Is 23andMe Safe?

September 22, 2017

Finding the best ancestry DNA test that can meet your unique needs can be difficult. If we set the testing quality aside, we are left with the overall security of your personal data. During the testing process, you’ll provide your company of choice with all kinds of private and sensitive information, and you want to make sure it doesn’t share that information with third parties or use it without your explicit consent. Today, we’re looking into 23andMe, one of the most popular ancestry DNA testing companies out there.


23andMe Privacy Highlights

23andMe collects the information you provide through your personal account, surveys and forms, the company’s applications and features, and the service itself. It’ll also collect data when you upload content, use connected social media, refer contacts, and share information through interactions with the company or its partners. Note that 23andMe also uses cookies to further personalize its service. You can read the entire Cookie Policy on the official website. The most important thing, though, is the fact that cookies can’t be used to activate programs on your computer or introduce viruses and malware.

What Information Does 23andMe Collect?

Once you decide to place an order with 23andMe, the data collection process begins. Here, we’ll take a look at all the information you’ll provide during the course of your ancestry testing.

The information you provide directly includes:

  • Registration info – When you create your personal 23andMe account, you’ll provide your name, birth date, shipping and billing address, payment details, and contact information (phone number, email, license number, etc.).
  • Self-reported info – You can provide additional information about yourself through forms, surveys, features, and applications.
  • User content – Some of 23andMe’s services allow you to create and post or upload content (messages in community forums, for example).
  • Social media features and widgets – 23andMe’s social media features (Facebook Like/Share and the LinkedIn Open ID app) can record your IP address and the pages you visited on the company’s site.
  • Referral information and sharing – If you refer a person to 23andMe or share your results, the company will request that person’s email address.
  • Address books – If you use your PC or mobile address books in connection with 23andMe, the company can collect the contact information of the people you want to refer or have communicate with the company.
  • Third-party services – If you use third-party sites (Facebook, Twitter…) in connection with 23andMe to communicate with another person, the company will collect that person’s name and contact info but can also store your profile picture, gender, network, user ID, username, language and country, age range, friend or follower lists, etc.
  • Gifts – If you order a testing kit as a gift through 23andMe, the company will collect information about the recipient. This info will not be shared with you, however.
  • Customer service – When you contact 23andMe’s customer service, it’ll collect certain info in order to track and respond to your inquiry and improve its service.

The information related to genetic testing includes:

  • Saliva sample and bio-banking – In order to take the test with 23andMe, you’ll have to send your saliva sample for genetic processing. Your unique test kit code will make you identifiable to the company itself, but not its third-party laboratory. Unless you opt to bio-bank (store) your saliva sample with 23andMe, it’ll be destroyed after the testing is complete.
  • Genetic information – Your genetic information is located within your final report.

The information obtained through tracking technologies (cookies, web beacons, device identifiers, and similar programs) includes:

  • Web behavior – The company monitors your interaction with its website, your results, and the overall success of its marketing program. It’ll also use this info to gather demographic data about its user base. The programs automatically collect and store information about your browser type, IP address, ISP, operating system, referring/exit pages, time stamps, and clickstream data.
  • Google Analytics – 23andMe uses the User-ID feature to combine behavioral data across devices and sessions.

23andMe will use the collected information to:  

  • Provide, analyze, and further improve its services 
  • Personalize its marketing and advertising endeavors 
  • Maintain the security of the company, its employees, and customers 
  • Comply with relevant laws and regulations 
  • Advance its research projects (only with your explicit consent) 

Note that 23andMe follows the letter of the law at all times and never operates outside of the permitted boundaries.  

When you accept the company’s Privacy Statement and Terms of Service, 23andMe can:

  • Perform analysis of your data and provide you with its service 
  • Perform analysis and give you information about your ancestry 
  • Determine your eligibility for polls, surveys, and questionnaires 
  • Monitor and improve the quality of the existing products and services or develop new ones 

The company will never use your information without your consent unless it is already aggregated and anonymized so that you can’t be positively identified as an individual. The other possibility of using your data without your consent involves potential court orders requiring the company to disclose personal information.  

Transfer Of Personal Information

By accepting 23andMe’s Privacy Policy and Terms of Service, you authorize the company to store and process your personal data, including sensitive information, within the US and other countries outside your country of residence.

The company will never sell, lease or rent your personal info to any third parties. With your explicit consent, the company may share your data with third parties for research purposes.  

As we already mentioned, the company may share aggregated and anonymized information with third parties, but that data has already been “stripped” of any information that can identify you as a person (your name, contact info…). Note that, once given, your consent can also be withdrawn at any moment by simply changing the consent status within your personal 23andMe account.

23andMe Security Measures

23andMe implements a wide range of technical, physical, and administrative measures to prevent unauthorized access or disclosure of your personal data. Any connection to the official website is protected with SSL technology.

The company also warns against sharing your password, secret questions/answers, and similar authentication info that can be used to access the service in your name.
