23andMe scrambles to update user terms of use to avoid lawsuits


23andMe, a genetic testing provider, is in trouble – but seeks to avoid more costly inconveniences. The company has modified its Terms of Use to make it harder for it to be sued after the massive theft of its customer data.

As we now know, a threat actor recently attempted to sell 23andMe customer data and, after failing to do so, leaked the data for 1 million Ashkenazi Jews and 4.1 million people living in the United Kingdom.

23andMe soon said it had determined that hackers only accessed around 0.1% of user accounts through their credential stuffing attacks – about 14,000 of them. But this was enough to use the ‘DNA Relatives’ feature and scrape millions of individuals’ data.

ADVERTISEMENT

23andMe confirmed recently that a total of 6.9 million people were impacted by the breach.

Cybersecurity measures were quite obviously lacking at 23andMe. Unsurprisingly, multiple class action claims have already been filed against the company in various American and Canadian states.

Now, 23andMe has quietly modified its Terms of Use to make it harder to sue the company. The update blocks users from suing the firm and forces them into a binding arbitration agreement.

“These terms of service contain a mandatory arbitration of disputes provision that requires the use of arbitration on an individual basis to resolve disputes in certain circumstances, rather than jury trials or class action lawsuits,” reads the updated Terms of Use.

Emails sent to customers about this change state that users have up to 30 days after receiving the email notification to notify 23andMe at [email protected] that they disagree with the new terms.

Those who send an email disputing the update will remain on the previous Terms of Service. In other words, if you don’t explicitly tell 23andMe you disagree with the new terms, you’re locked into them automatically.

Under the company’s previous Terms of Use, users had to agree to private arbitration of disputes and waive their right to file a class action if a dispute arose but could eventually go to the courts for relief if dispute negotiations failed.

“Needless to say, them wanting to pre-empt a class action suit means that most likely there’s way worse revelations yet to come,” an eagle-eyed Mastodon user @thomasfuchs who first saw the update on 23andMe’s website said.

ADVERTISEMENT

However, Nancy Kim, a Chicago-Kent College of Law professor, told Axios this change in the Terms of Use will likely not protect 23andMe from lawsuits because it will be hard for the firm to prove that they gave reasonable notice to opt out of the new terms.


ADVERTISEMENT

Leave a Reply

Your email address will not be published. Required fields are markedmarked