FTC Says Unroll.me Deceived Consumers on Access and Use of Information

The Federal Trade Commission announced a settlement and consent decree with email receipt management company Unroll.me, a subsidiary of Slice Technologies, Inc. Unroll.me offered a service that helped users unsubscribe from unwanted subscription emails and consolidate certain other types of emails into a single daily email. 

The FTC’s allegations included claims that Unroll.me shared detailed personal data and the full contents of certain email communications with its parent company Slice without first obtaining user consent to such sharing. For users who signed up for the service prior to June 2017, Unroll.me falsely represented to those users that their information would not be shared or accessed when, in reality, they were sharing users’ information, including email receipt data. Specifically, the complaint alleges that Unroll.me “failed to disclose, or failed to disclose adequately, that Unroll.me also grants access to its users’ inboxes, including personal emails in the form of e-receipts, which is then used to collect and sell purchase information contained therein to third parties.” After June 2017, it appears that Unroll.me fixed these representations and made adequate disclosures about their data practices.

While Unroll.me had disclosed in its privacy policy that it may collect, use, transfer, sell, and disclose “data from and about [users’] ‘commercial electronic mail messages’ and ‘transactional or relationship messages,’ ” it specifically stated in other user-facing communications that it would “never touch your personal stuff.” The FTC also critiqued Slice’s data storage practices, including its retention of complete, unredacted copies of entire email receipt messages that it had extracted from Unroll.me users until users deleted their account.   

Interestingly, the FTC explained that Slice extracted “anonymous purchase information” from those emails, which it stored separately and used for its market research products. As a result, this could suggest that the FTC considered Slice’s anonymization techniques sufficient for data-sharing if only the initial consent had been better. Commissioner Phillips entered a separate concurring statement in an otherwise unanimous vote noting Google’s recent decision to bar access to email receipts by third parties like Unroll.me. He suggested that Google’s decision may be good for privacy, but bad for consumer choice, as Google now has exclusive access to email receipt data, perhaps giving it an unfair advantage.   

The settlement requires, in addition to standard injunctive relief, that Unroll.me notify those consumers who originally viewed the allegedly deceptive statements. Additionally, Unroll.me must delete all data extracted from emails and the emails themselves for customers who signed up prior to June 2017. The settlement reaffirms the FTC’s emphasis on companies obtaining affirmative, express consent for the collection and use of consumer information.

The post FTC Says Unroll.me Deceived Consumers on Access and Use of Information appeared first on Law Across the Wire and Into the Cloud.

*** This is a Security Bloggers Network syndicated blog from Law Across the Wire and Into the Cloud authored by Stacey Brandenburg. Read the original post at: https://blog.zwillgen.com/2019/08/14/ftc-says-unrollme-deceived-consumers-access-use-information/