Micropayments company Coil distributes new privacy policy with email that puts users' addresses in the ‘To:’ field

Hundreds of email addresses exposed, customers predictably less-than-thrilled


Micropayments company Coil has emailed users its new privacy policy but placed hundreds of their addresses in the “To:” field and therefore breached their privacy.

The mail had the Subject line “Updates to Coil’s Terms and Privacy Policy” and offered links to the document. The Register has read it and can report that while it reveals that Coil seeks permission to share users’ details with service providers, partners, and “related entities”. We cannot find a clause that resembles: “We reserve the right to expose your email address to countless other Coil users in the ‘To:’ field of an email.”

The tweets below are typical reactions to the situation.

At the time of writing the mails appear not to have spawned a Reply-All storm. The Coil user who tipped us off to the situation told us he was “tempted to start one” and reported “everyone's been well behaved. They sent it from a no-reply email address anyway :)”.

Coil has become aware of the incident and sent an apology email with a subject line "Please forgive us".

Founder and CEO Stefan Thomas offered the following sentiments:

Earlier this evening we sent you an email updating you on changes to our Terms & Privacy Policy. Unfortunately, due to a human error related to how we interface with our mailing list provider, a number of users' email addresses were populated alongside yours.

This mistake is especially painful as we take privacy extremely seriously -- it is the cornerstone of our values. We’re deeply sorry and hope you can forgive us for this mistake. We’re here to help you with any concerns or issues you may have as a result of this error.

The company has not addressed other questions we asked regarding how the incident occurred and its plans to prevent similar events in future.

Coil offers a service that charges users $5 a month, then shares that sum with publishers and content creators. The company offers the latter a chance to monetise their work without having to operate a subscription service. Users get the chance to send some cash to sites they appreciate. ®


Biting the hand that feeds IT © 1998–2020