In general, these are relatively small changes that all genealogists should welcome.
The new California statute, the California Consumer Privacy Act (“CCPA”), gives California residents certain rights that aren’t a whole lot different from rights provided to Europeans under the General Data Protection Regulation (“GDPR”) in effect there.1 They include:
• The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
• The right to delete personal information held by businesses and by extension, a business’s service provider;
• The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
• The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.2
The law is only applicable to a business if it “has gross annual revenues in excess of $25 million,” or “buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices,” or “derives 50 percent or more of annual revenues from selling consumers’ personal information” — so it’s aimed at protecting personal data.3 And a Nevada law in effect as of October 1 bars companies from selling a Nevada consumer’s personal information too.4
Because these are state laws, they only affect residents of those states — but in some cases it’s just easier to make changes for all customers rather than some.
At Ancestry, the revised privacy statement, effective 23 December 2019, begins with an overview of the changes, two of which specifically focus on DNA issues:
Specifically, the most recent changes include:
• The addition of language to comply with the California Consumer Privacy Act (“CCPA”) such as the categories of personal information collected, used and shared.
• The addition of language to the Law Enforcement section to clarify that Ancestry does not allow law enforcement to use Ancestry’s services to investigate crimes or to identify human remains.
• The incorporation of the AncestryHealth Supplemental Privacy Statement into the Ancestry Global Privacy Statement. Note: AncestryHealth is available to US customers only.5
The changes that appear to be due to the new California privacy law include statements like an explicit statement that information collected about a customer can include “communications…, including audio and visual information (such as recordings of calls with Ancestry Member Services or information voluntarily shared when doing consumer insights research)”; “information related to certain protected classifications such as gender or marital status”; and “geolocation information from your device with your permission.” The statement says it may use data about things you click “to infer details about you as a customer (for example subscriber, engaged/occasional user, etc.).”6
There’s no specific reference in the Ancestry privacy statement to the new Nevada law, but there is a blanket representation: Ancestry does not sell your Personal Information.7
Because of the new health-related product, there’s an entire new section on that product that anyone contemplating using it should read carefully since — as the privacy statement notes — it collects “personal and health history information about your family members (‘Family Health History’) which you have voluntarily contributed to your AncestryHealth® account.”8 The intent and design to provide individualized health information and guidance makes it essential that anyone who wants to use this product know exactly what he or she is providing to the company and what it will do with it.
The last big DNA-related change is a clarification: the privacy statement makes it abundantly clear now that the Ancestry DNA service isn’t to be used by law enforcement. The new statement — with new provisions in bold — is: “Ancestry does not voluntarily cooperate with law enforcement. To provide our Users with the greatest protection under the law, we require all government agencies seeking access to Ancestry customers’ data to follow valid legal process and do not allow law enforcement to use Ancestry’s services to investigate crimes or to identify human remains.”9
At 23andMe, the response to the California Consumer Privacy Act was different: instead of incorporating language changes in the privacy statement overall to comply, the company has a separate Privacy Notice for California Residents, effective 1 January 2020.10 As to the Nevada law, it says it doesn’t sell any customers’ personal information under Nevada law.11
There are some universal changes in the overall Privacy Statement, however, that likely were driven by the changes needed to comply with the California law. These include an express statement that it may use “information, data, assumptions, or conclusions that are derived directly or indirectly from another source of Personal Information” and that allowing use of your information or using someone else’s to order personalized merchandise means the information can be used for that purpose, but for that purpose only. The updated provisions also note that 23andMe website doesn’t handle browser controls intended to prevent tracking from one website or web page to another “due to a lack of industry standards.”12
As to law enforcement, the terms have not changed. 23andMe still provides: “We will not provide information to law enforcement or regulatory authorities unless required by law to comply with a valid court order, subpoena, or search warrant for genetic or Personal Information…”13
At MyHeritage, the new privacy statement is dated 31 December 2019, and contains a new section for California residents subject to the California Consumer Privacy Act, and a statement for Nevada residents under the law applicable there that it doesn’t sell personal information.14
The updated policy also has new sections noting expressly that:
• “We collect historical records from various sources, birth, marriage and death certificates, census records, immigration lists, newspapers and other records, which may contain personal information relating to you.”
• “Your communications with other users through the Service’s features, as well as information you provide in communications with our support teams or other representatives, may be collected by us.”
As to law enforcement, the policy has a slight but meaningful change in language. Where it used to say “We will not provide information to law enforcement unless required by a valid court order or subpoena for genetic personal information,” it now deletes the word “personal” and the sentence reads: “We will not provide information to law enforcement unless required by a valid court order or subpoena for genetic information.”16
So… overall… a bit more protection for personal privacy and/or a bit more disclosure of what’s being done with our data. And some new health-related provisions that anyone choosing to do health testing should read carefully first.
Cite/link to this post: Judy G. Russell, “A new year… and new terms,” The Legal Genealogist (https://www.legalgenealogist.com/blog : posted 5 Jan 2020).
- See generally Judy G. Russell, “The GDPR, you & me,” The Legal Genealogist, posted 21 May 2018 (https://www.legalgenealogist.com/blog : accessed 5 Jan 2020). ↩
- See California Consumer Privacy Act (CCPA)FACT SHEET, Office of the Attorney General, State of California (https://oag.ca.gov/ : accessed 5 Jan 2020). ↩
- Ibid. ↩
- See generally Chris Brook, “Nevada Beats California With New Privacy Law,” Digital Guardian, posted 7 Oct 2019 (https://digitalguardian.com/blog/ : accessed 5 Jan 2020). ↩
- “Your Privacy,” Ancestry.com, effective 23 Dec 2019 (https://www.ancestry.com/ : accessed 5 Jan 2020). ↩
- Ibid. ↩
- Ibid., ¶ 7. ↩
- See generally ibid., “AncestryHealth® Supplemental Privacy Statement.” ↩
- Ibid., ¶ 7. ↩
- Privacy Notice for California Residents, 23andMe.com, effective 1 Jan 2020 (https://www.23andme.com/ : accessed 5 Jan 2020). ↩
- See “Full Privacy Statement,” 23andMe.com, effective 1 Jan 2020 (https://www.23andme.com/ : accessed 5 Jan 2020). ↩
- Ibid. ↩
- Ibid. ↩
- Ibid. ↩
- Ibid. ↩