Let me tell you a tale of face palming and “what were they thinking?” About two years ago, Unroll.me, a company providing a service of the same name that cleans up your email inbox by unsubscribing you from newsletters and spam, somehow managed to get itself in trouble over its privacy policy. While this doesn’t happen often, it’s definitely a cautionary tale about maintaining your privacy policy and following it. Let’s see what happened and what we can learn from it.
The service is owned by parent company Slice Technologies. A couple of years ago, it was discovered that Unroll.me was providing Slice with information it collected on user purchases from scanning their emails. Slice was, of course, selling this information. As the Verge points out in its summary of the issue, “Unroll.me was caught selling receipt data to Uber so the ride hailing service could better target customers who might be using its competitor Lyft more often.” Now, under normal circumstances, this type of behavior wouldn’t really ruffle feathers. I mean, most people understand that free services are not really “free” and that the price we often pay is the monetization of our data by the companies providing the service. However, this situation was just a bit different from that.
See, the problem (and here’s where we’re all going to learn something) was that Unroll.me, a year before any of this happened, sent messages to users who declined to give the company permission to scan their inboxes, and those messages contained what the FTC determined were misleading statements. Specifically, they provided messages saying “Don’t worry, this is just to watch for those pesky newsletters, we’ll never touch your personal stuff.” The FTC determined that this behavior violated privacy disclosure rules and amounted to misrepresentation since the company was, in fact, collecting, using, and selling customer data.
Do you have a privacy policy for your website/app/service? If the answer is no, please contact me so we can talk...
If you have a privacy policy in place, then please make sure you are actually adhering to the policy that you’ve published and that users agreed to when signing up for your service. Do not send users messaging, or otherwise give them the impression, that you plan on doing something different from what your privacy policy states. If you give them the ability to opt out, then that means they’ve opted out and that’s all there is to it. If you plan on selling user data, make sure it’s in your privacy policy and that you don’t state anything otherwise on social media, directly to customers in email, or on your website. And, of course, if you change your mind about how you handle customer data, be sure to update your privacy policy to reflect these changes and have users acknowledge the updated terms.
If you have questions or want to be sure your privacy policy (and procedures) are proper, feel free to reach out for a consultation.