Unrollme, Inc. Settlement with FTC over Unauthorized Email Access

The Federal Trade Commission (FTC) entered into a proposed settlement with Unrollme Inc. (“Unrollme”), a free private email management service that helps customers manage the flow of subscription messages in their inboxes. The FTC alleged that Unrollme made misleading statements to consumers who may have had concerns about privacy and persuaded them to give their email accounts to the company.

Unrollme provides services that help minimize subscription email clutters by assisting consumers in unsubscribing from unwanted subscription email messages and consolidating wanted subscription messages into one daily email. In order to provide these services, Unrollme needs customers to provide Unrollme with full access to their email accounts so that it can scan the users’ inboxes for subscription emails.

FTC allegations in its complaint regarding Unrollme practices are deeply concerning to say the least. Unrollme provided its parent company, Slice Technologies, Inc. (“Slice”) access to its users’ email messages without notice or consent, to allow Slice to scan and extract data from the users’ electronic receipts (think about your Amazon receipts or other receipts you received from making an online purchase). 

Using a crawler, Slice “captures and copies the entire body of the message, which Slice then stores until the user deletes his or her Unrollme account.”[1]  Nothing was removed from the body of the receipts before they were stored, including any personal or sensitive information. Slice then extracted data from those receipts, anonymized the data, and packaged it into  reports of market research and sold to other companies. While some users refused to grant Unrollme access to their email accounts during the enrollment process, Unrollme sent them follow-up messages and induced the users to grant it access. FTC further points out that although Unrollme privacy policy has disclosed  that it would sell information collected from commercial email messages, Unrollme did not require the users to view the privacy policy and only generally require them to click a box to agree. Some of the users who viewed the privacy policy indicated that they found it confusing.

These deceptive practices were considered to be in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).

PROPOSED RESOLUTIONS TO THE FTC COMPLAINT

The settlement prohibits Unrollme from making any misrepresentations to its users about how it accesses, collects, uses, stores or shares users’ data or emails. FTC further requires Unrollme to notify all its users about how it collects and uses data, delete all Unrollme and Slice stored data, and provide the FTC with periodic compliance reports and notices.

AVOIDING POTENTIAL PRIVACY LAWSUITS

New consumer privacy laws will come into effect in the near future, particularly in states like Nevada and California, restricting how businesses collect, use, store, and share consumer information. A clear and conspicuous privacy policy disclosing the company privacy practice will be required by law, among other measures. Additionally, businesses must acquire consumer consent to their privacy practice at the moment of purchase or otherwise during the registration period of the website to email customers.

This is not the first time that Unrollme activities have been questioned. Last year, in Cooper v. Slice Technologies, Inc.,[2] a privacy lawsuit was filed against Unrollme data mining procedures, stating that it did not adequately disclose to consumers the extent of its data mining practices and sold anonymized emails without their consent.

[1] https://www.ftc.gov/enforcement/cases-proceedings/172-3139/unrollme-inc-matter

[2] Cooper v. Slice Technologies, Inc., No. 17-CV-7102 (JPO), 2018 WL 2727888 (S.D.N.Y. June 6, 2018)