After hack, 23andMe gives users 30 days to opt out of class-action waiver

Shortly after 23andMe confirmed that hackers stole ancestry data of 6.9 million users, 23andMe has updated its terms of service, seemingly cutting off a path previously granted to users seeking public accountability when resolving disputes.

According to a post on Hacker News, the "23andMe Team" notified users in an email that "important updates were made to the Dispute Resolution and Arbitration section" of 23andMe's terms of service on November 30. This was done, 23andMe told users, "to include procedures that will encourage a prompt resolution of any disputes and to streamline arbitration proceedings where multiple similar claims are filed."

In the email, 23andMe told users that they had 30 days to notify the ancestry site that they disagree with the new terms. Otherwise, 23andMe users "will be deemed to have agreed to the new terms." The process for opting out is detailed in the site's terms of service, instructing users to send written notice of their decision to opt out in an email to arbitrationoptout@23andme.com.

It is not necessarily obvious to users exactly what has changed in the dispute resolution and arbitration section of the ToS. Some users may recall that 23andMe had previously required users to agree to arbitration, but recent changes seem to have removed users' previously acknowledged right to seek public injunctive relief for any irreparable harm. That seems significant since 23andMe's update comes when millions of 23andMe users feel vulnerable following a cyberattack that leaked a million data points, Wired reported.

As some users may be contemplating opting out, Ars compared current and archived versions of 23andMe's ToS to get a better understanding of what has changed.

Before the November 30 update, 23andMe's ToS was seemingly last updated on October 4, according to an Internet Archive screenshot from November 27.

That older version of the ToS required users to agree that a neutral arbitrator—"not any federal, state or local court or agency"—had "exclusive authority to resolve all disputes" over the ToS. Users also had to agree to understanding that "absent this mandatory provision," they "would have the right to sue in court and have a jury trial." The only exceptions allow for litigation in court over disputes involving intellectual property and trade secrets, small claims, and provisional remedies, like a preliminary injunction.

The older ToS also required users to waive rights to a class action, asking users to agree that "any arbitration shall be conducted in our respective individual capacities only and not as a class action, and you and we each expressly waive our respective right to file a class action or seek relief on a class basis." But the previous version also included a now-omitted stipulation that following arbitration, 23andMe users could turn to a federal or state court to "adjudicate the party’s claim or prayer for 'public injunctive relief.'"

This language has now been updated, drastically cut down, and positioned much more prominently. Standing out from the rest of the ToS as the only text written in all caps, the class action waiver now says:

TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW, YOU AND WE AGREE THAT EACH PARTY MAY BRING DISPUTES AGAINST THE OTHER PARTY ONLY IN AN INDIVIDUAL CAPACITY, AND NOT AS A CLASS ACTION OR COLLECTIVE ACTION OR CLASS ARBITRATION.

Although 23andMe told users in its email that changes were made to encourage "prompt" resolution, another seemingly major change to the ToS is a new 60-day "initial dispute resolution period" that could drag out the dispute resolution process. During this initial period, 23andMe users agree to delay any litigation or arbitration until a mandatory "informal dispute resolution process" concludes.

The updated terms also explain a new process for mass arbitration. This requires that "if 25 or more demands for arbitration are filed relating to the same or similar subject matter and sharing common issues of law or fact, and counsel for the parties submitting the demands are the same or coordinated," this "will constitute a 'Mass Arbitration.'" Any mass arbitration dispute will be settled by the National Arbitration and Mediation, "a nationally recognized arbitration provider."

As 23andMe seeks to move on from the hack, mass arbitration would likely be the least expensive, most private path, as arbitration happens behind closed doors rather than a public courtroom.

23andMe did not immediately respond to Ars' request to comment.