Court Dismisses Privacy Claims Against Email Subscription Management Tool–Cooper v. UnrollMe

UnrollMe-300x65UnrollMe provides a service allowing users to opt-out of unwanted emails. It does this by getting its users’ email account login credentials, which allows UnrollMe to access users’ email inboxes. This lawsuit alleges that UnrollMe sold users’ data. (🚨 Irony level: high 🚨) The court dismisses the lawsuit on the merits.

Plaintiffs alleged several flavors of improper disclosure by UnrollMe:

  • The sale of raw email account information
  • The sale of anonymized email data
  • The sale of imperfectly anonymized emails

The court first evaluates standing. While the first allegation (sale of non-anonymized personal information) is most effective for standing, the complaint didn’t sufficiently allege this. The third disclosure, which raises the possible risk of de-anonymization, is too remote in terms of harm because the complaint doesn’t allege de-anonymization actually occurred. This leaves the second category. The court says this is sufficient for standing. Assuming users do not consent, the sale of anonymized emails is sufficient for Article III standing purposes.

The court turns to the merits and the sole allegation that warrants consideration is the sale of anonymized email data. UnrollMe argued that users consented via the privacy policy. The policy stated:

We . . . collect non-personal information − data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, sell, and disclose non-personal information for any purpose. . . . We collect such commercial transactional messages so that we can better understand the behavior of the senders of such messages, and better understand our customer behavior and improve our products, services, and advertising. We may disclose, distribute, transfer, and sell such messages and the data that we collect from or in connection with such messages; provided, however, if we do disclose such messages or data, all personal information contained in such messages will be removed prior to any such disclosure.

We may collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners. If we combine nonpersonal information with personal information, the combined information will be treated as personal information for as long as it remains combined.

[emphasis added]

Plaintiffs argued that they allowed UnrollMe “to access their emails” to clean up their inboxes and not for any other purpose. But the court says the language of the policy is clear. UnrollMe’s privacy policy authorized the exact conduct plaintiffs complained of.

Plaintiffs argued that the policy is misleading, because it says that UnrollMe “may” sell consumer data, not that it “would do so”. Plaintiffs pointed to a ruling in the Gmail email scanning case that relied on a similar distinction. The court disagrees with that ruling and also distinguishes the policy language in that case–which was in the passive voice–from the active voice in this case.

Plaintiffs also argued that, even if they consented to the interception of communications under ECPA, such interception was for a tortious purpose. However, plaintiffs are unable to point to anything tortious beyond lack of consent.

Plaintiffs also argued the consent provision was unconscionable, but the court says there is no lack of meaningful choice. The court is somewhat uncomfortable the bargain UnrollMe struck, but it’s one online consumers engage in all the time:

It is probably true that UnrollMe’s unwitting consumers simply wanted to clean up their inboxes. But it is also true that those consumers agreed to the Faustian bargain that undergirds much of the internet: you give me a free service, and I suppress the knowledge that you are probably selling my data to digital touts. We may not like it, but it is not per se unlawful.

The court finally dismisses plaintiffs’ argument that UnrollMe exceeded the scope of consent. The complaint only definitively states that UnrollMe sold anonymous data. With respect to UnrollMe’s failure to sufficiently anonymize data, the allegations are too vague. Thus, consent to the sale of anonymous data negates the claims alleged by plaintiffs.

__

It’s interesting that the UnrollMe service actually obtains user passwords. This sounds like it could violate the terms of service for email accounts. Interestingly, courts have not held that waiver of federal privacy statutes have to satisfy an evidentiary burden that’s higher than normal (e.g., the waiver has to be clear and equivocal or established by clear and convincing language).

Courts are not very strict about scrutinizing privacy policies. This dispute vaguely reminds me of the Hoang/IMDb case, where IMDb received the benefit of the doubt with respect to its privacy policy. She lost on appeal following a jury verdict, but the court in that case also had an opportunity to take a close look at a privacy policy but did not hold it up to harsh scrutiny. See “In IMDb Privacy Case, 9th Circuit Rejects Hoang’s Appeal”.

The court alludes to the Faustian bargain consumers agree to. This is not the first court to have cited to the adhesive nature of the data-for-service exchange. As with other courts, it does not change the court’s ruling. For what it’s worth, the recent EU data privacy rules frown on the lack of granular control offered here.

Plaintiffs have a few weeks to appeal. I predict they will.

__

Eric’s Comment: If you’re using UnrollMe, I trust this opinion will prompt you to reconsider. More generally, I categorically refuse to give anyone (other than Gmail) unrestricted access to my email inbox because my inbox holds the key to pretty much everything else in my life, including the ability to reset the login credentials of most of my third party accounts. Giving inbox login credentials to a third party service whose provenance I don’t really know (which is actually owned by a market research company) and with unknown security practices? That sounds insane.

Case citation: Cooper v. Slice Techs, Inc., 208 US Dist LEXIS 95298 (S.D.N.Y. June 6, 2018)

Related posts:

In IMDb Privacy Case, 9th Circuit Rejects Hoang’s Appeal

UN’s “Privacy Rapporteur” Speaking at Santa Clara University April 9

Plaintiff’s Location-Based Privacy Claim Against BART Reporting App Fails

Narrow Definition of “Personally Identifiable Information” Kills VPPA Case–Eichenberger v. ESPN

App Listening For Audio Beacons May Be Illegal Wiretapping–Rackemann v. Colts

On Remand, Ninth Circuit Says Robins Satisfied Article III Standing

Facebook Persistent Tracking Lawsuit Crashes Again

Your Movements Shall Be Traced: The New EU Regulation on Cross-Border Portability (Guest Blog Post)