23andMe admitted it lost 6.9 million users’ DNA in a hack, after initially reporting only 14,000 users were affected. If you’ve used 23andMe, there’s basically a coin-flip chance that your data was exposed. The company, however, updated its terms of service last week to change the ways customers can take legal action against it.
‘Even AI Rappers are Harassed by Police’ | AI Unlocked
For years, 23andMe’s terms of service had forced users into “binding arbitration.” That means you agree to give up your right to sue the company when you join its platform. Instead, your only option if you have a problem is to appeal to a third party who makes a final, legally binding decision about your complaint. The arbitration process is often friendlier to corporations than it is to individuals. And now, thanks to new details in 23andMe’s terms of service, your rights under the arbitration process are limited in a new way—one that seems tailored to address the company’s recent data breach disaster.
Now, if more than 25 people have the same complaint about 23andMe (for example, the 6.9 million people affected by the hackers), they can no longer go through the arbitration process individually, thanks to a new “mass arbitration” process.
“We have not limited our customers’ rights to seek relief,” a 23andMe spokesperson told Gizmodo, adding that the “updated terms of service allow for this to be determined by the arbitrator, which provides for a faster resolution.”
Whether a faster resolution also means a fair resolution for hacked customers is another matter; the arbitration process is hidden from the public and tends to benefit companies over customers and workers, compared to class-action lawsuits.
Customers who opted into the company’s DNA Relative feature seem to have had information about their name, birth year, ancestry reports, DNA makeup, family members, and location exposed. The future implications of this breach are hard to predict, but experts told Gizmodo that the impacts could be disturbing.
You have a little bit of time to preserve the meager rights 23andMe is giving you, but you have to act soon. You can opt out of the new arbitration provision by emailing firstname.lastname@example.org by January 4, which is 30 days from when the company notified customers via email about the terms of service update.
Correction: A previous version of this article incorrectly stated that 23andMe introduced binding arbitration to its terms of service. In fact, it amended the existing policy to include mass arbitration. Additionally, this article stated that customers have until December 30 to opt out; the correct date is January 4.