23andMe Updates Terms of Service to Prevent Class Action Lawsuits
23andMe has updated its terms and conditions in an attempt to prevent its customers from joining class action lawsuits following a massive data breach that affected 6.9 million of its customers. In October 2023, a collection of data that was allegedly stolen from 23andMe was uploaded to a dark web forum. The dataset contained information on around 1 million Ashkenazi Jews and 100,000 individuals of Chinese descent. A couple of weeks later, the hacker advertised a further dataset that contained the information of a further 4.1 million individuals.
23andMe investigated and determined that approximately 14,000 accounts were compromised in a credential stuffing attack, which was made possible by password reuse by those customers. The compromised accounts were used to access the ancestry data of 6.9 million users through the DNA Relatives feature (5.5 million users) and the Family Tree feature (1.4 million users). Per its financial reports, 23andMe has around 14 million customers, which means almost half were affected by the data breach. 23andMe maintains that there was no breach of its systems.
Several lawsuits have already been filed against 23andMe over the data breach. One such lawsuit was filed in the Supreme Court in British Columbia with the lead plaintiff claiming that his personal data was stolen and listed for sale on the dark web. The lawsuit alleges 23andMe engaged in “willful, knowing or reckless conduct” by failing to implement and maintain proper data retention and data protection practices. The lawsuit seeks monetary damages, including the price that affected customers paid for 23andMe’s services. Thousands of Canadians have already added their names to the class action lawsuit. Another lawsuit was filed in California that alleges negligence, invasion of privacy, unjust enrichment, and breach of implied contract. The plaintiffs claim that 23andMe implemented inadequate safeguards to protect sensitive user data, did not do enough to prevent intrusions, and did not provide adequate training to staff.
In response, 23andMe has updated its terms of service to force its customers into binding arbitration, which requires all disputes to be resolved out of court. The updated terms prohibit customers from joining class action lawsuits against the company. The terms of service apply to all new customers, but also to all existing customers unless they opt out. 23andMe emailed its customers on November 30, 2023, about the update to its terms of service and gave them 30 days to opt out. If they do not opt out, they will be assumed to have agreed to the new terms of service. Customers hoping to join a class action over the recent data breach must opt out of the new terms of service by December 30, 2023.
The change, which is now prominently displayed in its terms of service in full caps, states, “TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, YOU AND WE AGREE THAT EACH PARTY MAY BRING DISPUTES AGAINST THE OTHER PARTY ONLY IN AN INDIVIDUAL CAPACITY, AND NOT AS A CLASS ACTION OR COLLECTIVE ACTION OR CLASS ARBITRATION.”
The new terms of service mean cases must be arbitrated by a neutral third-party arbitrator, who would decide on the validity of each case. Any decision made by the arbitrator is legally binding, must be accepted by both parties, and cannot be appealed. Since arbitration requires cases to be dealt with on an individual basis, it takes away the power of a group. The new terms and conditions are likely to reduce the number of individuals eligible to participate in class action lawsuits and will thus limit the costs for 23andMe should those lawsuits prove successful.
Arbitration is generally a faster process that could see any payments or refunds issued much more rapidly than a class action. 23andMe explained that the new terms of service will encourage prompt resolution; however, they also include a new 60-day initial dispute resolution period, during which both parties agree to delay arbitration. While the new terms of service will help to prevent class action lawsuits, they do permit mass arbitration. If 25 or more customers issue similar demands for arbitration based on the same or similar subject matter, or if they share common issues of law or fact, they can be dealt with through mass arbitration. In such cases, mass arbitration would be handled by National Arbitration and Mediation (NAM), a nationally recognized provider of alternative dispute resolution services.


