Two days before 23andMe revealed that hackers had gained access to the personal and genetic data of nearly 7 million customers, the genetic testing company updated its terms of service. The changes, according to lawyers specializing in representing victims of data breaches and the arbitration process, are designed to make it harder for victims to join together in filing a legal claim against the company. The lawyers described the changes to 23andMe’s terms of service with their customers as “cynical,” “self-serving,” and “a desperate attempt” to protect the company and deter customers from exercising their legal rights following the breach of customer data. The lawyers noted that the new terms of service essentially prohibit 23andMe customers from joining forces in a mandatory arbitration process.
The forced arbitration process that 23andMe utilizes has received criticism from legal experts who believe it unfairly favors corporations. The new terms of service also compel customers to try to negotiate a dispute for 60 days before filing an arbitration demand. Critics argue that the changes make forced arbitration even more burdensome and difficult for consumers.
23andMe spokesperson Andy Kill defended the recent revisions to the company’s terms of service, stating that the changes provide more details and clarity around the arbitration process and make arbitration more efficient for customers when multiple similar claims are filed. However, some customers have emailed the company requesting to opt out of the new terms of service but have not yet received a response.
The company gave customers 30 days to reject the new terms of service. Despite the exclusion of class action lawsuits in the terms of service, victims have already filed class action lawsuits against 23andMe in the U.S. and Canada. It remains to be seen how these legal challenges will play out as 23andMe continues to face scrutiny over its handling of the data breach.