FTC settles with Unroll.me over allegedly duping users over email data collection, sale

The agency claimed that users were falsely told Unroll.me would not “touch” personal information contained in emails.

What happens after a data breach in a major company? Nothing good, says Wall Street

The US Federal Trade Commission (FTC) and Unroll.me have finalized a settlement to lay to rest allegations of consumer deception in how email information was collected and sold. 

Unroll.me is an email management company that markets itself as a means to declutter your inbox. Users can sign in and permit the service to scan their inboxes for the presence of mailing lists which can be automatically unsubscribed from. (Individuals in the EU are unable to sign up due to GDPR restrictions.)

Handing over the keys to your email kingdom can be a daunting prospect and so when it comes to privacy and data use, the company says that sensitive information is encrypted and personal, private messages are of no interest. 

On Tuesday, the US watchdog said "some consumers [were decieved] about how it [Unroll.me] accesses and uses their email," claiming that Unroll.me "falsely told consumers that it would not "touch" their personal emails in order to persuade consumers to provide access to their email accounts."

Back in 2017, the email cleanup service was embroiled in a scandal after it was discovered that user information was being sold to Uber. Unroll.me handed over data harvested from user email accounts to parent company Slice Technologies, which then sold on anonymized data based on emailed Lyft receipts to its rival, a valuable data source that could be used to measure Uber's competition. 

See also: When one isn't enough: This shady malware will infect your PC with dual Trojans

During the backlash, some users revoked Unroll.me access -- however, the FTC is interested in a broader timeframe, from November 2015 through at least September 2018, in which Unroll.me allegedly misrepresented its services to lure users back to the fold. 

According to the FTC, "the company tried to persuade these consumers to reconsider by making false and deceptive statements."

This included emails sent to users declining to give Unroll.me access saying, "you need to authorize us to access your emails. Don't worry, this is just to watch for those pesky newsletters, we'll never touch your personal stuff," and "Oops! Looks like you declined access [...] Unroll.Me requires access to your inbox so we can scan for subscriptions and allow you to begin clearing out your inbox."

"The message did not tell users that access to their inboxes would also be used to collect e-receipts and to sell the purchase information they contain," the agency added. "The complaint alleges that thousands of consumers changed their minds and signed up for Unroll.me in response to these assurances."

The e-receipts in question may have contained names, billing and shipping addresses, as well as information relating to purchases. 

CNET: Database exposes names of risky potential bank customers

As part of the settlement, Unroll.me must ensure it remains transparent in informing users of how their data is collected, used, stored, and shared, and recipients of the previous "allegedly deceptive statements" must be notified specifically concerning the e-receipts. 

In addition, the company must delete the e-receipts previously gathered from these users from both its systems and Slice's, unless consent is obtained from users to keep them. 

"What companies say about privacy matters to consumers," said Andrew Smith, Director of the FTC's Bureau of Consumer Protection. "It is unacceptable for companies to make false statements about whether they collect information from personal emails."

The FTC will publish a description of the consent agreement package in the Federal Register in the coming days to gather public comment. 

TechRepublic: Ellen DeGeneres, Lisa Kudrow, Facebook, and Google named worst password offenders of 2019

At the time of writing, Unroll.me's privacy page says that users can expect for basic information to be collected during setup and transactional data will be shared with Rakuten Intelligence to anonymize data points. This information, once "de-identified and processed," may be sold to companies "that want to learn more about their business, their markets, or their competitors."

ZDNet has reached out to Unroll.me but has not heard back at the time of publication. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0