Email cleanup service Unroll.me has settled with the U.S. Federal Trade Commission and must delete information it gathered from some consumers after it was revealed the firm was mining and selling data from users’ inboxes, the agency announced on Tuesday.
In 2017, the New York Times revealed that once Unroll.me—which was supposed to help users unsubscribe from spam—gained access to inboxes, it scanned them for receipts and sent that data to its parent company, Slice Intelligence. Slice then used those receipts in analytics reports it sold to companies like Uber.
Disclosures that the company might engage in this kind of practice were buried deep in the terms of service, and it certainly didn’t help things that CEO Jojo Hedaya’s response to user anger was to issue a non-apology (he wrote it was “heartbreaking” “to see that some of our users were upset to learn about how we monetise our free service”).
One of Unroll.me’s co-founders who was no longer with the company, Perri Chase, wrote in a Medium post that those angry about the situation “have clearly been living under a rock.”
The FTC took a somewhat more limited view of how much of this was actually actionable. This settlement announced on Wednesday targets Unroll.me for those instances in which some people declined to give the company permission to access their inboxes or contacted customer support with privacy concerns, and the firm made false statements in an effort to lure them back.
The FTC’s complaint alleged Unroll.me sent marketing pitches to people who declined to give access to their inboxes that it “won’t touch your personal stuff,” and repeatedly assured those who contacted its customer support lines that it was not reading personal email, only “subscription emails.”
The settlement bars Unroll.me from “misrepresenting the extent to which it collects, uses, stores, or shares information it collects from consumers,” according to the FTC, as well as notify impacted users and delete all electronic receipts it had collected via their accounts. The agreement will be posted to the Federal Register “soon” and subject to a 30-day public comment period before it goes into effect.
“What companies say about privacy matters to consumers,” U.S. FTC Bureau of Consumer Protection director Andrew Smith said in the announcement. “It is unacceptable for companies to make false statements about whether they collect information from personal emails.”