
Notice of Right to Opt-Out of Sale/Sharing
Under the CCPA, this use of your data for cross-context behavioral advertising may constitute a “sale” or “sharing” of personal information. We let advertising providers collect identifiers (IP addresses, cookie IDs, and mobile IDs), activity data (browsing, clicks, app usage), device data, and geolocation data through our sites and apps when you use our online service. In the past 12 months, these categories of personal information may have been “sold” or “shared” as defined under CCPA. We do not have actual knowledge of selling or sharing personal information of users under the age of 16.
23andMe believes in providing you with a frictionless experience by responding to Global Privacy Control (“GPC”) signals sent by your browser or mobile device. A GPC is a signal from your browser that notifies us of your privacy preferences, such as whether or not you want us to drop cookies on your device. To check your GPC preferences, check out the settings or extensions in your browser or mobile device. Learn more about GPC. Otherwise you can always opt-out of cross-context behavioral or targeted advertising any time via the Cookie Choices page.
Notice of Financial Incentive
We may provide special offers and benefits to certain customers. For example, a customer may be invited to get a free kit via a discount code or special promotion. Such offers and benefits are voluntary and customers can choose not to accept the free kit. If a customer accepts a free kit, they can choose to close their account at any time via Account Settings or by contacting us at email@example.com. We collect the same Personal Information from a customer with a free kit as a customer who purchased their kit from us. Both customers’ Personal Information will be handled as detailed in this Policy.
While we do not assign a monetary value to the personal information we collect from a customer with a free kit, we do receive value in the form of customer loyalty, Research participation (if they choose to opt-in to Research), and increased engagement. The value of the personal information that we collect is reasonably related to the expenses related to our offering to you. This value will vary by customer depending on their engagement on the 23andMe Services, and many other factors.
2. What We Collect
As detailed in our Privacy Statement, we collect Personal Information for various purposes with privacy principles in mind.
Below, we describe the categories of Personal Information as defined under the CCPA for California residents, and may include reference to certain key definitions from our Privacy Statement. Some of the categories below require separate opt-in consent and these categories do not necessarily reflect all of the types of information that we may collect about you. We will provide you a separate notice if we collect any additional Personal Information about you. Some Personal Information included in the categories may overlap with other categories.
In the last twelve (12) months, we have collected the following categories of Personal Information:
- Identifiers: Registration Information and information contained in Web-Behavior Information and/or User Content such as your name, display name, address, online identifier, IP address, email address, username, or other similar identifiers.
- Personal information categories listed in the California Customer Records provisions: Certain information from Registration Information (including payment information), certain User Content (such as your name, address, or phone number), and/or certain Self-Reported Information (such as details about your employment or education).
- Characteristics of protected classifications under California or federal law: Certain information from Registration Information, Self-Reported Information, and/or User Content, such as your age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, and genetic information (including familial genetic information). You can review protected classes under California law here.
- Commercial information: Certain information from Self-Reported Information and/or User Content such as products or Services purchased, obtained, or considered, survey responses regarding past purchasing history, information about products you purchased or considered, or other purchasing or consuming histories or tendencies.
- Audio, electronic, visual, thermal, olfactory, or similar information: Certain information from Self-Reported Information and/or User Content you provide to us through surveys or other engagement on our platform, such as when you upload a profile picture.
- Professional or employment-related information: Certain information from Self-Reported Information and/or User Content such as education, household income, occupation, and other professional information. This information can be collected when you apply for a job with 23andMe, fill out a survey, or otherwise engage with us.
- Biometric information: Certain information from Self-Reported Information and/or User Content such as physiological, behavioral, and biological characteristics that can be used to establish an individual’s identity. To the extent we collect this information, we collect it directly from you when you choose to share it with us.
- Internet or other electronic network activity information: Web-Behavior Information such as data generated from your use of our Services and collected through log files, cookies, web beacons, and similar technologies. Such information may include your browser type, domains, page views, how long you spent on a page or feature of the website, or other data about your engagement with our Services.
- Geolocation data: Web-Behavior Information that includes the identification or estimation of physical location or movement.
- Inferences drawn from other personal information: Inferences and Derived Data includes any information, data, assumptions, or conclusions 23andMe infers based on analyses of facts, evidence, or another source of information or data. 23andMe may derive Genetic Information, such as imputed genotype data, genetic risk scores, and phenotypes (which are observable characteristics or traits). Generally this information is created by 23andMe and not collected directly from you. 23andMe may derive information from data that was collected in relation to our genetic testing services, directly from you, or through tracking technology.
- Sensitive personal information: Genetic Information, and certain Registration Information, Sample Information, and Self-Reported Information may be considered “sensitive.” This includes data that reveals your: social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to your account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; mail, email, and/or text messaging contents where 23andMe is not an intended recipient; and genetic data.
3. How We Use Your Personal Information
As defined under the CCPA for California residents, 23andMe may use Personal Information listed above for the purposes described below or at your direction. Such purposes include:
- Providing Services: To provide our Services to you, including maintaining or servicing your account, providing customer service, processing or fulfilling orders and transactions, and more.
- Audit: Auditing related to a current interaction and concurrent transactions, or compliance with applicable laws or standards.
- Security and Integrity: Detecting security incidents, maintaining integrity, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging: Debugging to identify and repair errors that impair existing intended functionality.
- Transient Use: Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of your current interaction with our business, provided that your Personal Information is not disclosed to another third party and is not used to build a profile about you or otherwise alter your experience outside the current interaction.
- Advertising and Marketing: To provide advertising and marketing to you, including cross-context behavioral advertising. Check out our Cookie Choices for more information on how we use your Web-Behavior Information for cross-context behavioral advertising.
- Research and Development: Internal research that 23andMe performs to improve and develop its products and services.
- Quality Assurance and Product Improvement: Activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by 23andMe, and otherwise to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by 23andMe.
If you have given your explicit consent, for example via a data transfer authorization or other consent document, we may use, disclose, or share your Personal Information for commercial or research purposes to third parties. The purpose, such as recruitment for external research or participation in 23andMe Research, may vary and will be described in the consent at that time.
In the past 12 months, we have disclosed Personal Information to service providers and contractors for the business purposes described above, and to third-party advertising and marketing companies for cross-context behavioral or targeted advertising.
We do not use or disclose sensitive Personal Information for purposes other than the business purposes permitted by CCPA, which include, for example, to perform our services, to detect and prevent security incidents, to perform services on behalf of the business, and other purposes as allowed by CCPA.
4. Changes to this notice
23andMe will periodically review and update this notice. We recommend visiting this page to stay aware of any changes. If we modify this notice, we will make the revised notice available through our website. Click here to view the older version of this notice.