23andMe is updating its TOS to force binding arbitration with a limited opt-out window

In response to the cyberattack, rather than implementing robust security measures, 23andMe has opted for a legal shield, mandating binding arbitration for disputes.

23andMe, the personal genomics and biotechnology company, has been trying to contain a security breach that was first disclosed on October 6th. On October 19th, 23andMe disclosed another security breach by the same hacker who had initially claimed responsibility; this time the hacker said he had access to more than 4 million genetic profile records. And on December 4th, 23andMe confirmed that the breach affected 6.9 million users in total.

The fallout of this disclosure, which started in October, was swift. By October 14th, several individuals had already filed lawsuits against 23andMe for negligence, as Stack Diary reported. Likewise, the general consensus of 23andMe users has been that the company handled the situation very poorly.

To add insult to injury, Stack Diary can reveal that 23andMe is now rolling out an update to its Terms of Service. This change will force its users into binding arbitration, which is a means to resolve disputes (such as a cybersecurity breach leaking your DNA data) outside of court.

In this process, both parties in a disagreement present their cases to an arbitrator, a neutral third party. The arbitrator listens to both sides, reviews the evidence, and makes a decision. The key aspect of binding arbitration is that the arbitrator’s decision is final and legally enforceable, meaning both parties must accept it and cannot appeal to a regular court.

This method is commonly used in various settings, including consumer contracts, employment disputes, and business disagreements, as it is often faster and less formal than going to court.

And that is exactly what 23andMe is trying to accomplish. The updated dispute resolution terms work as follows:

  • Initial Dispute Resolution Period: If you have a problem with 23andMe’s services, you first need to contact their customer care team. This is to try and solve the issue quickly and without legal proceedings. You have to try this informal negotiation for at least 60 days before you can take any further legal action. You need to provide them with a detailed email outlining your issue, including what the dispute is about, when it happened, what you want as a solution, and your contact details. You (and your lawyer, if you have one) will also need to have a discussion with them to try and solve the dispute.
  • Arbitration Instead of Court: If the issue isn’t resolved in those 60 days, the next step is usually not a lawsuit in court, but arbitration. This means a neutral third party (an arbitrator) will listen to both sides and make a decision. The rules of this process are governed by JAMS, a company that provides arbitration services. In some cases, if many people have similar disputes against 23andMe, a different process called Mass Arbitration with another company, NAM, will be used.
  • Arbitrator’s Decision: The arbitrator’s decision is final. They have to follow the law and can give any ruling that a court could.
  • Exceptions to Arbitration: There are a few situations where you or 23andMe can take the issue to court instead of arbitration. This includes things like intellectual property disputes and small claims (minor issues).
  • No Class Actions: You can’t join with other people to bring a class action or collective arbitration against 23andMe. Each dispute is handled individually.
  • Severability: If any part of this dispute resolution section is not legally enforceable, the rest still applies.

In the event of a cybersecurity breach, this means that if you have a dispute with 23andMe about it, you would first try to resolve it with their customer care. If that doesn’t work, you’d generally go to arbitration, not a lawsuit, unless it falls under one of the exceptions. You also can’t join a class action lawsuit for such an issue.

23andMe is beginning to notify its users

23andMe is beginning to inform its users of a modification in their Terms of Service via email. Users are given a 30-day window from when they receive this email to opt out of these new, stringent terms that significantly reduce their rights.

In the email that 23andMe is sending to its users, the “notify us” hyperlink points to “legal@23andme.com” rather than the address listed in the Terms of Service.

The email doesn’t mention that you must email the “arbitrationoptout@23andme.com” address to opt out of forced arbitration, as outlined in the updated Terms of Service, which you can preview here.

30 Day Right to Opt-Out. You have the right to opt-out and not be bound by the arbitration and class action waiver provisions set forth above by sending written notice of your decision to opt-out by emailing us at arbitrationoptout@23andme.com. The notice must be sent within thirty (30) days of your first use of the Service, or the effective date of the first set of Terms containing an Arbitration and Class Action and Class Arbitration Waiver section otherwise you shall be bound to arbitrate disputes in accordance with the terms of those sections. If you opt out of these arbitration provisions, we also will not be bound by them.

It’s unlikely that the intention of the email mix-up is malicious in nature; they would absolutely get destroyed by every privacy organization on the planet if they snuck in a change like that, but I have emailed them to verify the above and will add a response here once I get it.

That said, unless you email this address within 30 days of starting to use the service for the first time, you will automatically be enrolled in this arbitration scheme. Likewise, this affects all users who were affected by the cybersecurity breach, since the terms were changed after the fact. These terms were put in place on November 30, 2023, so more than a week has already passed, and most users might not understand why this is important or relevant.

If you’re unsure as to why arbitration is bad, it’s because it is biased against the consumer. The Stanford Graduate School of Business did an entire study on it; you can read the blog post about it here or view the entire study here.

Here’s an excerpt from the blog post:

Now, a new analysis of almost 9,000 arbitration cases from the securities industry confirms what many have long suspected: The system is biased against consumers — and not just because big companies have more money to spend on lawyers.

When it comes to arbitration, the study finds, companies have a big information advantage in fishing for arbitrators who are likely to rule in their favor.

Making matters worse, the arbitrators themselves know that being pro-company in one case greatly increases their chances of being picked for future cases.

Edmund L. Andrews, Stanford Business

This is merely about 23andMe protecting itself (not you, the consumer) because if a security breach of this scope happens again in the future, it will have some protection against mass user complaints.

How to opt-out (email template)

If you have been affected by the security breach at 23andMe and would like to opt out of the forced arbitration, here is an email template that you can use:

To: legal@23andme.com, customercare@23andme.com, arbitrationoptout@23andme.com
Subject: Request to Opt-Out of Updated TOS

Dear 23andMe Team,

I am contacting you regarding the recent changes to the 23andMe Terms of Service, dated November 30, 2023. My name is [your name as registered with 23andMe], and the email associated with my 23andMe account is [your 23andMe account email].

I hereby formally request to opt out of the newly updated Terms of Service. I do not consent to the terms as outlined in the recent update.

Thank you for processing my request promptly.

Best regards,
[Your Name]

You should also make sure that you save the reply and explicitly ask them to confirm that you opted out. This will be essential if another breach happens in the future, as you will have proof that you’re not bound by this change in their Terms of Service.