FTC documents on a desk beside a laptop showing an inbox

In April 2017 the New York Times revealed that Unroll.me had been selling its users' email receipt data to Uber. The backlash was immediate. Unroll.me's CEO posted a public apology. Two years later federal regulators acted, and the Federal Trade Commission opened a formal investigation that ended in a consent order.

Short answer. In August 2019 the FTC reached a consent order with Unroll.me: no monetary fine, but the company had to stop misrepresenting its data practices, notify the consumers it misled, and delete the e-receipts it had stored. A related class action (Cooper v. Slice Technologies) was dismissed in June 2018. Unroll.me still shares anonymised commercial-email data under its parent company NielsenIQ. If that trade-off is not for you, Leave Me Alone is the best Unroll.me alternative in 2026.

Disclosure. Leave Me Alone is our product and we rank it first. Every legal claim below links to a primary document: the FTC complaint and order, the court docket, or contemporaneous legal analysis. Spot an error? Email us and we correct with a timestamp.

What this article covers

The legal record: the FTC consent order, what the order does and does not require, the parallel class action and why it failed, and what Unroll.me's privacy posture looks like today. The original 2017 incident is told separately in the 2017 data-selling story.

What the FTC found

The FTC filed an administrative complaint against Unrollme Inc. on August 8, 2019 (FTC v. Unrollme Inc., Complaint, August 8, 2019). The core finding was that Unroll.me misled consumers about how it handled their email, then used that misleading reassurance to overcome their hesitation at sign-up.

The complaint identified seven specific findings:

  1. Unroll.me required users to grant full access to their email account in order to use the unsubscribe service.
  2. Parent company Slice Technologies extracted the full contents of users' commercial e-receipts in the background, including names, billing and shipping addresses, and product details.
  3. Slice used that data to build an anonymised market-research panel sold to commercial clients.
  4. To overcome user hesitation during sign-up, Unroll.me displayed reassuring pop-ups. From January 2015 to November 2015: "Don't worry, we won't touch your personal stuff." From November 2015 to October 26, 2016: "Don't worry, this is just to watch for those pesky newsletters, we'll never touch your personal stuff."
  5. More than 20,000 consumers completed sign-up after seeing one of those pop-ups.
  6. The pop-ups were materially deceptive: they directly contradicted the practice of capturing commercial e-receipts in full.
  7. The deception caused or was likely to cause substantial injury to consumers, who would not have signed up had they known the truth.

The legal theory was a straight Section 5 FTC Act claim: unfair or deceptive acts affecting commerce. Legal analysis by Zwillgen at the time framed it precisely: "the FTC said the company misled users about how it accessed and used their email" (Zwillgen, FTC Says Unrollme Deceived Consumers). A summary by Manatt published on Lexology placed the case in the broader pattern of FTC enforcement against email-management tools and dark-pattern consent flows (Manatt via Lexology, FTC Unrolls Settlement Over Privacy Violations). IAPP's contemporaneous coverage emphasised that the case was about misrepresentation, not the underlying data sharing, which Unroll.me's privacy policy already disclosed in broad terms.

What Unroll.me agreed to do

The proposed consent order was published the same day as the complaint (FTC Decision and Order, August 8, 2019) and finalised in December 2019 (FTC final settlement, December 2019). Four binding requirements. No upfront monetary fine.

1. Stop misrepresenting data practices. Unroll.me is permanently prohibited from misrepresenting the extent to which it collects, uses, stores, shares, or discloses information from consumers. Any future claim about what the service does with email content must be accurate.

2. Notify the misled users. Unroll.me had to send a notification to every consumer who completed sign-up after seeing one of the two deceptive pop-ups. The notice had to explain plainly how their e-receipts were actually collected and shared with Slice's market-research clients.

3. Delete stored e-receipts. Within ten days of the order, Unroll.me had to delete all previously stored e-receipts (and any personal information within them) from its own systems and from Slice's systems. The only exception: users who provided express, affirmative, opt-in consent to keep their data.

4. Compliance reporting for 20 years. The consent order remains in force until 2039. Unroll.me must file periodic compliance reports with the FTC. Any future violation of the order can trigger civil penalties of up to $42,530 per violation under FTC Act Section 5(l).

The FTC voted 5-0 to accept the proposed order in August 2019 and 4-1 to finalise it in December, with Commissioner Rohit Chopra abstaining. Reporting by MediaPost noted that the Electronic Privacy Information Center had asked the FTC to require notification to Unroll.me's entire user base, not just those who saw the specific deceptive pop-ups (MediaPost, FTC Settles with Unrollme, Rejects EPIC Request). The Commission declined, saying the complaint was confined to "a clear subset of users."

It is worth being precise about what an FTC consent order is. It is a negotiated settlement entered into to avoid trial; the respondent does not admit liability but agrees to be bound by the order's terms. The order itself is publicly enforceable. The 20-year duration and the civil-penalty mechanism are what give the settlement teeth, not an upfront fine.

Cooper v. Slice Technologies: why the private suit failed

The FTC case was not the only legal challenge. In September 2017, in the wake of the New York Times story, a group of users filed a proposed class action in the United States District Court for the Southern District of New York: Cooper v. Slice Technologies, Inc., No. 1:17-cv-07102 (Justia docket).

The plaintiffs advanced three theories of harm: that Unroll.me had sold raw email account data, sold anonymised email data, and sold imperfectly anonymised email data. They invoked the federal Stored Communications Act and several state consumer-protection statutes.

The court dismissed the case on June 6, 2018, more than a year before the FTC reached its consent order. The dispositive issue was Unroll.me's privacy policy. As legal scholar Eric Goldman summarised it, the policy stated that Unroll.me "may collect, use, transfer, sell, and disclose non-personal information for any purpose" (Eric Goldman, Court Dismisses Privacy Claims Against UnrollMe, June 2018). The court found that language authorised the precise conduct the plaintiffs complained about, defeating their consent argument under the Stored Communications Act.

In a widely quoted passage the judge acknowledged being "somewhat uncomfortable" with the result, but concluded the arrangement reflected the "Faustian bargain that undergirds much of the internet: you give me a free service, and I [...] suppress the knowledge that you are probably selling my data to digital touts." A summary by Top Class Actions reached the same conclusion: the suit was thrown out on consent grounds before reaching the merits (Top Class Actions, Unroll.me Class Action Claims User Data Sold to Third Parties).

Two takeaways from the dismissal:

  • It is a private-suit ruling on contract interpretation, not a finding that Unroll.me's conduct was lawful in a general sense. The FTC came to the opposite conclusion the following year on a different legal theory (deceptive sign-up flow).
  • Goldman flagged the broader pattern: courts rarely scrutinise privacy policies with rigour, and boilerplate consent language can shield a company from private liability even when its practices would otherwise look bad to a regulator. Practical implication: a click-through privacy policy is a weaker user protection than people assume.

The class action did not result in any settlement, monetary or otherwise, for users.

What Unroll.me actually changed in its privacy policy

The consent order required honest language and the deletion of stored e-receipts from the affected cohort. It did not require Unroll.me to abandon the underlying business model. After the settlement Unroll.me's published policies and support content were rewritten to disclose the data flow upfront rather than mask it.

The current support page (Unroll.me, What do we do with your data?) describes a measurement panel and provides an opt-out mechanism that lets users keep using the unsubscribe service without contributing to the panel. Unroll.me was rolled under NielsenIQ (NIQ) through Slice's earlier acquisition; NIQ's product-platforms privacy notice as of 2025 confirms commercial-email information and demographic detail are shared with NIQ clients for market analysis.

Two structural differences from the pre-FTC era:

  • The reassuring pop-ups about "personal stuff" are gone. They had to be, under the consent order's misrepresentation prohibition.
  • The data flow is now disclosed in the support documentation rather than buried. Users who want only the unsubscribe service can opt out of panel contribution.

The business model itself was not touched. Inbox access is still exchanged for participation (default-on, opt-out) in a market-research panel. The order made the transaction transparent, not optional.

Did anything really change for users?

Procedurally, yes. The deception is over. Users today are told what Unroll.me does with their data, an opt-out exists, and the company is on a 20-year compliance leash with the FTC.

Substantively, the trade is the same. The free service still requires giving a third party full read access to your inbox. Anonymised commercial-email data still flows to a market-research operation, now under the NIQ brand. The opt-out helps, but it is opt-out, not opt-in. EPIC's criticism during the FTC proceeding (that the settlement was too narrow because it only notified users who saw the specific deceptive pop-ups) has not been formally answered.

For European users the situation is different for a separate reason: Unroll.me withdrew from the EU in 2018 rather than comply with GDPR. That story is covered in Unroll.me's EU exit.

If the underlying model bothers you (inbox access in exchange for market-research data, opt-out by default), the FTC order did not solve that. It made it transparent. Whether transparent is enough is a personal call.

Frequently asked questions

Was Unroll.me fined in the FTC settlement?

No. The August 2019 consent order included no upfront monetary penalty. The FTC's enforcement mechanism is prospective: any future violation of the order can result in civil penalties of up to $42,530 per violation. The absence of a fine was one reason Commissioner Rohit Chopra abstained and one of the points EPIC criticised.

What exactly did the FTC say Unroll.me did?

The FTC's August 2019 complaint identified two deceptive sign-up pop-ups used between January 2015 and October 2016: "we won't touch your personal stuff" and "we'll never touch your personal stuff." More than 20,000 consumers signed up after seeing one of them. The FTC found those statements were materially deceptive because Slice was capturing and storing the full contents of users' commercial e-receipts at the same time and selling anonymised data commercially.

Is the Unroll.me lawsuit still ongoing?

No. Cooper v. Slice Technologies, Inc. (S.D.N.Y., No. 1:17-cv-07102) was dismissed on June 6, 2018 on consent grounds: the court found Unroll.me's privacy policy disclosed data sharing in language broad enough to authorise the challenged practice. There is no known active litigation against Unroll.me on these grounds as of 2026.

Did affected users get any compensation?

No. The class action was dismissed without compensation. The FTC consent order required notification of misled users and deletion of stored e-receipts, but no monetary remedy. Affected users received an explanation, not a payout.

Does the FTC settlement mean Unroll.me is "safe" now?

It means Unroll.me cannot legally misrepresent its data practices and is under FTC compliance reporting until 2039. It does not mean the data-sharing business model has stopped. The current support page and parent-company privacy notice confirm commercial-email data still flows to NIQ's market-research clients. Safer than 2017, same business model.

Scope and limits of this article

A few honest constraints worth stating.

This is a desk review of the public record: the FTC complaint and order, the court docket and ruling, contemporaneous legal commentary, and Unroll.me's current published policies. It does not assess the technical implementation of Unroll.me's systems today or audit what data NielsenIQ actually holds. Verifying that would require internal access I do not have.

It also does not retell the underlying 2017 incident in detail. For that, see the 2017 data-selling story.

Quotations from court documents and the FTC complaint use the wording from those documents directly. Where I summarise, I link to the primary source so you can read the original.

Bottom line

The 2019 FTC consent order was a real enforcement action with three concrete effects: it banned the deceptive sign-up language, required deletion of stored e-receipts from the misled cohort, and put Unroll.me on a 20-year FTC compliance regime. There was no fine and no compensation for users.

The parallel class action Cooper v. Slice Technologies was dismissed in 2018 because users had technically consented to data sharing through a privacy policy that disclosed it in broad legal language. A private suit failing on consent grounds is not the same as a regulator clearing the conduct, which the FTC made clear the following year.

What neither outcome did: end the underlying business model. Free unsubscribe service in exchange for inbox access feeding a market-research panel is still how Unroll.me works in 2026, now under NielsenIQ, with an opt-out instead of a hidden default.

If you want an inbox cleaner that does not monetise your email at all, that charges a straightforward subscription fee and participates in no panel, no data sale, and no research operation, Leave Me Alone was built on exactly that model.

Sources