https://twitter.com/hunterwalk/status/856187175989264384

So the moment I read Mike Isaac’s TK profile it jumped out that Unroll.me was going to have a problem on their hands. Their consumers were surprised at what was being done with their data and no one likes surprises. Regardless of legality (it appears 100% legal) and regardless of uniqueness (what unroll.me is doing isn’t unique), their PR team’s initial response was “read the ToS.” Uh, no, wrong answer. Their CEO then published a blog post which was either sincere or insincere depending on your parsing of “sorry” and general cynicism. Others chimed in with “what did you think, it was free” vs the “my data is my data” purity test. Then today, a friend of the CEO wrote a passionate essay basically saying the CEO is a good guy and tech industry sucks overall.

But let me parse a bit why Unroll.me faced a backlash despite having the right to aggregate and sell anonymized data in exchange for giving you a free product:

Surprised Users! It seems that somewhere along the way Unroll.me evolved how they were monetizing their understanding of your inbox. At first it was to serve you targeted ads in their notification emails to you, but then it became about aggregating and anonymizing data to sell to third parties (this is what Uber purchased). They may have updated the ToS to give them this right, but they seemingly never communicated proactively in plain language what this meant. Why? Because it’s another friction in conversion and, as an industry, we measure funnel dropoff to a second decimal but don’t measure trust often or well. And they put trust at risk.  If they’d proactively notified users and provided an explainer, perhaps they could have mitigated the surprise proactively:

“Hi. In order to keep this service free for you we’re doing something new to help us pay the bills. In helping you manage your inbox we do analysis on which businesses are sending you email and what they’re notifying you about. This information – in aggregate and anonymized – is useful as a market data product we make available to third parties. For example, we may create research reports which help airlines understand trends in travel based on email receipts. Your individual info is never shared, your personal email data NEVER leaves our secure servers and you can [opt out of this panel and upgrade to our premium product; delete your account and all info we have stored; etc] at any time.”

Net-net, the expansion of their business model was perfectly legit but sensitive enough to the average consumer who thought the service was just helping them identify and unsubscribe from mailing lists. Which brings us to….

Ad Targeting vs Data Selling. But Unroll.me was always targeting you based on your data! Yes, they were serving you targeted ads in email notifications based on their understanding of your interests. However, this still feels like they’re keeping your data within their walls. Of the thousands of ads you might see, they’re selecting one that’s relevant to you. This isn’t at scary as the idea that your data (even anonymized and aggregated) is being bundled and sold outside of their corporate systems. Again let me emphasize this post is about why people felt angry, it’s emotion not logic. There was a toxic shock reaction to the idea of one’s data being decoupled from their use of the service and sold. It’s why a company using your data to improve your experience (and their monetization) inside of their product is perceived differently than your data being used by that same company to inform a 3rd party.

But Her Emails. The Unroll.me value prop is simply stated – here’s a picture from five minutes ago

From this simple screen you are prompted to give full access to your email account. Obviously many people gave that access (I did a while back but a few years ago decided no startup should have access to my inbox – too risky). The average person doesn’t think it’s scanning the contents of all your email, just recognizing sender and subject lines. Even a technically aware person might think they’re working off some collaboratively filtered white list and black list of sender addresses, not scanning your Lyft receipts and recording metadata. Unroll.me was building a much more sophisticated view of you as a user than they may have needed to deliver much of their core value proposition. Again, not illegal, but ultimately invasive.

I’m writing this up because nearly a decade of work at Google gave me some insider perspectives on how consumer react to different assumptions around privacy (I was there when Gmail launched and was ‘reading’ your emails). And I’d urge startups to not be too cute but evading the discussion with their users but instead follow a set of best practices around ensuring users have control of their data and understand the tradeoffs they’re making in how you are using it to their benefit as well as the company’s needs.

From an outsider perspective Unroll.me did nothing illegal, or even that uncommon, and every consumer should be proactive in learning how the services they trust maintain or abuse that trust. But Unroll.me did fall short of best practices and potentially even crossed into a gray area ethically depending on the nature of any internal conversations around the level of consumer disclosure they should make once their business model changed.