FTC Unrolls Settlement Over Privacy Violations

Advertising Law

The Federal Trade Commission (FTC) reached a deal with email management company Unroll.Me Inc. after the agency alleged that the company tricked consumers about how their personal emails were accessed and used.

Beginning in June 2012, Unroll.Me offered its services to consumers through its website, to which it added apps in November 2015 and October 2017. The company provided two services to consumers to help them manage subscription emails, such as newsletters or marketing emails from retailers: first, helping users unsubscribe from unwanted missives, and second, consolidating subscription emails into one daily message called the “Rollup” to minimize inbox clutter.

During the sign-up process, Unroll.Me asked consumers to grant the company full access to the email accounts they wished to enroll in its services, which allowed it to access and scan users’ inboxes for subscription emails and to provide its services. In turn, it provided its parent company, Slice, a market research company, with access to the inboxes.

If users declined to grant Unroll.Me access, the company tried to persuade them to reconsider with false and deceptive statements, the FTC alleged, including, “It looks like you clicked No thanks. In order to use Unroll.Me, you need to tell Google to allow us to monitor your emails. Don’t worry, we won’t touch your personal stuff.” and “In order to use Unroll.Me, you need to authorize us to access your emails. Don’t worry, this is just to watch for those pesky newsletters, we’ll never touch your personal stuff.”

Unroll.Me’s data collection practices with respect to users’ email accounts were material to users’ decision whether to use the company’s services, the FTC said. “Over 20,000 consumers changed their minds and decided to complete the sign-up process after viewing the messages,” according to the agency’s complaint.

Although it represented it would not “touch” users’ personal emails, Unroll.Me did just that, the FTC said, by providing the information to Slice. Slice collected and sold user information that it gathered from email receipts (e-receipts) from businesses following consumer orders or purchases, which it stored until a consumer deleted his or her Unroll.Me account. E-receipts are emails sent to consumers following a completed transaction and can include, among other things, the user’s name, billing and shipping addresses, and information about products or services purchased by the consumer.

Slice did not remove any personal or sensitive information from the body of the e-receipt, according to the FTC’s administrative complaint. To settle the charges of violations of Section 5(a) of the FTC Act, Unroll.Me agreed to a consent order with the agency. While the company neither admitted nor denied any of the allegations, it promised not to misrepresent in any manner the degree to which it accesses, collects, uses, stores or shares the personal information found in user emails.

Unroll.Me must notify all users about its email access, and the company will have ten days from the entry of the order to delete all stored e-receipts and any other information or content obtained from those receipts unless it obtains affirmative, express consent from the user to maintain the e-receipt.

To read the complaint and the consent order in In re Unrollme, Inc., click here.

Why it matters: It cannot be emphasized enough that companies need to regularly audit their data privacy and security practices and describe them accurately when crafting privacy policies and advertising statements about their data collection and processing practices. Many companies have gotten in trouble for posting inaccurate statements about their data collection practices or posting a privacy policy that does not truly reflect their information practices, which results in the company saying one thing and doing another: classic false or misleading behavior. That trouble has come from the FTC (under its deception authority pursuant to Section 5 of the FTC Act), state attorneys general (under state consumer protection statutes), third-party watchdog groups (who attract media attention and refer problem cases to the government) and private litigants (using various statutory and common law claims, including as class actions).