FTC Says Unroll.me Deceived Consumers on Access and Use of Information

Published On August 14, 2019 | By Stacey Brandenburg and Marielena Reyes | FTC & State AG, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

The Federal Trade Commission announced a settlement and consent decree with email receipt management company Unroll.me, a subsidiary of Slice Technologies, Inc. Unroll.me offered a service that helped users unsubscribe from unwanted subscription emails and consolidate certain other types of emails into a single daily email. 

The FTC’s allegations included claims that Unroll.me shared detailed personal data and the full contents of certain email communications with its parent company Slice without first obtaining user consent to such sharing. For users who signed up for the service prior to June 2017, Unroll.me falsely represented to those users that their information would not be shared or accessed when, in reality, they were sharing users’ information, including email receipt data. Specifically, the complaint alleges that Unroll.me “failed to disclose, or failed to disclose adequately, that Unroll.me also grants access to its users’ inboxes, including personal emails in the form of e-receipts, which is then used to collect and sell purchase information contained therein to third parties.” After June 2017, it appears that Unroll.me fixed these representations and made adequate disclosures about their data practices.

While Unroll.me had disclosed in its privacy policy that it may collect, use, transfer, sell, and disclose “data from and about [users’] ‘commercial electronic mail messages’ and ‘transactional or relationship messages,’ ” it specifically stated in other user-facing communications that it would “never touch your personal stuff.” The FTC also critiqued Slice’s data storage practices, including its retention of complete, unredacted copies of entire email receipt messages that it had extracted from Unroll.me users until users deleted their account.   

Interestingly, the FTC explained that Slice extracted “anonymous purchase information” from those emails, which it stored separately and used for its market research products. As a result, this could suggest that the FTC considered Slice’s anonymization techniques sufficient for data-sharing if only the initial consent had been better. Commissioner Phillips entered a separate concurring statement in an otherwise unanimous vote noting Google’s recent decision to bar access to email receipts by third parties like Unroll.me. He suggested that Google’s decision may be good for privacy, but bad for consumer choice, as Google now has exclusive access to email receipt data, perhaps giving it an unfair advantage.   

The settlement requires, in addition to standard injunctive relief, that Unroll.me notify those consumers who originally viewed the allegedly deceptive statements. Additionally, Unroll.me must delete all data extracted from emails and the emails themselves for customers who signed up prior to June 2017. The settlement reaffirms the FTC’s emphasis on companies obtaining affirmative, express consent for the collection and use of consumer information.

About The Authors

Stacey advises clients on a wide range of privacy and data security issues. A veteran of the Federal Trade Commission’s Division of Privacy and Identity Protection, Stacey assists clients in responding to FTC investigations involving potential violations of Section 5 of the FTC Act, the FTC’s advertising guidelines, and the Children’s Online Privacy Protection Act (COPPA). She also helps clients respond to investigations by State Attorneys General. Stacey helps clients implement sound security and privacy practices and provides compliance training to employees. Stacey is on the faculty at American University’s Washington College of Law, where she teaches on technology and privacy-related issues.

Prior to joining ZwillGen, Marielena served as a law clerk for NTIA at the Department of Commerce and the Cybersecurity and Communications Reliability Division at the FCC, where she worked with attorneys on issues related to consumer privacy, data protection, 5G deployment, international and domestic compliance issues, and emerging technologies. In addition, Marielena worked for American University’s Gluskko-Samuelson Intellectual Property Law Clinic, where she drafted privacy policies and terms of use agreements for nonprofit organizations and startups.