Email Unsubscription Service Unroll.me To Close To EU Users Saying it Can't Comply With GDPR

Unroll.me, a company that has, for years, used the premise useful "email unsubscription" service to gain access to people's email inboxes in order to data-mine the contents for competitive intelligence -- and controversially flog the gleaned commercial insights to the likes of Uber -- is to stop serving users in Europe ahead of a new data protection enforcement regime incoming under GDPR, which applies from May 25. From a report: In a section on its website about the regional service shutdown, the company writes that "unfortunately we can no longer support users from the EU as of the 23rd of May," before asking whether a visitor lives in the EU or not. Clicking 'no' doesn't seem to do anything but clicking 'yes' brings up another info screen where Unroll.me writes that this is its "last month in the EU" -- because it says it will be unable to comply with "all GDPR requirements" (although it does not specify which portions of the regulation it cannot comply with).

No like it ever witkedt

I tried it, and all I got were a few links to external pages. Nothing worked out of the box.

Re:No like it ever witkedt

Your comment subject leaves one to wonder if your keyboard ever witkedt...

Re: No like it ever witkedt

It did wick before Microsoft bought it

One down...

[Joce640k]

One useless parasite down. That's a start.

Go, GDPR!

Re:One down...

[xxxJonBoyxxx]

Exactly. This is one law/regulation that's not only working as designed, it's working as intended!

Re:One down...

[Barsteward]

its their loss of a market of 450m people, they must be doing well elsewhere.

Big surprise?

[nitehawk214]

How can anyone be surprised that a company with full access to someone's email misuses the information they receive.

Why is anyone still using the service after they got caught lying?

Re:Big surprise?

For the same reason Trump is still president after being caught lying. People just don't care, and there are much worse crimes in this world than lying.

Re:Big surprise?

[ranton]

Why is anyone still using the service after they got caught lying?

I didn't see any mention of Unroll.me lying to their customers. They are a free service, so they are going to make money off of their customers' data. If you are curious about how, you go read their Terms of Use and Privacy Policy. This is from their Privacy Policy before details of their business model went public:

We also collect non-personal information - data in a form that does not permit direct association with any specific individual ... For example, when you use our services, we may collect data from and about the "commercial electronic mail messages" and "transactional or relationship messages" (as such terms are defined in the CAN-SPAM Act (15 U.S.C. 7702 et. seq.) that are sent to your email accounts.

This clearly states they will look at advertisements (commercial electronic mail message) and receipts / order updates ("transactional or relationship messages) in your inbox in order collect data to sell to 3rd parties. So where were they lying? You may not like their business model but don't accuse them of doing things they didn't do.

Re:Big surprise?

I present to you a visual guide of how hard it is to read all the T&Cs today

https://i.imgur.com/5LphAGP.jpg

Re:Big surprise?

People do care about lying. But what choice did we have when the other candidate was an even BIGGER liar?

Re:Big surprise?

That clearly says they will collect non-personal information. It says nothing about how they will use or disclose (i.e. sell) that information.

Re:Big surprise?

[ranton]

I present to you a visual guide of how hard it is to read all the T&Cs today

https://i.imgur.com/5LphAGP.jpg

I doubt that is an image of Unroll.me's privacy policy, since their document is about 6 pages long with significant white space and a Calibri 11 point font. Page 1 has their policy on collection of personal information, and page 2 has the text I listed above. If you actually care about how they collect your data, you can find everything you want under the headers Our Collection and Use of Personal Information and Our Collection and Use of Non-Personal Information, which are both about a page long.

Re:Big surprise?

Huh?!? What did Gary Johnson lie about?

Re:Big surprise?

[dave420]

There we go with the lies again.

Re:Big surprise?

[ranton]

That clearly says they will collect non-personal information. It says nothing about how they will use or disclose (i.e. sell) that information.

I would hope that would be obvious, but since you think it isn't here is some information from the very next paragraph of their privacy policy:

We may collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners. If we combine non-personal information with personal information, the combined information will be treated as personal information for as long as it remains combined.

Re:Big surprise?

Hillary didn't lie you fucking moron, you made this fucking mess through your idiocy. Can't wait until I take away your right to vote, you obviously haven't earned it.

Um.... politicians lie regardless of the party. That's how they get elected. You haven't figured that out yet?

Re:Big surprise?

Hillary didn't lie you fucking moron, you made this fucking mess through your idiocy. Can't wait until I take away your right to vote, you obviously haven't earned it.

'rights' aren't earned, yfm; they are intrinsic to being. privileges are earned.

Re:Big surprise?

[HiThere]

Not always. They never reveal the truth, but some are clever enough to say only technically true statements in ways that will cause you to believe as they intend. Not that I've run across one recently.

Re:Big surprise?

[sexconker]

Bill Clinton was caught lying. Under oath. He was even impeached for it.

Yet he remained in office.

Re:Big surprise?

[jareth-0205]

I'm genuinely curious as to whether you read and comprehend all the privacy policies that are presented to you on the internet for every site that you interact with... and whether you think that that can be a reasonable thing to expect people to do.

I mean they are deliberately written to be long and hard to understand https://www.theatlantic.com/te...

Re:Big surprise?

[AmiMoJo]

Not lying, just obfuscating to the point where they know that the average person won't bother to read the ToS or work out what "transactional or relationship messages" are.

Re:Big surprise?

Why Republicans get elected; "Because me um unga bunga throw spears at blue tribe unga bunga."

Why Democrats get elected; ""Because me um unga bunga throw spears at red tribe unga bunga."

Re:Big surprise?

[ranton]

I'm genuinely curious as to whether you read and comprehend all the privacy policies that are presented to you on the internet for every site that you interact with... and whether you think that that can be a reasonable thing to expect people to do.

I mean they are deliberately written to be long and hard to understand https://www.theatlantic.com/te...

No, I generally don't read any of them. But without thoroughly reading them you should simply assume all of the data you share can be shared with anyone. You should always assume the first time you type a phone number, address, etc. into a web form it is now public information, just like sending a nude selfie over SMS. Even payment methods such as credit cards are only possible because the card companies cancel / reimburse for fraudulent activity and send new cards, because you would be foolish to assume your credit card number is safe either.

You can certainly expect a higher level of privacy if you wish, but it will take significant effort on your part every time to interact with a new service to thoroughly understand their privacy policies. If you don't put in that time, then assume no privacy if you freely give information to a 3rd party.

Re:Big surprise?

[ranton]

Not lying, just obfuscating to the point where they know that the average person won't bother to read the ToS or work out what "transactional or relationship messages" are.

Which isn't lying. They offer a free product, so you are the product. That shouldn't be a surprise to anyone.

False advertising

Pretending to be a service for unsubscibing, while actually being a data-mining company...

You do realize that false advertising has always been illegal in the EU? Perhaps the real problem is that the fines for false advertising is too low, and the GDPR fines are large enough that companies care about them.

Re:False advertising

[HiThere]

Is there any reason to doubt that they do both? If they do both, then it's not false advertising. They sell themselves to you based on what you want, and the sell your data to fund themselves.

If so, then while it may be reprehensible, it's not false advertising.

Re:False advertising

[Carewolf]

Pretending to be a service for unsubscibing, while actually being a data-mining company...

You do realize that false advertising has always been illegal in the EU? Perhaps the real problem is that the fines for false advertising is too low, and the GDPR fines are large enough that companies care about them.

Plus data-mining has also been illegal for some 30 years. GDPR is just a minor update of existing rules to enable better enforcement.

Regulation kills business

Jobs will be lost.

News at 11.

Re:Regulation kills business

[Opportunist]

Those kinds of jobs being lost is a gain for humanity.

Re:Regulation kills business

[Archangel+Michael]

Subjective opinion, not a fact. I have no idea if it is a net gain or loss to humanity, but I suspect it is a loss, due to the totalitarian fascist nature of the law. The problem with Freedom is it is messy.

Re:Regulation kills business

[Opportunist]

Protecting privacy is fascist, war is peace, freedom is slavery, ignorance is strength...

Re:Regulation kills business

Exactly. Jobs were also lost when the Third Reich fell.

Re:Regulation kills business

[Opportunist]

Would somebody please think of the KZ-Guards...

Re:Regulation kills business

[Archangel+Michael]

Privacy is an illusion.

If you really want to be "private", hole up in a cave away from anyone so that nobody knows anything about you. Other than that, your privacy is subject to everyone you interact with. Ask any private detective how much information they can gather on someone just by watching their every move. Privacy is an assumption , and an illusion.

Re:Regulation kills business

Subjective opinion, not a fact. I have no idea if it is a net gain or loss to humanity, but I suspect it is a loss, due to the totalitarian fascist nature of the law. The problem with Freedom is it is messy.

You might want to stop channeling Alex Jones.

Re:Regulation kills business

[Archangel+Michael]

You might want to go to your safe space and play with crayons.

Re:Regulation kills business

[Opportunist]

Safety is an illusion, why do you wear a seatbelt?

Re:Regulation kills business

You might want to go to your safe space and play with crayons.

Thank you for reinforcing the point.

By can't, they mean don't want to

[Mascot]

access to people's email inboxes in order to data-mine the contents for competitive intelligence -- and controversially flog the gleaned commercial insights to the likes of Uber

It's almost as if that's exactly the sort of undisclosed behavior the GDPR is designed to combat...

Granted, I suppose my subject is a bit unfair. If violating privacy is your primary business model, I guess "can't" is technically accurate.

Re:By can't, they mean don't want to

[iggymanz]

EU should flood them with "right to be forgotten" requests that they have to comply with

Re:By can't, they mean don't want to

[FictionPimp]

They already said they would delete all EU customer data before the GDPR deadline. So that's not really going to do anything.

Re:By can't, they mean don't want to

There is always the GDPR letter from Hell that you can send them.

Re:By can't, they mean don't want to

[ranton]

It's almost as if [access to people's email inboxes in order to data-mine the contents for competitive intelligence is] exactly the sort of undisclosed behavior the GDPR is designed to combat...

I don't think it is. The GDPR is specifically interested in personal information, not non-personal information such as commercial or transactional messages. As long as the data is sufficiently anonymized (something I'm sure the courts will further define over the next decade or so) I would think companies like Unroll.me could continue that part of their business model even with the GDPR.

There are likely other aspects of Unroll.me's business model which are causing them to cut off EU customers, not their practice of reading customers' emails and selling aggregate data collected from them.

Re: By can't, they mean don't want to

But they disclose it...

Re:By can't, they mean don't want to

[Junta]

While I wouldn't doubt there are unfortunate facets of their business model that have not come to light, it could also be that avoiding the burden of having to reply to GPDR requesst is worth losing the market, even if you could give replies above board.

Re:By can't, they mean don't want to

The letter seems quite reasonable.

Re:By can't, they mean don't want to

[Mascot]

The focus of the GDPR is the need to inform the user and to allow them to control the use of their personal information, making undisclosed data collection and/or usage a primary target for the legislation. Thus this (I'm going by the summary here, I don't know anything about unroll.me) would be exactly the type of behavior it's designed to prevent. In other words, I strongly believe you are objectively wrong.

It is possible that they could keep going if they informed the user properly and made everything opt-in, but the big issue I see is the stipulation in the GDPR for data minimization. You cannot collect or process data that's not necessary for the purpose for which you are accessing the data. For a service offering a way to unsubscribe from mailing list, processing information about how you use ride sharing services would be a tough sell as being relevant to the service being offered. In order to be able to anonymize data and use it for other purposes than offering the service, you first need to show that processing that data was necessary to begin with.

Re:By can't, they mean don't want to

[AmiMoJo]

Uber is required to delete that data now, with no action required on our part.

This law is fucking great.

Re:By can't, they mean don't want to

[iggymanz]

talk and action are two different things; that is not an easy feat

Which part

[hattable]

Why does it matter which part of the GDPR a company is unable to comply with? Despite how scummy of a company they are, unrollme will not be able to provide services to a large portion of the world. Privacy advocates want it (including myself), and we got it. We don't get to jab our fingers in the wound and blame the company as a way to avoid any potential negative feelings about what has happened.

To reiterate: GDPR good. Unrollme bad. *massages temples* I chose this life. I chose this life.

This is the price Europeans must pay

[OrangeTide]

Mandating personal privacy has cost you free shitty email service.

Re:This is the price Europeans must pay

As said by someone who values money over others. Pecunia in conspectu populi.

GDPR is great !

[aepervius]

GDPR is like a great filter which tells me who is breaking my privacy and who won't. Say you close off to EU customer because of GDPR ? Great I know you were breaking my privacy and selling my data ! Good riddance !

Re:GDPR is great !

A++++ Would read again.

Re:GDPR is great !

Agreed. Even though I am not from a country within the EU I will start to consider whether to use an online service based on their compliance with GDPR. Avoiding GDPR will be a "red flag" to suggest I avoid that company.

Good.

[k.a.f.]

If they can't justify processing my data under any of the numerous and rather broad bases, then they don't deserve to get them.

Re:Good.

[Junta]

Note that I'm not particularly enthusiastic about unroll.me's model or particularly trusting in their intent, but broadly speaking even if they can justify processing the data, the effort associated with auditing and proving their intent and risk according to the specific terms of GPDR could still be considered too much a burden to be worth it.

That's generally the issue with many regulations. They mean well and there is a definite need for some regulation to serve the purpose, but often they are structured such that compliance also inflicts significant cost upon groups that were not doing anything to be vaguely part of the problem.

Re:Good.

Well, yeah. This is the ages-old phenomenon called "Why we can't have nice things": an unregulated situation that works nicely for most becomes untenable because a few assholes abuse the lack of sanctions to do asshole things. Imposing the regulation then imposes costs even on the innocent. But that doesn't mean that regulatin is always wrong. It's a case-by-case decision whether it's a net win or not.

Bullshit

Unable or unwilling? I think we all know the answer to that.

Another company to add to my blacklist.

Is it just me

[jwymanm]

Or is everyone on this discussion some kind of EU proponent wanting less freedoms and more laws for Internet? It's almost like robot shills. This is giving governments more control over business. This is not a good thing. I'd support a checkmark system like SSL in a browser that let people know if using a service could lead to leak of your information but not this. This just supports Google and Large Co to continue business as usual while killing smaller free service providers aka competition. People are celebrating less freedom on the net every time EU scratches a frigging freedom itch and it's disgusting.

Re:Is it just me

Did you read GDPR document?
It makes it sound like its dangerous insist on common sense processes around data security, but I guess maybe it is in the USA.....

Re:Is it just me

[Junta]

I think the goal is admirable, but reading the 'nightmare GPDR letter' highlights that doing things above board is good and required, but it also requires all good actors to respond to some potentially detailed inquiries. This includes both generic information about where and how data about the user is stored (which shouldn't be too much of a burden) to the specific unique details to a specific individual's data. This either means manual effort and/or creating specialized reporting to react to GPDR requests.

I think that's the burden people get worried about, how much burden it puts on *showing* you are not intentionally or at risk for accidentally having data disclosed.

Re:Is it just me

[Actually,+I+do+RTFA]

Laws and regulations can be good or bad. A lot of people think that the GDPR is a good law, and that it improves the world. That doesn't mean its supports want arbitrary more laws beyond that.

Re:Is it just me

[jwymanm]

But that is guaranteed to come. The internet needs to remain open at all costs. The entire reason it has prospered so well is because of the freedom it had when started. Now you can barely fart wrong on the net and you get taken down across 30 participating countries. CLOUD act basically means you have no rights anymore. EU sues damn near every large company on the Internet. etc

Re:Is it just me

[Carewolf]

The law has been in effect for a little over 30 years now, and not caused any troubles. The GDPR is only an update of the enforcement. It is the very same set of laws that forced Facebook to not merge data it bought from WhatsApp, and forced Google to not merge Youtube and Google Plus accounts.

Re:Is it just me

This is about giving business less control over people by giving people more control over how businesses (and governments) process their data. That is a good thing.

Re:Is it just me

I think companies and governments have increasingly in recent years abused our privacy and personal information. Regulations which help protect our personal information are generally a good thing. In the US, companies self-impose regulations to protect my credit card number more than my social security number even though i can easily get a new credit card but it's very difficult to deal with a new SSN. Likewise the self-imposed restrictions to protect my CC number are more stringent than the government imposed regulations to protect PHI under HIPAA. I say this as someone who works in a company that deals with both PCI and HIPAA regulated data. Too many of the HIPAA specifics are actually optional: "The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information." The key wiggle-room word is "appropriate".

"45 CFR 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information." They are not required to encrypt your data, they just have to notify you if a breach occurs and they didn't encrypt it.

While I have not read GDPR yet, my hope is that it's not another feel good regulation written by industry for industry.

Big goverment

Another example of big goverment attacking and undermining innovative businesses with terroristic laws and practises. I am American and many people are talking about this. Disgusting.

Re:Big goverment

Hi Donald, eat a bag of dicks.

quo nullum argumentum

[OrangeTide]

Si pecuniam haberem, panem emerem.

(est aliqualiter rationem)

Americunts on suicide watch

Oh I am laughing. I bet you work for some jewish piece of shit silcon valley "startup" which absolutly should not exist, and you are BUTT MAD that my awesome new privacy protection pisses all over your rented juicier internet-of-bullshit-whatever.
Lalalalalalallamo! Holy shit I love being European, truely fortunate that I wasn't born a fat shit, lose asshole, wallmartian, who can do nothing except brown tongue your jewish masters all day on the interbutts.

I am eurphic that the GDPR is causing you so much butt hurt. Pooper peeved. Ass pained, lalalalalala.
Consumer protection laws are oppressive. REALLY? I mean REALLLLY, I am laughing at your life right now.

EU and "consumer protection laws"

[stud9920]

I am a huge fan of the EU. Not only because it's a bringing prosperity to my city (Brussels), is a net contributor to local and world peace, allows me to travel and pay more easily in a territory 50x as large as my own country, the Microsoft and Google lawsuits and many more reasons, but I truly despise the way they design the consumer protection laws.
Instead of punishing technology's abuses, they are really trying to make people's lives miserable.

Visiting a web site ? half of your screen is covered by the cookie warnings, even though 99,99% of website owners only actually use cookies for session management. And it would have taken very few effort for the lawmakers to add a "ignore and hide cooking warnings" general setting, which on EU scale would have made it to all browsers. This instead of just banning cookie tracking

Travelling across the border ? You'll get a SMS telling you that the tariff is....the same as home, which is nice, but that SMS / Tariff info was only relevant when operators were taking outrageous roaming fees. The message, though, is still mandatory.

Entering your car and want some navigation ? A stupid warning "driving while operating this device' is dangerous" (granted, that one may be even worse in the US)

And now GDPR: 99,99% of customer / subscriber information IS relevant, and is NOT used in abusive way. As a small non-profit sport club structure, it took us 2 months of iterative work to make ourselves minimally compliant, including a web site migration towards EU (on US owned servers). There is exactly zero gain for our members, whom we can not service if we don't have that minimum info from them, and which we have zero incentive to abuse. Of course, the have absolutely zero manpower to actually control/enforce the compliance in the millions of businesses and associations having files

All this while the ones most inclined to abuse their customers will still get away with it, and for which well-targeted raids might actually be cost effective.

Backup

[DeVilla]

Honest question. How are folks implementing backups that comply with GDPR? Seems there would be some cases where you couldn't backup data on a per-user basis. Mutable backups just seem totally wrong.

A lot of GDPR is clearly well thought out and easy to design too as a result. Migrating a non-GDPR based design could be a pain. But the requirements to be able discard backups in a month seems like it could be tricky in certain cases without compromising backup integrity.