Square Sells Access To Your Inbox. No One Seems To Know If the Law Cares. (protocol.com) 46
An anonymous reader shares a report: I wanted to know how all these merchants had gotten my professional contact info. What I discovered was both unsurprising in today's world of relentless online marketing and aggressive consumer data sharing, and also a bit disquieting. It also had less to do with these small shops than I might have expected: Square's parent company, Block, was selling access to customers' inboxes, even if all we do is elect to receive a receipt from a single transaction (more on that below). Privacy experts said selling marketing information in this way clearly falls short of best privacy practices. And while it doesn't appear to violate data protection laws, the practice is walking a fine line.
"They're trying to solve for a lot of different nuances whilst trying to serve their objective and their merchant objective, which is keeping as many people opted in as possible," said Sucharita Kodali, a vice president and retail analyst at Forrester. Experts also told Protocol the situation seems to highlight how Block, as well as other payment processors and fintech platforms, operate in a bit of a privacy gray zone. Sometimes that gray zone leaves no one in charge of consumers' data rights, and sometimes it means the companies, deep within their terms of service, have legal loopholes that give them room to use our information in ways we might not expect.
"They're trying to solve for a lot of different nuances whilst trying to serve their objective and their merchant objective, which is keeping as many people opted in as possible," said Sucharita Kodali, a vice president and retail analyst at Forrester. Experts also told Protocol the situation seems to highlight how Block, as well as other payment processors and fintech platforms, operate in a bit of a privacy gray zone. Sometimes that gray zone leaves no one in charge of consumers' data rights, and sometimes it means the companies, deep within their terms of service, have legal loopholes that give them room to use our information in ways we might not expect.
'Access to your inbox' (Score:5, Insightful)
Re: (Score:2, Informative)
The way I read it is that Square maintains an inbox for its users (possibly simply for email forwarding) where it receives confirmation emails from all the businesses where you pay with it. So it would have quite a good idea of where you shop, what for, and for how much money.
Re:'Access to your inbox' (Score:5, Insightful)
Only I can access my inbox, as far as I know.
Anyone who has your email address has write access to your email inbox. This is why, when I need a receipt, I ask for a printed one.
Re: (Score:3)
Re: (Score:2)
I don't even care about spam anymore, now that gmail handles it so well. I just unsubscribe from any legit mailings I don't want, and let the report spam button take care of the rest. I'm rarely if ever interrupted by unwanted email junk anymore.
Re: (Score:3)
Generally does not mean what you think it means. Only I can access my inbox, as far as I know.
I dunno if they do it any more, but when I was invited to join LinkdIn, they asked me for my email password. They mined people's address books and spammed the bejabbers out of everyone in it.
I respectfully declined.
Re: (Score:3)
Why "respectfully?" Anybody who thinks it's OK to harvest their member's email passwords like that doesn't deserve respect. At the very least, my response would be, "Not only no, HELL NO! "
Re: (Score:2)
I respectfully declined. Why "respectfully?" Anybody who thinks it's OK to harvest their member's email passwords like that doesn't deserve respect. At the very least, my response would be, "Not only no, HELL NO! "
Well, I did tell them their practice was completely against my employer's TOS, and I could be fired. But I didn't tell them to go screw themselves.
Linked in too maybe? (Score:2)
Re: (Score:2)
They don't even need to harvest LinkedIn. There are third-party aggregators who do it, compile a nice company directory, and then sell it to marketers and other scum (including phishers).
Tie up their resources (Score:3)
Be obnoxious to them, every single time you receive spam through them. Call them. Ask inane questions through their web page contact form. Ask them to make small changes to your contact information. Mention that they spammed you, but only after you've taken a couple of minutes of their time. Do it every single time.
Re:Tie up their resources (Score:4, Informative)
Be obnoxious to them, every single time you receive spam through them. Call them. Ask inane questions through their web page contact form. Ask them to make small changes to your contact information. Mention that they spammed you, but only after you've taken a couple of minutes of their time. Do it every single time.
The only effect this strategy will have will be to waste your time. Well, maybe you'll get some gratification in the process, but you're kidding yourself if you think it will change their behavior.
Re: Tie up their resources (Score:2)
Re: (Score:2)
Spammers rely on your inactivity. Spam is profitable because the cost to the spammer is negligible. If people stop being passive about it, at least the otherwise legitimate businesses which can't play the whack-a-mole disappearing game every once in a while will have to stop spamming. This isn't a solution for all spam, but divide and conquer.
Re: (Score:2)
Spammers rely on your inactivity. Spam is profitable because the cost to the spammer is negligible. If people stop being passive about it, at least the otherwise legitimate businesses which can't play the whack-a-mole disappearing game every once in a while will have to stop spamming. This isn't a solution for all spam, but divide and conquer.
The only thing spammers rely on is the probability that a tiny percentage of their recipients will be gullible enough to click on their links. Do you seriously believe that they read and respond to input on a web page, assuming that they even have one? The overwhelming majority of spammers are NOT legitimate businesses, unless you consider an outfit offering "Cheap V!agra and Ci@lis!!!" to be legitimate.
I receive quite a bit of unsolicited marketing email messages at work, mostly from IT companies that assu
Re: (Score:2)
Profit is a two-variable entity. You can try to reduce spam-driven revenue, but that depends on the gullible people who respond to spam. If you're not one of those, you have scant influence on revenue. The other variable is cost, and you can influence that, by taking up some resources. You don't do it by responding to the spam email. You contact them through means that waste their time. You call them. You open a support ticket.
Re: (Score:2)
Hey, you do you. Personally, I value my own time more than the time of someone at a company hawking products I have no use for.
Every minute I spend wasting someone else's time is a minute of my time that I'll never get back, and the best result I can hope for by doing that is that they might eventually drop my address from their mailing lists. I doubt it, though -- it's probably cheaper for them to deal with your attempts to annoy them than it is to pay their email marketing service purge addresses from the
Re: (Score:2)
Most likely Square is the one sending the message on their behalf.
So if you don't like it, you could just unsubscribe (or if you never subscribed to Square, mark the message as spam) and be done with it.
Re: (Score:2)
Square at the time claimed they didn't give out customer email addresses, but Organi
Re: (Score:2)
Nah, stop spending money at places that use Square. Tell the vendor about your experience with Square and that you cannot support Square. Tell the vendor that you'd like to support them but you cannot because of Square. These privacy violations need to hit Square where it hurts, right in the income. If enough people skip vendors using Square then they'll go under or start acting right.
No more Square for me.
Re: (Score:2)
Square needs to be spanked hard (Score:4, Interesting)
This is a company that decides on its own whether or not to allow certain businesses access to financial services. Such practices are evil in general and it speaks to the disturbing trend of elected government abdicating its authority and responsibility to govern while allowing unelected bureaucrats and individual businesses to do its dirty work.
Re: (Score:2, Funny)
I had no idea Kanye had a Slashdot account.
Criminal (Score:2)
If that's not criminal, it ought to be. In the EU, at least it would violate the GDPR.
If you are paying at a merchant, you may think to check the T&C of the merchant. Literally no one is going to think to check on the payment service. They have zero business selling your data. Even in the US I would assume that financial data (which this is) would be subject to some protections.
Jail a few CxOs and this crap will stop.
Hide my email (Score:2)
Here we are... (Score:4, Informative)
Buy a stick of gum with a retail account, and the opt-out universe manifests... you will get an email detailing the purchase, then one offering a coupon on your next stick of gum, then one asking how your in-store experience is, another asking to rate the gum, another asking to subscribe and like to the gum company's facebook, instagram, twitter feed, tiktok, linkedin, indeed, yelp, foursquare, and tripadvisor pages, endless suggestions to join everything from the Gummo Marx fan club to the sustainable chicle growers collective, and then weeks later out of nowhere another series of emails offering curated tours of the great candy stores of the world... and I wish I were making *all* of this up. Know how you'll know if you did a good job? I'll buy more gum and you'll see that in your daily drawer. Also, get off my lawn.
If we don't have a law (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Burner email addresses (Score:1)
Re: (Score:2)
This is why having one's own domain is nice. You can add email aliases to your heart's content, and even if they strip out the "+" part, it will do them no good.
Re:Burner email addresses (Score:4, Informative)
Or you can make up your own "address" with either @gop.com or @democrats.org and make it someone else's problem.
This is illegal under privacy/antispam laws in WA (Score:2)
The states antispam law makes this explicitly illegal.
Don't many vendors get that data anyway? (Score:2)
Last time I worked with electronic payments on non-retail systems (i.e. if you bought something from our website), I think they all provided you with some information about the customer's identity, and it always included an email address. I don't mean to imply it should be abused as a marketing contact, but I can see how some personalities might see it differently and get in trouble.
It's hard to believe Square is unique here, other than the fact that they sell the info to the vendor, rather than the vendor
California? (Score:2)
I wonder how this works with California law, which requires that merchants do not keep credit card info after purchases.
I realized years ago that giving Square my email address after a purchase might result in Square selling data about me, so I just decline the receipt.
Why give them your real email? (Score:2)
Re: (Score:2)
Because providing my email address to the vendor (and Square in the process) means that I can get their in-store rewards, no email no in-store rewards. In the case I'm thinking of, those rewards can be worth $50/year or more to me and I would still shop there anyway.
Re: (Score:2)
Because providing my email address to the vendor (and Square in the process) means that I can get their in-store rewards, no email no in-store rewards. In the case I'm thinking of, those rewards can be worth $50/year or more to me and I would still shop there anyway.
However, that does not require your real email. I use my burner email for that or the + modifier depending on the case.
Re: (Score:2)
I like the vendor and don't care if they have my real email. Completely not obvious that Block takes advantage there. I use burners or individual/specific email addresses for things but didn't in this case as I trust the vendor.
Re: (Score:2)
I like the vendor and don't care if they have my real email. Completely not obvious that Block takes advantage there. I use burners or individual/specific email addresses for things but didn't in this case as I trust the vendor.
I agree with you there. I use my real address, often with the + modifier, for vendors I trust. The + makes it easier to sort my mail to submailboxes; in the burner email it tells me who sold my address.
Wrong phrasing: Not "sells access to your inbox" (Score:1)
but instead "sells your email address".
Please try harder, slashdot editors.
PS: Have you missed me? I haven't commented for long!