Last week, Unrollme Inc.’s (“Unroll.me”) privacy policy came under fire from consumers and privacy advocates in response to news that Unroll.me collects and sells data associated with user email messages.

Why should website and mobile app providers have a clear and conspicuous privacy policy?

Unroll.me’s Data Collection Practices

Unroll.me owns and operates a free-to-use website and iOS mobile application that “cleans up” users’ email inboxes. Users are able to link their Outlook, Gmail, Yahoo! Mail, AOL Mail and iCloud email accounts with the service, which are scanned for recurring email subscriptions. At its core, the Unroll.me service allows users to unsubscribe from unwanted emails.

On April 23, 2017, the New York Times reported that data firm Slice Technologies, Inc. (Unroll.me’s parent company) anonymizes and compiles data from Unroll.me users’ email messages. Such data is then sold to third parties including Uber Technologies Inc., which reportedly used the information to keep tabs on transportation rival Lyft, Inc.

Fallout and Response

The public backlash concerning Unroll.me’s data collection practices and privacy policy has been substantial. Hundreds of users have taken to social media and the Unroll.me website to announce their feelings of betrayal and the deletion of their Unroll.me accounts. Likewise, privacy advocates, such as the Electronic Frontier Foundation and Center for Digital Democracy, have issued statements publicly questioning the integrity of Unroll.me’s data collection practices.

In an Unroll.me blog post published that same Sunday entitled “We Can Do Better,” CEO Jojo Hedaya pointed to the company’s Terms of Service and “plain-English Privacy Policy” as evidence of Unroll.me’s proper disclosure of data collection, and stressed the anonymized nature of the information that Unroll.me collects from users’ email accounts. Hedaya also conceded, however, that “recent customer feedback tells me we weren’t explicit enough.”

How Clear Is Your Privacy Policy?

Due to the complex regulatory framework governing the collection, use and sharing of personally identifiable information – and the potential for public relations disaster, as the above-referenced case illustrates – it makes good business and legal sense to craft a clear and conspicuous privacy policy that is tailored to the needs of your business, and that provides your website and mobile app visitors with the information that they require to make informed decisions about the provision of their personal data and how it is used.