
23andMe is a direct-to-consumer genetic testing service that provides information and tools for individuals interested in exploring their DNA. While 23andMe has stated that it will use all legal and administrative resources to resist requests from law enforcement, the company may be required by law to comply with valid court orders, subpoenas, or search warrants for genetic or personal information. To date, 23andMe has not released any data to law enforcement, and customers have the ability to download their raw data or delete their accounts at any time. Requests for information from law enforcement must be made in writing and include specific details about the information requested and its relevance to the investigation. If a user authorizes the disclosure of their genetic information to law enforcement, 23andMe will disclose the information identified in the authorization, but will not release any identifying information about the user's genetic relatives without their consent.
Explore related products
What You'll Learn

23andMe's commitment to protecting user data
23andMe has outlined its commitment to protecting user data through various security measures and privacy practices. The company states that it employs software, hardware, and physical security measures to safeguard user information. This includes encryption of all sensitive data, both at rest and in transit, as well as regular security assessments to identify vulnerabilities and potential threats.
Additionally, 23andMe provides users with robust controls over their genetic data, ensuring that it will not be shared with employers, insurance companies, or public databases without explicit consent. Users can decide how their information is stored, used, and shared, and 23andMe will not release individual-level personal information to law enforcement without valid legal process and explicit user consent, unless required by law.
The company has achieved three ISO certifications, demonstrating the strength of its security program. 23andMe's information security management system has also been certified under the globally recognized ISO/IEC 27001:2013, 27018, and 27701 standards, providing further proof of its commitment to information security and user privacy.
In terms of sharing data with law enforcement, 23andMe has published a Guide for Law Enforcement that outlines the procedures for requesting user information. The company closely scrutinizes all requests and will only comply with court orders, subpoenas, search warrants, or other legally valid requests. 23andMe also publishes a Transparency Report, detailing all law enforcement requests for user information received.
Despite these commitments, 23andMe has faced challenges, including a data breach in 2024 that affected approximately 14,000 user accounts. The company has since taken steps to enhance security, such as requiring two-step verification for all customers and encouraging the use of multi-factor authentication.
How State Laws Can Be Repealed
You may want to see also
Explore related products
$19.74 $36

The legal process required to obtain user data
23andMe takes its users' privacy very seriously and has a range of security measures in place to protect their data. The company will not release any individual-level personal information to law enforcement without explicit consent unless required by law. All law enforcement requests are closely scrutinised, and 23andMe will only comply with court orders, subpoenas, search warrants, or other legally valid requests.
In certain circumstances, 23andMe may be required by law to comply with a valid court order, subpoena, or search warrant for genetic or personal information. In such cases, the company requires a valid legal process to consider producing information about its users. Requests should be made in writing and submitted by certified mail, express courier, or in person. They must be made on law enforcement letterhead and signed by the responsible officer. Even if a request meets these minimum requirements, 23andMe will assess whether it is required by law to comply, considering factors such as the relevance of the requested data and the specificity of the request.
If a 23andMe user authorises the disclosure of their genetic information to law enforcement, the company will disclose only the information specified in the authorisation. 23andMe will not disclose any identifying information about the user's genetic relatives or connections unless those individuals also provide express written consent. The company publishes a Transparency Report detailing all law enforcement requests for user information.
It is important to note that 23andMe does not share customer data with any public databases or entities that may increase the risk of law enforcement access. The company also provides users with robust controls over their genetic data, allowing them to decide how their information is used and shared. Users can download their raw data or delete their accounts at any time through their account settings.
Combining Pre-Med and Pre-Law: Is It Possible?
You may want to see also
Explore related products

The limitations of 23andMe's data for law enforcement
23andMe is a direct-to-consumer genetic testing service that provides individuals with information and tools to learn about their DNA. The company has outlined its commitment to protecting customer data and privacy, resisting requests from law enforcement agencies, and not sharing customer data with public databases or entities that may increase the risk of law enforcement access.
Despite 23andMe's resistance to sharing customer data with law enforcement, there are certain limitations to this protection. Firstly, 23andMe may be required by law to comply with a valid court order, subpoena, or search warrant for genetic or personal information. In such cases, the company will notify the affected individuals before disclosing any information, unless doing so violates the law or a court order. Secondly, while 23andMe does not share customer data with third-party companies, they work with contracted labs that have access to DNA samples and limited user information for processing purposes. This includes the customer's sex and date of birth, as required by the federal Clinical Laboratory Improvement Amendments (CLIA) of 1988.
Another limitation of 23andMe's data protection for law enforcement is the customer's consent. If a user authorizes the disclosure of their genetic information to law enforcement, 23andMe will share the information specified in the authorization. However, the company will not disclose any identifying information about the user's genetic relatives or connections without their express, written consent.
Furthermore, 23andMe publishes a Transparency Report that details all law enforcement requests for user information. This report provides insight into the company's response to such requests and its commitment to protecting customer data. While 23andMe has successfully resisted requests from law enforcement agencies and has not released any customer information to date, the company acknowledges the importance of transparency and keeping customers informed about their data security and privacy.
In conclusion, while 23andMe prioritizes the protection of customer data and privacy, there are certain legal and technical limitations that may allow law enforcement access to genetic information in specific circumstances. These limitations include valid legal orders, customer consent, and the involvement of third-party labs with limited access to user information. Nonetheless, 23andMe remains committed to resisting law enforcement requests and safeguarding customer data.
Who Has Jurisdiction? State vs. Federal Law
You may want to see also
Explore related products

User consent and privacy settings
23andMe takes user consent and privacy seriously. The company has strong security measures in place to ensure that user data is protected and transferred safely. 23andMe will not share individual-level personal information with law enforcement without explicit consent unless required by law. The company closely scrutinizes all law enforcement requests and will only comply with legally valid court orders, subpoenas, search warrants, or other requests.
Users can choose to share their Research Information with 23andMe's research collaborators, but this action cannot be undone, and the data will not be returned. Users can still participate in the research program without sharing their individual-level data. Giving consent involves agreeing to let 23andMe share de-identified individual-level data with approved researchers outside of 23andMe. This data is stripped of information that could directly identify the user, such as their name, date of birth, and address, and is connected to a random code or study ID.
Users can withdraw their consent to share individual-level data at any time through their account settings. It may take up to 30 days for 23andMe to withdraw information after consent is withdrawn. Users can also delete their 23andMe account at any time, which will automatically opt them out of research and discard their sample. This process cannot be canceled or reversed.
Additionally, 23andMe requires a valid legal process to consider producing information about its customers to law enforcement. Requests for information should be made in writing, submitted by certified mail, express courier, or in person, and include specific details about the information being requested and its relevance to the investigation. 23andMe will assess whether it is required by law to comply with the request, considering factors such as personal jurisdiction and the validity of the method of service.
Rate Laws: Non-Integral Possibilities and Their Implications
You may want to see also
Explore related products

23andMe's Transparency Report
23andMe Transparency Report
At 23andMe, we believe that respect for customer privacy and transparency are core principles that guide our approach to responding to law enforcement requests and maintaining customer trust. We are committed to keeping our customers informed and protecting their privacy. To that end, we publish a Transparency Report, which we first released in 2015 and have updated quarterly since then.
The Transparency Report details all law enforcement requests for user information that we receive. As of the last update on February 28, 2025, 23andMe has not received or been notified of any classified requests for user information under the national security laws of the United States or any other country. We have received four requests for user data from law enforcement, impacting five users. We have not disclosed any user information without valid legal process and explicit consent from the user.
We will only comply with court orders, subpoenas, or search warrants that we determine are legally valid. We closely scrutinize all law enforcement requests and are prepared to exhaust available legal remedies to protect customer privacy. Our customers' genetic information will not be shared with law enforcement unless we are required to do so by law or with the user's explicit consent.
To request user account information, law enforcement must submit a written request on law enforcement letterhead, signed by the responsible officer. Requests should include the full name of the account holder, email and/or mailing address, and details about the specific information requested and its relevance to the investigation. We assess whether we are required by law to comply with the request based on various factors, including personal jurisdiction, the validity of the method of service, the relevance of the requested data, and the specificity of the request.
Mother-in-Law Joining Navy Federal: Who Can and How?
You may want to see also
Frequently asked questions
23andMe requires a valid legal process to consider producing information about its customers. If you are a user, you can complete a valid authorization to disclose your genetic information to law enforcement, and 23andMe will disclose the information identified in the authorization. Law enforcement agencies should read 23andMe's Guide for Law Enforcement document prior to contacting the company.
23andMe chooses to use all practical legal and administrative resources to resist requests from law enforcement, and the company does not share customer data with any public databases or entities that may increase the risk of law enforcement access. The company has not released any data to law enforcement to date.
Under the federal Clinical Laboratory Improvement Amendments (CLIA) of 1988, 23andMe is required to provide the laboratory with the customer's sex and date of birth. No other registration information, such as name, address, email, or phone number, is provided. Samples and data are otherwise identifiable only by the unique barcode used to register a saliva collection kit tube.











































