Square sells access to your inbox. No one seems to know if the law cares.

When my work inbox got flooded with reminders of my most twee shopping habits, I found out the Block-owned service throws up obstacles to getting out of its marketing business.


Square is walking a fine line with its privacy practices.

Illustration: Christopher T. Fong/Protocol

When COVID-19 forced Compass Coffee to close down its Washington, D.C.–area shops, the roastery’s owners turned to email to stay in touch with customers. They knew just the tool: The company was already all in on Square. Compass co-founder Michael Haft had even taken a glass-blowing class from Jim McKelvey, who co-founded the service.

“It’s always just been a great point-of-sale system — very intuitive for our baristas, very easy for customers,” Haft said. To his delight, Haft discovered that Square also gave Compass the potential to reach out to both a small number of its most loyal customers as well as many, many would-be local coffee sippers. Now, he pays $200 per month for access to a list of at least 15,000 email addresses of his more casual customers in Square’s directory, he said, which is “absolutely” a huge multiple of the ones Compass collected itself.

I was speaking with Haft because I’ve been receiving Compass marketing messages at my work email address — as I have been from fruit stands, an artisanal butcher, and a cheesemonger, plus a Korean bowl spot I run to for dinner too often and the boutique where I bought a set of cloth napkins the color of autumn leaves last year. It’s a record of my bougiest shopping habits, and as marketing goes, most of the messages are more appealing than what I get from major mainstream retailers that don’t use Square.

Here’s the thing though: I can’t remember ever having checked out at any of these merchants using my work email address, much less using it to sign up for marketing. A search of my account didn’t turn up any records. Annoyed with the most insistent emailers, I reached out to the sellers who reached out to me — except, as a reporter rather than as a customer — to figure out what was going on.

I wanted to know how all these merchants had gotten my professional contact info. What I discovered was both unsurprising in today’s world of relentless online marketing and aggressive consumer data sharing, and also a bit disquieting. It also had less to do with these small shops than I might have expected: Square’s parent company, Block, was selling access to customers’ inboxes, even if all we do is elect to receive a receipt from a single transaction (more on that below).

Privacy experts said selling marketing information in this way clearly falls short of best privacy practices. And while it doesn’t appear to violate data protection laws, the practice is walking a fine line.

“They’re trying to solve for a lot of different nuances whilst trying to serve their objective and their merchant objective, which is keeping as many people opted in as possible,” said Sucharita Kodali, a vice president and retail analyst at Forrester.

Experts also told Protocol the situation seems to highlight how Block, as well as other payment processors and fintech platforms, operate in a bit of a privacy gray zone. Sometimes that gray zone leaves no one in charge of consumers’ data rights, and sometimes it means the companies, deep within their terms of service, have legal loopholes that give them room to use our information in ways we might not expect.

‘Surprising is never good’

My work inbox’s collision with Square-powered marketing seemingly began in June, when I had a receipt for a small processing fee related to obtaining a press pass sent to it. I paid with a personal card, and that transaction added my work address to my existing Square profile, which was in turn already linked with that card. That was all it took. Even though I’ve never used that particular card at most of the businesses now emailing me, and I don’t get any other receipts sent to my work email, the address was circulated to marketing lists far and wide.

Once it became part of my profile, the email address was sucked into the machine inside Square that sells email marketing services to smaller businesses, like Haft’s, that want to keep in touch with their customers. As Haft discovered, Square provides those merchants the ability to manage their campaigns. It also takes its vast store of contact information — which a close reading of its terms of service reveals it collects from consumers who want a receipt sent to them — and gives smaller businesses access to those email and text inboxes. That includes the ability to reach out to customers whose details the sellers never collected themselves. All Square needs is for the targeted customer to have made a purchase at some point from the merchant that wants to send that ad.

Hence the state of my inbox.

That advertising network is indeed huge. Square’s ubiquitous card scanners and checkout consoles are first among equals in the fintech revolution that made it so most small businesses could easily afford to take credit card payments. Block disclosed in securities filings that it handled more than 3 billion card payments in 2021 and kept 261 million consumer profiles — a major increase from more than 2 billion payments and 210 million profiles in 2020. It serves everyone from parents running a local bake sale for the PTA to regional chains like Compass.

A spokesperson for Square said in a statement that the company “helps sellers connect with their buyers and offer an easier, faster checkout experience by saving buyer contact information, so buyers don’t need to re-type their email address every time they wish to receive receipts,” adding that it “reminds consumers of these options in every receipt.” In other words, Square says its system is really all just about customer convenience — making sure you get payment receipts with minimal friction.

For a while, I ignored being a small part of that marketing edifice. Being alive in 2022 requires a certain tolerance for getting hit with ads, even from businesses you may not have given your information to in the first place. I spent some time quietly annoyed with the more persistent local shops. Friends and Protocol colleagues reported facing similar problems with Square, though, so — remembering that consumers are generally supposed to have the ability to delete our data under Europe’s GDPR, California privacy law, and other state approaches — I decided to purge my work address from my profile and, if I could, opt out of the marketing.

It wasn’t easy. As a tech policy reporter, I’m probably more used to chasing down and exercising my privacy options than most users, but Block had hidden the options behind multiple verification prompts and nested them within seemingly unrelated menus like a credit card preferences screen.

The emails Square generates are “one of my biggest pet peeves,” Megan Gray, a Washington, D.C.-based privacy lawyer who formerly worked at DuckDuckGo and the Federal Trade Commission, said of Square’s privacy practices.

For instance, when I signed in (as prompted) with my phone, I had to enter a code that was texted to me, navigate to a menu on credit cards — not the menu about emails — then confirm the information on my card, and then “unlink” the address from my account.

Eventually, I also discovered I could go to the login page and, instead of using my phone, click the link at the bottom that reads, “Sign in with email.” Following that process and then going to the “notifications” section allows you to opt out of receiving automatic receipts, messages from individual businesses, or marketing as a whole (in my case, from more than 100 businesses).

Most consumers have too much “shit to do” to take advantage of such a convoluted system for opting out, Gray said.

“We have to go grocery shopping. We need to pick up the kids,” she said. “The dog vomited on the carpet. We do not have time or bandwidth to figure all of this out because it is not intuitive.”

Even after I figured out how to opt out of the emails en masse, I encountered challenges. At one point, I went back through the cell phone login to make sure I hadn’t missed anything. I saw that Square claimed, in the section that was devoted specifically to contact info, not to even know an email address for me, even though it was sending me ads there. I thought I might be able to exercise some control if I added my address there specifically. When I again followed the verification prompts, however, the system told me that the address already existed on another profile. I apparently had two separate profiles: one tied to my cell phone and one tied to my work email address. There might even be a third tied to my personal email address. All of these profiles had all my info somewhere in them. It’s just that Square objected when I tried to confirm those details across profiles. If this seems head-spinning, that’s how it all felt.

I apparently had two separate profiles: one tied to my cell phone and one tied to my work email address. Screenshot: Ben Brody/Protocol

“It’s so odd that I can’t imagine why they might make it work this way,” said Harry Brignull, an expert in digital design techniques that nudge consumers toward particular actions, often known as dark patterns. Brignull said he couldn’t rule out sloppy programming, but noted that the checkout features in-store tend to be “pretty slick.”

“I’d be willing to bet that they already know how to design things very, very well in order to make money,” he added.

Square said that, unless buyers link up their profiles, the company keeps them separate “to protect user information.”

Good service?

Privacy experts largely said Block probably isn’t violating the law — specifically, California’s privacy rules, which act as a de facto national standard. After all, I did eventually find a way to access my info, correct it, and delete it. I also found I could opt out of the marketing emails after a lot of digging. Square anonymizes email addresses when allowing a business to target consumers whose information the merchants didn’t collect. That could just be a way for Square to keep a tight grip on valuable information about its merchants’ consumers, much as Facebook and Google do when selling insights based on data they keep in-house. It also means Square is staying on the right side of existing California law that regulates sharing of consumer data.

Still, the experts said the high-friction, unintuitive process was nothing the company should be proud of. Some of them also noted that the way Square takes in customer data on behalf of small merchants and then quietly uses that same data to power a marketing platform seems to at least violate consumers’ expectations.

“It is often surprising to people — and surprising is never good when it comes to privacy,” said Hayley Tsukayama, senior legislative activist at the Electronic Frontier Foundation.

In an FAQ about its standing under California law, Square says it “acts primarily as a service provider” when it comes to everyday buyers. That means it has fewer privacy obligations because, as it facilitates payments, it’s just carrying out whatever directives the actual customer-facing merchant asked for. In most cases, however, those small, local retailers are themselves exempt from California law, meaning that Square gets to collect information on hundreds of millions of transactions while consumers get very few rights from any of the firms they deal with.

In addition, the main limitation placed on service providers in California is they’re not supposed to reuse the data for their own operations — which is exactly what Square appears to be doing. That seems to be why, in a separate privacy statement aimed only at merchants who use Square, the company says that, when it’s selling marketing services, the company actually stops being a service provider. Square said it also stops being a service provider much earlier, when it is merely sending customers receipts that they’ve asked for. That seems to be how the company justifies reusing that data: Although consumers might opt in to get a tallied list of charges from the businesses they’re actually buying something from, Square actually offered to send those receipts under its own initiative, donning a legal label that then allowed it to reuse the data for any purpose, including marketing.

Square, in its statement, said it complies with all requirements stipulated under California’s privacy law and “continually evaluates ways to make our tools easier to use for both sellers and buyers.”

At one point, though, the company did seem aware it was playing in a new area, full of questions.

“We often bring things into the world that are novel, and how regulatory frameworks or legal principles will apply to them is not always clear,” Dana Wagner, then general counsel at Square, said to Bloomberg Law back in 2016. “And sometimes institutions or regulators or other members of the industry find that a little terrifying.”

“There are certainly companies that do play in the gray area to their advantage,” Tsukayama said. “It is just a model that was not contemplated” when regulation was crafted. She described Square’s position as being in “a weird, in-between-y area.”

But the company’s model — both providing infrastructure for small businesses and also selling marketing back to those businesses — is increasingly common, especially after COVID-19. Toast, which powers a lot of restaurant ordering, similarly sells marketing.

Hot water

Ultimately, Haft of Compass Coffee said when his business started to send more marketing through Square during the pandemic, it helped keep in touch but initially put off some customers. He eventually scaled back, focusing more on birthday promotions, which offer free drinks and tend to get opened by the majority of those who receive them. Open rates have since shot up, and even though individual retailers’ messages do include unsubscribe buttons, opt-out rates have decreased to a quarter of what they were when he started.

Haft said he’d found that his original marketing approach was certainly helpful, but came with downsides, including the fact that Square controls much of the stores’ relationship with their customers even though Compass had to deal with whatever reaction customers had to the messages.

“When you send an email that doesn’t land, you get a huge unsubscribe rate,” Haft said. “If you send out garbage, people, they hate you.”


Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep ReadingShow less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more.

Keep ReadingShow less
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep ReadingShow less
Donna Goodison

Donna Goodison (@dgoodison) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep ReadingShow less
Bennett Richardson

Bennett Richardson ( @bennettrich) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.


Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep ReadingShow less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories