FTC Says Unroll.me Deceived Consumers on Access and Use of Information
The Federal Trade Commission announced a settlement and consent decree with email receipt management company Unroll.me, a subsidiary of Slice Technologies, Inc. Unroll.me offered a service that helped users unsubscribe from unwanted subscription emails and consolidate certain other types of emails into a single daily email.
The FTC’s allegations included claims that Unroll.me shared detailed personal data and the full contents of certain email communications with its parent company Slice without first obtaining user consent to such sharing. For users who signed up for the service prior to June 2017, Unroll.me falsely represented to those users that their information would not be shared or accessed when, in reality, they were sharing users’ information, including email receipt data. Specifically, the complaint alleges that Unroll.me “failed to disclose, or failed to disclose adequately, that Unroll.me also grants access to its users’ inboxes, including personal emails in the form of e-receipts, which is then used to collect and sell purchase information contained therein to third parties.” After June 2017, it appears that Unroll.me fixed these representations and made adequate disclosures about their data practices.
Interestingly, the FTC explained that Slice extracted “anonymous purchase information” from those emails, which it stored separately and used for its market research products. As a result, this could suggest that the FTC considered Slice’s anonymization techniques sufficient for data-sharing if only the initial consent had been better. Commissioner Phillips entered a separate concurring statement in an otherwise unanimous vote noting Google’s recent decision to bar access to email receipts by third parties like Unroll.me. He suggested that Google’s decision may be good for privacy, but bad for consumer choice, as Google now has exclusive access to email receipt data, perhaps giving it an unfair advantage.
The settlement requires, in addition to standard injunctive relief, that Unroll.me notify those consumers who originally viewed the allegedly deceptive statements. Additionally, Unroll.me must delete all data extracted from emails and the emails themselves for customers who signed up prior to June 2017. The settlement reaffirms the FTC’s emphasis on companies obtaining affirmative, express consent for the collection and use of consumer information.