Unroll.me to close to EU users saying it can’t comply with GDPR

Put on your best unsurprised face: Unroll.me, a company that has, for years, used the premise of ‘free’ but not very useful ’email management’ services to gain access to people’s email inboxes in order to data-mine the contents for competitive intelligence — and controversially flog the gleaned commercial insights to the likes of Uber — is to stop serving users in Europe ahead of a new data protection enforcement regime incoming under GDPR, which applies from May 25.

In a section on its website about the regional service shutdown, the company writes that “unfortunately we can no longer support users from the EU as of the 23rd of May”, before asking whether a visitor lives in the EU or not.

Clicking ‘no’ doesn’t seem to do anything but clicking ‘yes’ brings up another info screen where Unroll.me writes that this is its “last month in the EU” — because it says it will be unable to comply with “all GDPR requirements” (although it does not specify which portions of the regulation it cannot comply with).

Any existing EU user accounts will be deleted by May 24, it adds:

The EU is implementing new data privacy rules, known as General Data Protection Regulation (GDPR). Unfortunately, our service is intended to serve users in the U.S. Because it was not designed to comply with all GDPR requirements, Unroll.Me will not be available to EU residents. This means we may not serve users we believe are residents of the EU, and we must delete any EU user accounts by May 24. We are truly sorry that we are unable to offer our service to you.

While Unroll.me, which is owned by Slice Technologies, also claims on the very same website that its parent company “strips away personal information” (i.e. after it has passed personal data attached to commercial and transactional emails found in users’ inboxes) — to “build anonymized market research products that analyze and track consumer trends” — it has been criticized for not being transparent about how it parses and sells people’s personal information.

And in fact if you go to the trouble of reading the small print of Unroll.me’s privacy policy it says it can share users’ personal information how it pleases — not just with its parent entity (and direct affiliates) but with any other ‘partners’ it chooses…

We may share personal information we collect with our parent company, other affiliated companies, and trusted business partners. We also will share personal information with service providers that perform services on our behalf. Our non-affiliated business partners and service providers are not authorized by us to use or disclose the information except as necessary to perform services on our behalf or comply with legal requirements.

So it’s not hard to see why Unroll.me has decided it must shut up shop in the EU, given this ‘hand-in-the-cookie-jar’ approach to private data. (In a GDPR FAQ on its site it tries to suggest it needs more time to comply with the enforcement requirements — couching the regulation as “so vast and appropriately comprehensive” it simply hasn’t had time to get its ducks in order; yet the final text of GDPR was agreed at the end of 2015, and the regulation was proposed three years before that, so all companies handling personal data in the EU have had years to get aware and get prepared.)

The move also flags up contradictions in Unroll.me’s messaging to its users. For instance we’ve asked the company why it’s shutting down in the EU if — as it claims on its website — it “respects your privacy”. We’re not holding our breath for a response.

The market exit also looks like a tacit admission that Unroll.me has essentially been ignoring the EU’s existing privacy regime. Because GDPR does not introduce privacy rules to the region. Rather the regulation updates and builds on a data protection framework that’s more than two decades old at this point — mostly by ramping up enforcement, with penalties for privacy violations that can scale as high as 4% of a company’s global annual turnover.

So suddenly the EU is getting privacy regs with teeth. And just as suddenly Unroll.me is deciding it needs to shut up the local shop… 🤔 (And nor is it the only one… )

It’s true that GDPR does tighten existing consent requirements for processing personal data — but only slightly. Current EU rules already require that consent be freely given, specific and informed. GDPR adds that it must also be a “clear affirmative act” and “unambiguous”, along with requiring data controllers are able to demonstrate that a service user whose personal data is being processed has given consent for that to happen.

But the core EU requirement of ‘freely given, specific and informed’ consent stands. Which does rather suggest that Unroll.me was already trampling over the privacy rights of EU users — given it’s the threat of big fines that’s the shiny new thing here…

GDPR also takes aim at the practice of burying information that users need to decide whether or not to consent to their personal data being processed in difficult to find and read dense legalese.

And the regulation’s requirements on that front are forcing companies to be more up front about what exactly they intend to do with people’s data. (Even if some tech giants are still trying their hand at socially engineering and manipulating ‘consent‘.)

“Consent [under GDPR] must also now be separable from other written agreements, and in an intelligible and easily accessible form, using clear and plain language,” data protection expert Jon Baines, an advisor at UK law firm Mishcon de Reya LLP, told us recently. “If these requirements are enforced by data protection supervisory authorities and the courts, then we could well see a significant shift in habits and practices.”

As well as signs of shifts in business processes, it looks like some of the changes that GDPR can take (early) credit for include expedited market exits by companies with business models that rely on not being adequately up front with their users.

In the case of Unroll.me, any non-EU users should really be asking themselves if they need this ‘service’ — and/or asking the company lots of questions about what it’s doing with their private information; who it’s selling their information to; and what those third parties are using their data for?