Updated Dec 6, 2023 - Business

23andMe changes terms of service amid legal fallout from data breach

23andMe CEO Anne Wojcicki speaking in Austin, Texas in March 2023. Photo: Jordan Vonderhaar/Bloomberg via Getty Images

Days after a data breach allowed hackers to steal 6.9 million 23andMe users' personal details, the genetic testing company changed its terms of service to prevent customers from formally suing the firm or pursuing class-action lawsuits against it.

Why it matters: It's unclear if 23andMe is attempting to retroactively shield itself from lawsuits alleging it acted negligently.

  • Through a mechanism called acceptance by silence or inaction, 23andMe stipulated that customers must explicitly tell the company they disagree with the new terms within 30 days of being notified of the changes or they will be locked into the terms automatically.

The latest: At least two law firms are pursuing a class action against 23andMe.

  • Canada-based law firms YLaw and KND Complex Litigation have proposed a class-action lawsuit against the company in the Supreme Court of British Columbia.

What they're saying: A 23andMe spokesperson said on Friday the company did not change its terms of service to limit its customers' rights to seek relief in court but to speed up the resolution of disputes.

  • The spokesperson said the new terms allow customers to seek relief in small claims court. They noted that customers also retain the right to opt out of mandatory arbitration by not agreeing with the new terms.
  • The spokesperson did not say whether the company was attempting to protect itself from potential legal fallout stemming from the breach.

The big picture: Small claims courts are generally less formal than traditional courtrooms and handle cases involving claims generally under $10,000, depending on the state court system involved.

  • The new terms only allow customers to seek relief in small claims court if they give the company written notice before an arbitrator has been formally appointed to handle the dispute.

Between the lines: Nancy Kim, a Chicago-Kent College of Law professor who is an expert in online contracts, said if 23andMe was attempting to shield itself from fallout from the data breach, it's unlikely that most courts would uphold such an effort.

  • Kim said updating terms is usually perfectly legal if consumers are given reasonable notice and the option to opt out. But, she added, 23andMe will likely struggle to prove it provided both to its customers.

Context: 23andMe said hackers were able to gain access to personal data of almost half of its customers by forcing their way into around 14,000 unsecured online accounts.

  • However, because those accounts were linked to other users' DNA relatives through a feature offered by the company, hackers were able to access the personal data of other customers.
  • After the attack, hackers published around 1 million data points about users with Ashkenazi Jewish heritage and information about more than 300,000 users with Chinese heritage.
  • The company did not publicly reveal the full extent of the breach until around two months after it occurred.
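The Context section describes the security-relevant mechanism: a relatively small number of compromised accounts exposed data about far more customers because each account's relatives view revealed other people's profiles. The script below is an added example, not 23andMe's code, that models that amplification on a constructed relatives graph and shows how a hypothetical per-relative visibility setting bounds what a compromised account can read. The account names, profile fields, graph and the `visibility` setting are all assumptions for illustration; the article gives only the aggregate figures.

```python
"""Blast-radius model for a linked-data feature (added example, not 23andMe's code).

Models the amplification described in the article: an attacker who controls a
few accounts can read data on everyone those accounts are linked to. The graph,
field names and visibility setting below are constructed sample data.
"""
from collections import deque

# Constructed sample: each account lists the relatives its "relatives" view exposes.
RELATIVES = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "erin"},
    "carol": {"alice", "frank", "grace"},
    "dave": {"alice"},
    "erin": {"bob", "heidi"},
    "frank": {"carol"},
    "grace": {"carol", "ivan"},
    "heidi": {"erin"},
    "ivan": {"grace"},
    "judy": set(),  # opted out of the feature: nobody sees judy, judy sees nobody
}

# Hypothetical per-relative profile fields, ordered from least to most sensitive.
PROFILE_FIELDS = (
    "display_name",
    "relationship_estimate",
    "shared_dna_pct",
    "ancestry_report",
    "birth_year",
)


def exposed_accounts(compromised, relatives=RELATIVES, hops=1):
    """Return the set of accounts whose profile data becomes readable.

    hops=1 models the article's scenario: an attacker logged into a compromised
    account sees that account plus whatever its relatives view lists. A larger
    hop count models a feature that lets a user browse relatives-of-relatives.
    """
    exposed = set(compromised)
    frontier = deque((acct, 0) for acct in compromised)
    while frontier:
        acct, depth = frontier.popleft()
        if depth >= hops:
            continue
        for rel in relatives.get(acct, ()):
            if rel not in exposed:
                exposed.add(rel)
                frontier.append((rel, depth + 1))
    return exposed


def amplification(compromised, relatives=RELATIVES, hops=1):
    """Accounts exposed per directly compromised account (0.0 if none compromised)."""
    if not compromised:
        return 0.0
    return len(exposed_accounts(compromised, relatives, hops)) / len(compromised)


def exposed_fields(compromised, visibility, relatives=RELATIVES):
    """Map each exposed account to the tuple of fields an attacker could read.

    `visibility` is the number of PROFILE_FIELDS the relatives view shows for a
    relative (a hypothetical product setting). A compromised account's own
    profile is fully readable regardless of the setting.
    """
    leaked = {}
    for acct in compromised:
        leaked[acct] = PROFILE_FIELDS
        for rel in relatives.get(acct, ()):
            if rel not in compromised:
                leaked[rel] = PROFILE_FIELDS[:visibility]
    return leaked


if __name__ == "__main__":
    compromised = {"alice", "erin"}
    exposed = exposed_accounts(compromised)
    print(f"{len(compromised)} compromised accounts expose {len(exposed)}: {sorted(exposed)}")
    print(f"amplification factor: {amplification(compromised):.1f}x")
    for scope in (1, len(PROFILE_FIELDS)):
        total = sum(len(f) for f in exposed_fields(compromised, scope).values())
        print(f"visibility={scope}: {total} field values readable")
```

On the constructed graph, two compromised accounts expose six, a 3x amplification at one hop; allowing relatives-of-relatives browsing (`hops=2`) raises that to eight, while an account that opted out of the feature is never reached. The `exposed_fields` comparison shows the defensive lever: the feature's per-relative visibility scope, not the number of compromised accounts, determines how much each linked profile leaks.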

How it works: The company's terms of service include a "mandatory arbitration" clause, which strips the rights of parties alleging harm to seek damages in court.

  • The clause forces the potentially wronged party to resolve disputes before an arbitrator. Arbitrators are not required to follow legal precedent or rules of legal procedure, such as rules regarding admissible evidence.
  • Dispute negotiations are also conducted in private, meaning no records or awards are available for public review.

Zoom in: Under the company's previous terms of service, users had to agree to private arbitration of disputes and waive their right to file a class action if a dispute arose but could eventually go to the courts for relief if dispute negotiations failed.

  • In the new terms, the court stipulation was removed, essentially eliminating the ability for 23andMe customers to sue the company in a formal court of law.

Such mandatory arbitration arrangements have been criticized by legal scholars as being deceptive, as they are often buried in the fine print of contracts.

  • Professors from the Stanford Graduate School of Business found in an analysis of thousands of arbitration cases that the arrangements are overwhelmingly biased against customers, as companies hold financial advantages over them.

Of note: In emails notifying customers of the terms of service change, the company has said people are able to opt out if they email "[email protected]" within 30 days of receiving the notice.

Zoom out: Before the attack occurred, 23andMe recommended that customers protect their accounts using two-factor authentication, a widely used security measure. Afterwards, the company made two-factor authentication mandatory.

  • Kim described 23andMe's lack of two-factor authentication on its platform as negligent, saying "I don't think it's reasonable to not have two-factor [authentication] given the information that they have."

Go deeper: New York's hospital cybersecurity rules could spur similar mandates

Editor's note: This article has been updated to reflect additional comments from 23andMe.