Businesses IT

23andMe Moves To Thwart Class-Action Lawsuits by Quietly Updating Terms (pcmag.com) 45

Following a hack that potentially ensnared 6.9 million of its users, 23andMe has updated its terms of service to make it more difficult for you to take the DNA testing kit company to court, and you only have 30 days to opt out. From a report: In a filing with the US Securities and Exchange Commission last week, 23andMe said hackers accessed around 14,000 customer accounts earlier this year by trying login-password combinations exposed in unrelated breaches. It later said hackers had access to 6.9 million accounts due to the interconnected nature of its DNA Relatives feature.

23andMe has since updated its terms of service in a way that changes how the company resolves disputes with users. Customers were informed via email that "important updates were made to the Dispute Resolution and Arbitration section" on Nov. 30 "to include procedures that will encourage a prompt resolution of any disputes and to streamline arbitration proceedings where multiple similar claims are filed." Customers have 30 days to let the site know if they disagree with the terms. If they don't reach out via email to opt out, the company will consider their silence an agreement to the new terms.

This discussion has been archived. No new comments can be posted.

  • Can't touch us, we're grownups and stuff. Professional business things mean all your thing belong to us and whatever your thing is, well (sucking teeth) buyer beware right? So later! Got this train to catch. Dusk is falling.
    • by Anonymous Coward
      If their contract-manipulation is legal, can a user do the same to them?

      Can I just slap

      Here are my changes to my contract with 23andMe.

      [whatever I want]

      If they don't respond in 30 days, it means they agree

      on my own website, and suddenly they're bound to it?

    • by shmlco ( 594907 )

      "I have altered the terms of our agreement. Pray...."

      Yeah, you know the rest.

    • by Z00L00K ( 682162 )

      Changing the terms after they have been agreed upon should be prohibited unless there's a legal requirement from a court to change the terms post agreement.

  • by Opportunist ( 166417 ) on Friday December 08, 2023 @11:48AM (#64066617)

    Consumer protection sucks in the US.

    • by Anonymous Coward
      In the EU you could sign the new T&C and still sue as you can't restrict fundamental rights in this way.
    • It's not, really.

      It is a scare tactic. If they can make you think that you agreed, then you won't actually take them to court...

      Most contracts these days have unenforceable clauses that exist only to fool people into capitulation.

    • I know! Can you believe it?!

      --eyes unfocus and drift apart--
      What? Wanna get some beers?

  • by mrobinso ( 456353 ) on Friday December 08, 2023 @11:48AM (#64066619) Homepage

    Any ambulance chaser will make short work of that slimeball move.
    If anything, the stunt will make things worse.
    How droll.

    • Back during the Bush Junior presidency several laws were changed around arbitration. I think Donald Trump's presidency snuck a few more in too. Also the courts have been heavily heavily stacked with pro-corporate judges for the last 40 years. It was part of a major initiative spearheaded by the right-wing Heritage Foundation.

      It's possible a lawyer might give a few million dollars out of this mess so that the whole thing can be declared complete and that no one else can claim any injury. But so much has c
  • But how long till they won't let you use the site until you agree?

    • Shrink wrap licenses and contracts are pretty much crap in an American court.

      The user doesn't have a lawyer to represent them and is not on equal footing with the company which violates very basic contract law in this country.

      Just because some ex-Google assholes do something doesn't mean it's legal or they'll get away with it.

  • by Shag ( 3737 ) on Friday December 08, 2023 @12:04PM (#64066659) Journal

    Mention 23andme's shenanigans to your friendly local State Attorney General.
    Mention 23andme's shenanigans to your friendly local TV News investigative / problem-solving reporter.
    Both of these people would probably find the shenanigans extremely interesting.
    And "all publicity is good publicity" for 23andme, right?

  • Next time the product, er I mean customers won't have as many protection rights.
  • by bill_mcgonigle ( 4333 ) * on Friday December 08, 2023 @12:10PM (#64066671) Homepage Journal

    If you're a customer the terms you agreed to when you sent them your genetic information should govern their data protection responsibilities.

    Maybe their online service is something else but good luck convincing a judge that contracts are meaningless.

    Unless it's true that they're an Intelligence cut-out meant to replace the Theranos disaster, then they'll find procedural grounds to dismiss claims.

    • by sinij ( 911942 )

      Unless it's true that they're an Intelligence cut-out ... then they'll find procedural grounds to dismiss claims.

      You make it sound like there are still some doubts about this...

  • I never trusted a company with my genetic info in the first place regardless of any terms. There is no compelling reason to do so.

    • There is no compelling reason to do so.

      The compelling reason is when you need the analysis, such as predicting your responsiveness and sensitivity to certain classes of drugs that you need to take (cancer/cardiology/etc.); predicting your likeliness to get certain non-transmittable diseases later in life; pre-natal (genetic compatibility between a couple; potential genetic defects of fetus using cells collected from wife's blood).

    • by MDMurphy ( 208495 ) on Friday December 08, 2023 @04:43PM (#64067265)
      I have multiple relatives who sent their DNA to these guys. Because of what you can infer from relatives' DNA my privacy was already compromised just from their normal practices. Now with the data breach, my privacy is additionally compromised.

      I never agreed to any arbitration with them. So I can still sue?
  • by TomGreenhaw ( 929233 ) on Friday December 08, 2023 @12:24PM (#64066709)
    I sent an email asking if my private data was divulged without my consent. The next day, I got this ominous legal notification. I still don't know what if anything about me and my DNA is now public knowledge.

    I found another article that if you want to opt out of the change to the terms of service, you must send an email to arbitrationoptout@23andme.com which isn't really clearly stated anywhere.

    One would think that a company that stores personal health information, strictly governed by US federal law, would do a better job handling what is unfortunately commonplace. For all I know they are innocent of any incompetence or wrongdoing, but when they lawyer up like this it leads me to think that this is an unmitigated disaster.
  • I don't really care they changed the terms and conditions, but don't users have to opt-in, after such a change? Until a user clicks an "Accept" or "Ok" button on the new terms, I'm surprised they can go into effect, and if a user doesn't accept them then what?
  • They can basically screw people over and there is no way to engage the company. I think this needs to change, I once lost 400$ through a major corporation because of inept customer service reps and there was no way for me to get that money back. I'm sure you could lose a lot more through 23andme if someone got a hold of your data.
  • I'm not a 23andMe customer, so I don't have a dog in the fight... but a part of me really wants someone with standing to wait until after the 30 days have passed and then proceed to sue them, if for no other reason than to establish a legal precedent on these idiotic forced opt-out manipulations being non-enforceable. The only contract that should even have a chance of being binding under law is one that has been actively agreed upon by both parties at the time that the contract was initiated. One party att

    • by HiThere ( 15173 )

      It won't be a precedent unless it goes to an appellate court. That won't happen. If you lose, you won't be able to afford the cost, and if you win, they'll cut their losses.

  • by haggie ( 957598 ) on Friday December 08, 2023 @01:59PM (#64066939)

    Considering that my DNA might have been revealed through a relative submitting theirs and then having the data hacked, and I'm not a customer, I have a legal claim of damages and I am not limited by the arbitration clause of the terms of service.

    • I have quite a few foolish relatives who have gladly sent DNA and family information to these guys and ancestry. So yes, I'm affected too. So the 6 million and climbing number of people hacked is really a drop in the bucket.

      Usually hacking of a relative's financial information doesn't affect you, but DNA can. By that measure, this is potentially the data breach with the greatest impact of all time.
  • ...and has later repercussions for their customers, shouldn't the ToS active at the time of the initial event be what is considered in play regardless of later changes?
  • For purposes of class action suits, what matters is the TOS that were in effect when the breach occurred.

    • by HiThere ( 15173 )

      Can you prove what that TOS was? If there've been multiple changes, does each one require a separate class action?

      They should be able to prove what the TOS was, but can you?

      Actually, it's my opinion that the TOS should not be enforceable. I.e., it should be a shield, but far from a perfect shield, and that it should not be a weapon. It's almost never the case that there is a "meeting of minds" about what the TOS means, so it's not a contract in the traditional sense.

      • In the discovery process, the court would require disclosure of the terms of service at the time specified by the judge. The company would be required to do this under penalty of perjury. I have no doubt there are plenty of ways to come up with a reliable record of previous TOS versions.

        I agree with you that many TOS provisions shouldn't be enforceable, though that shouldn't be absolute. For example, it seems logical to ask customers not to share logins with others, or to share other people's private data w

  • 30 Day Right to Opt-Out. You have the right to opt-out and not be bound by the arbitration and class action waiver provisions set forth above by sending written notice of your decision to opt-out by emailing us at arbitrationoptout@23andme.com. The notice must be sent within thirty (30) days of your first use of the Service, or the effective date of the first set of Terms containing an Arbitration and Class Action and Class Arbitration Waiver section otherwise you shall be bound to arbitrate disputes in acc
  • Customers were informed via email that "important updates were made to the Dispute Resolution and Arbitration section"

    Yeah, but if your account was hacked, you might never receive the email, which means it might as well have never been sent.
