When COVID-19 forced Compass Coffee to close down its Washington, D.C.–area shops, the roastery’s owners turned to email to stay in touch with customers. They knew just the tool: The company was already all in on Square. Compass co-founder Michael Haft had even taken a glass-blowing class from Jim McKelvey, who co-founded the service.
“It’s always just been a great point-of-sale system — very intuitive for our baristas, very easy for customers,” Haft said. To his delight, Haft discovered that Square also gave Compass the potential to reach out to both a small number of its most loyal customers as well as many, many would-be local coffee sippers. Now, he pays $200 per month for access to a list of at least 15,000 email addresses of his more casual customers in Square’s directory, he said, which is “absolutely” a huge multiple of the ones Compass collected itself.
I was speaking with Haft because I’ve been receiving Compass marketing messages at my work email address — as I have been from fruit stands, an artisanal butcher, and a cheesemonger, plus a Korean bowl spot I run to for dinner too often and the boutique where I bought a set of cloth napkins the color of autumn leaves last year. It’s a record of my bougiest shopping habits, and as marketing goes, most of the messages are more appealing than what I get from major mainstream retailers that don’t use Square.
Here’s the thing though: I can’t remember ever having checked out at any of these merchants using my work email address, much less using it to sign up for marketing. A search of my account didn’t turn up any records. Annoyed with the most insistent emailers, I reached out to the sellers who reached out to me — except, as a reporter rather than as a customer — to figure out what was going on.
I wanted to know how all these merchants had gotten my professional contact info. What I discovered was both unsurprising in today’s world of relentless online marketing and aggressive consumer data sharing, and also a bit disquieting. It also had less to do with these small shops than I might have expected: Square’s parent company, Block, was selling access to customers’ inboxes, even if all we do is elect to receive a receipt from a single transaction (more on that below).
Privacy experts said selling marketing information in this way clearly falls short of best privacy practices. And while it doesn’t appear to violate data protection laws, the practice is walking a fine line.
“They’re trying to solve for a lot of different nuances whilst trying to serve their objective and their merchant objective, which is keeping as many people opted in as possible,” said Sucharita Kodali, a vice president and retail analyst at Forrester.
Experts also told Protocol the situation seems to highlight how Block, as well as other payment processors and fintech platforms, operate in a bit of a privacy gray zone. Sometimes that gray zone leaves no one in charge of consumers’ data rights, and sometimes it means the companies, deep within their terms of service, have legal loopholes that give them room to use our information in ways we might not expect.
‘Surprising is never good’
My work inbox’s collision with Square-powered marketing seemingly began in June, when I had a receipt for a small processing fee related to obtaining a press pass sent to it. I paid with a personal card, and that transaction added my work address to my existing Square profile, which was in turn already linked with that card. That was all it took. Even though I’ve never used that particular card at most of the businesses now emailing me, and I don’t get any other receipts sent to my work email, the address was circulated to marketing lists far and wide.
Once it became part of my profile, the email address was sucked into the machine inside Square that sells email marketing services to smaller businesses, like Haft’s, that want to keep in touch with their customers. As Haft discovered, Square provides those merchants the ability to manage their campaigns. It also takes its vast store of contact information — which a close reading of its terms of service reveals it collects from consumers who want a receipt sent to them — and gives smaller businesses access to those email and text inboxes. That includes the ability to reach out to customers whose details the sellers never collected themselves. All Square needs is for the targeted customer to have made a purchase at some point from the merchant that wants to send that ad.
Hence the state of my inbox.
That advertising network is indeed huge. Square’s ubiquitous card scanners and checkout consoles are first among equals in the fintech revolution that made it so most small businesses could easily afford to take credit card payments. Block disclosed in securities filings that it handled more than 3 billion card payments in 2021 and kept 261 million consumer profiles — a major increase from more than 2 billion payments and 210 million profiles in 2020. It serves everyone from parents running a local bake sale for the PTA to regional chains like Compass.
A spokesperson for Square said in a statement that the company “helps sellers connect with their buyers and offer an easier, faster checkout experience by saving buyer contact information, so buyers don’t need to re-type their email address every time they wish to receive receipts,” adding that it “reminds consumers of these options in every receipt.” In other words, Square says its system is really all just about customer convenience — making sure you get payment receipts with minimal friction.
For a while, I ignored being a small part of that marketing edifice. Being alive in 2022 requires a certain tolerance for getting hit with ads, even from businesses you may not have given your information to in the first place. I spent some time quietly annoyed with the more persistent local shops. Friends and Protocol colleagues reported facing similar problems with Square, though, so — remembering that consumers are generally supposed to have the ability to delete our data under Europe’s GDPR, California privacy law, and other state approaches — I decided to purge my work address from my profile and, if I could, opt out of the marketing.
It wasn’t easy. As a tech policy reporter, I’m probably more used to chasing down and exercising my privacy options than most users, but Block had hidden the options behind multiple verification prompts and nested them within seemingly unrelated menus like a credit card preferences screen.
The emails Square generates are “one of my biggest pet peeves,” Megan Gray, a Washington, D.C.-based privacy lawyer who formerly worked at DuckDuckGo and the Federal Trade Commission, said of Square’s privacy practices.
For instance, when I signed in (as prompted) with my phone, I had to enter a code that was texted to me, navigate to a menu on credit cards — not the menu about emails — then confirm the information on my card, and then “unlink” the address from my account.
Eventually, I also discovered I could go to the login page and, instead of using my phone, click the link at the bottom that reads, “Sign in with email.” Following that process and then going to the “notifications” section allows you to opt out of receiving automatic receipts, messages from individual businesses, or marketing as a whole (in my case, from more than 100 businesses).
Most consumers have too much “shit to do” to take advantage of such a convoluted system for opting out, Gray said.
“We have to go grocery shopping. We need to pick up the kids,” she said. “The dog vomited on the carpet. We do not have time or bandwidth to figure all of this out because it is not intuitive.”
Even after I figured out how to opt out of the emails en masse, I encountered challenges. At one point, I went back through the cell phone login to make sure I hadn’t missed anything. I saw that Square claimed, in the section that was devoted specifically to contact info, not to even know an email address for me, even though it was sending me ads there. I thought I might be able to exercise some control if I added my address there specifically. When I again followed the verification prompts, however, the system told me that the address already existed on another profile. I apparently had two separate profiles: one tied to my cell phone and one tied to my work email address. There might even be a third tied to my personal email address. All of these profiles had all my info somewhere in them. It’s just that Square objected when I tried to confirm those details across profiles. If this seems head-spinning, that’s how it all felt.
[Screenshot: two separate profiles, one tied to my cell phone and one tied to my work email address. Credit: Ben Brody/Protocol]
“It’s so odd that I can’t imagine why they might make it work this way,” said Harry Brignull, an expert in digital design techniques that nudge consumers toward particular actions, often known as dark patterns. Brignull said he couldn’t rule out sloppy programming, but noted that the checkout features in-store tend to be “pretty slick.”
“I’d be willing to bet that they already know how to design things very, very well in order to make money,” he added.
Square said that, unless buyers link up their profiles, the company keeps them separate “to protect user information.”
Privacy experts largely said Block probably isn’t violating the law — specifically, California’s privacy rules, which act as a de facto national standard. After all, I did eventually find a way to access my info, correct it, and delete it. I also found I could opt out of the marketing emails after a lot of digging. Square anonymizes email addresses when allowing a business to target consumers whose information the merchants didn’t collect. That could just be a way for Square to keep a tight grip on valuable information about its merchants’ consumers, much as Facebook and Google do when selling insights based on data they keep in-house. It also means Square is staying on the right side of existing California law that regulates sharing of consumer data.
Still, the experts said the high-friction, unintuitive process was nothing the company should be proud of. Some of them also noted that the way Square takes in customer data on behalf of small merchants and then quietly uses that same data to power a marketing platform seems to at least violate consumers’ expectations.
“It is often surprising to people — and surprising is never good when it comes to privacy,” said Hayley Tsukayama, senior legislative activist at the Electronic Frontier Foundation.
In an FAQ about its standing under California law, Square says it “acts primarily as a service provider” when it comes to everyday buyers. That means it has fewer privacy obligations because, as it facilitates payments, it’s just carrying out whatever directives the actual customer-facing merchant asked for. In most cases, however, those small, local retailers are themselves exempt from California law, meaning that Square gets to collect information on hundreds of millions of transactions while consumers get very few rights from any of the firms they deal with.
In addition, the main limitation placed on service providers in California is they’re not supposed to reuse the data for their own operations — which is exactly what Square appears to be doing. That seems to be why, in a separate privacy statement aimed only at merchants who use Square, the company says that, when it’s selling marketing services, the company actually stops being a service provider. Square said it also stops being a service provider much earlier, when it is merely sending customers receipts that they’ve asked for. That seems to be how the company justifies reusing that data: Although consumers might opt in to get a tallied list of charges from the businesses they’re actually buying something from, Square actually offered to send those receipts under its own initiative, donning a legal label that then allowed it to reuse the data for any purpose, including marketing.
Square, in its statement, said it complies with all requirements stipulated under California’s privacy law and “continually evaluates ways to make our tools easier to use for both sellers and buyers.”
At one point, though, the company did seem aware it was playing in a new area, full of questions.
“We often bring things into the world that are novel, and how regulatory frameworks or legal principles will apply to them is not always clear,” Dana Wagner, then general counsel at Square, said to Bloomberg Law back in 2016. “And sometimes institutions or regulators or other members of the industry find that a little terrifying.”
“There are certainly companies that do play in the gray area to their advantage,” Tsukayama said. “It is just a model that was not contemplated” when regulation was crafted. She described Square’s position as being in “a weird, in-between-y area.”
But the company’s model — both providing infrastructure for small businesses and also selling marketing back to those businesses — is increasingly common, especially after COVID-19. Toast, which powers a lot of restaurant ordering, similarly sells marketing.
Ultimately, Haft of Compass Coffee said when his business started to send more marketing through Square during the pandemic, it helped keep in touch but initially put off some customers. He eventually scaled back, focusing more on birthday promotions, which offer free drinks and tend to get opened by the majority of those who receive them. Open rates have since shot up, and even though individual retailers’ messages do include unsubscribe buttons, opt-out rates have decreased to a quarter of what they were when he started.
Haft said he’d found that his original marketing approach was certainly helpful, but came with downsides, including the fact that Square controls much of the stores’ relationship with their customers even though Compass had to deal with whatever reaction customers had to the messages.
“When you send an email that doesn’t land, you get a huge unsubscribe rate,” Haft said. “If you send out garbage, people, they hate you.”