On May 30, 2025, the data broker Meltwater began sending unsolicited emails to a very small portion of Optery customers with the subject line “Your data subject request”, in reference to our opt out requests to Meltwater on their behalf. We understand how alarming it can be to receive a message like this from a company you didn’t contact directly, especially one that references a subject matter you had appointed Optery to handle.
If you did not receive this email from Meltwater, we have no reason to believe you were affected.
If you did receive this email, we share your concerns and frustration and want to provide an explanation.
TLDR
- In August 2024, Optery briefly attempted to submit opt out requests to Meltwater, but they refused to comply unless we provided a customer email address in our opt out requests. They made no other objections to the content or format of our opt out requests.
- Optery evaluated Meltwater’s Trust Center (https://trust.meltwater.com/) and their significant security and privacy credentials (e.g. ISO 27001:2022, ISO 27701, ISO/IEC 42001:2023, GDPR, CCPA, UK Cyber Essentials, ISO 42001), and on April 15, 2025, deemed them safe, and began including customer email address in its opt out requests to Meltwater, as requested. However, only for customers that had opted-in both to Optery’s Expanded Reach feature and the Use For Removals feature that permits Optery to include customer email address when a data broker requires it.
- For those customers Meltwater was able to locate in its records, Meltwater confirmed successful completion of the opt out request.
- However, for those customers Meltwater was not able to locate in its database, on May 30, 2025, Meltwater began sending unsolicited emails informing customers their records were not found and that Optery included additional personal information beyond what was required to complete the opt out.
- Optery views this as a “bait and switch” – with Meltwater first refusing to comply with our opt out requests without an email address, not flagging that there was anything else problematic with the format of our requests, and then utilizing the emails supplied for alternative purposes without permission. Each data subject request from Optery clearly stated the following directive: “The Data Subject’s personal information listed below may only be used to process this opt-out request.”
- On May 30, 2025, Optery was informed of the unsolicited emails from Meltwater to the small portion of customers, and we immediately disabled all opt out requests to Meltwater until the situation is resolved.
- Optery is reviewing the personal information included in our opt out requests to all data brokers to ensure unnecessary personal information is not included.
- If you do not want your email included in your opt out requests, you should not opt in to the Use For Removals feature. This will, however, reduce the number of data brokers we can successfully remove you from. Note that even if you have opted into the Use For Removals feature, your email is not included in opt outs unless it’s explicitly required by the data broker.
- We are investigating what options we may have in light of what we believe is the unauthorized use of email addresses that were used for purposes other than executing data subject requests.
Background
Each data broker has slightly different requirements for processing opt outs. For example, some data brokers only want Linkedin URL because their entire database is keyed off of scraping Linkedin. Other data brokers require the name of the company you work for for disambiguation. Many require first name, last name, home address and age. Others, like Meltwater, require an email address, or otherwise will refuse to process the opt out request.
For data brokers like Meltwater that require an email address, we have an opt-in feature called Use For Removals which permits inclusion of a verified email address when required by a data broker to complete an opt-out. These emails are only used for data brokers that specifically require them. They are included in a small minority of cases, when no other option exists, as was the case with Meltwater.
The other thing to keep in mind is that when submitting opt out requests, there’s an inherent catch-22 where in order to opt out of data broker sites, you must first provide enough identifying information for them to locate you in their records, otherwise, how else would they know who to opt out.
Optery classifies data broker coverage into three general categories:
- Data brokers covered by the Core, Extended, and Ultimate plan. Generally speaking, Optery submits requests to these data brokers if we’re reasonably sure they have you in their records, or if they’ve proved themselves over time to honor opt out requests reliably. You can think of these data brokers as the core of Optery’s coverage.
- Data brokers covered by the Expanded Reach feature. Expanded Reach provides coverage for data brokers who do not yet meet Optery’s rigorous removal verification standards, but that still provide a viable opt out mechanism. These data brokers typically do not post and sell information publicly, but instead do so in the shadows out of the sight of everyday consumers, so it can be more difficult to provide verifiable opt out statuses. Many of our competitors’ data-broker coverages are essentially equivalent to Optery’s Expanded Reach feature, lacking the automated screenshots and verifications available in Optery’s Core, Extended, and Ultimate plans.
- Custom Removals. In addition to the 640+ data brokers covered by Ultimate + Expanded Reach, Optery covers an additional ~600 data brokers via Custom Removals, bringing the total data brokers covered by Optery to over 1,200+ data brokers – the broadest data broker coverage in the industry by far. We do not currently post our list of data brokers approved for Custom Removals publicly, but we plan to soon.
What Happened?
August 2024: We briefly began submitting opt-out requests to Meltwater. Meltwater responded right away, declining to process any requests unless they included the customer’s email address – and made no other objections to the format or data we supplied. In response, we immediately suspended all opt-out submissions to Meltwater.
April 15, 2025: After evaluating Meltwater’s Trust Center (https://trust.meltwater.com/) and their robust security and privacy credentials (including ISO 27001:2022, ISO 27701, ISO/IEC 42001:2023, ISO 42001, GDPR, CCPA, UK Cyber Essentials), we deemed them safe, and resumed opt-out submissions – this time including the customer email addresses as requested by Meltwater. But only for customers that had opted-in both to Optery’s Expanded Reach feature and the Use For Removals feature that permits Optery to include customer email address when the data broker requires it.
May 30 and June 2025: For customers whose email addresses Meltwater was able to locate, Meltwater confirmed successful completion of the opt out request.
For customers Meltwater could not find in its system, Meltwater used those very email addresses – provided for the narrow purpose of opting-out – to send unsolicited emails informing recipients that no records existed for them and to criticize Optery for sharing additional personal information beyond what was required. Even though each data subject request carried the clear directive:
“The Data Subject’s personal information listed below may only be used to process this opt-out request.”
May 30, 2025: Upon learning of Meltwater’s outreach on May 30, 2025, we immediately suspended all opt-out submissions to Meltwater until this matter is resolved.
Why We Believe Meltwater’s Actions Were Wrong
- Bait and Switch. Meltwater first refused to comply with our opt-out requests without customer email address, and flagged no other issues, then repurposed the emails requested, for the unrelated matter of sending alarming messages to Optery customers. Given the enormous volume of opt out requests we process, it’s very common for data brokers to request different data types or formats, as occurred when Meltwater originally communicated the necessity of including customer email address in each data subject request. While many data brokers engage in shenanigans, our interactions with them are largely collegial and professional, but we felt this was quite the “bait and switch”. If there was a problem with the format of our requests, it should have been flagged to us for immediately rectification, and not to our customers via unsolicited emails.
- Breach of Limited-Use Instruction and Privacy-law Frameworks. Our data subject requests expressly instructed Meltwater that our customers’ data “may only be used to process this opt-out request.” We believe Meltwater’s repurposing of the email addresses included in those data subject requests to send alarming messages to our customers was a breach of that instruction and of privacy-law frameworks (e.g., CCPA) that restrict the information contained in data subject requests from being used for un-related purposes.
How We Resolve to Do Better
We resolve to conduct a thorough review of the information sent in our opt out requests to all data brokers we cover to minimize the possibility of unnecessary personal information being included in our data subject requests.
In Closing
We encourage all Optery customers to revisit the Help Desk articles on how the Expanded Reach and Use For Removals features work, and to update your settings as necessary in accordance with your preferences. Also keeping in mind the inherent catch-22 for submitting opt out requests.
We are investigating what options we may have in light of what we believe is the unauthorized use of email addresses for purposes other than executing data subject requests.
Our team works tirelessly for our customers, always striving to earn the trust you’ve placed in us. We regret any distress this incident may have caused, and we remain committed to continuous improvement in data-removal effectiveness and security.