Email Consent Breakdown: Proton and GitHub Face Scrutiny Over AI Marketing Practices

Startups Reporter

Proton and GitHub users report receiving unsolicited AI marketing emails despite explicit opt-outs, highlighting systemic consent issues in tech's AI rollout.

Recent incidents involving Proton and GitHub have exposed troubling patterns in how technology companies handle user consent for AI-related marketing. Both companies sent promotional emails about their artificial intelligence products to users who had explicitly opted out of such communications, raising questions about compliance with data protection regulations and ethical marketing practices.

Proton's Lumo Email Controversy

On January 14, 2026, Proton sent an email titled "Introducing Projects - Try Lumo's powerful new feature now" to business customers. The problem? Recipients like web developer David Bushell had specifically disabled "Lumo product updates" in their communication preferences. A screenshot shows the unchecked toggle confirming this opt-out status.

When questioned, Proton Support initially suggested the user modify existing opt-out settings, then claimed the email constituted a "Proton for Business newsletter" rather than a Lumo update. This justification appeared contradictory since the message originated from @lumo.proton.me and exclusively promoted Lumo features. A screenshot of the official email from @lumo.proton.me displays the email's explicit Lumo branding and subject line.

GitHub's Copilot SDK Push

Microsoft-owned GitHub exhibited similar behavior days later. Users received "Build AI agents with the new GitHub Copilot SDK" emails despite having all newsletter subscriptions disabled. The platform provides no visible setting to block Copilot promotions, burying notification controls in a hard-to-find "Opt-Out Preferences" page. A screenshot of GitHub's "Opt-Out Preferences" page, with 3 newsletters unchecked but GitHub Copilot emails checked, reveals how Copilot communications remain enabled even when other newsletters are disabled.

These incidents reflect a broader industry pattern where:

  1. Companies create ambiguous subscription categories that bypass explicit opt-outs
  2. Marketing teams operate independently of privacy controls
  3. AI products receive special exemption from standard consent protocols

The approach conflicts with GDPR Article 7 requirements for unambiguous consent and contradicts principles of privacy-focused companies like Proton. It also parallels concerning AI industry practices like unauthorized content scraping and ignoring copyright restrictions.

Technical and Ethical Implications

The consent bypass mechanisms raise technical questions:

  • Are marketing systems improperly segmented from preference databases?
  • Do new product launches trigger temporary opt-out overrides?
  • Why can't users completely disable promotional categories?

Ethically, these practices damage trust in companies positioning themselves as privacy advocates. As businesses increasingly bundle AI features into core products, transparent consent mechanisms become critical for maintaining user agency.

Path Forward

Both Proton and GitHub face reputational challenges from these incidents. Clear solutions include:

  • Unified preference centers without categorical loopholes
  • Technical audits of email targeting systems
  • Explicit consent requirements for new product categories
  • Granular opt-outs specific to AI features

Until companies implement such measures, users remain vulnerable to consent violations masked as product updates. The pattern suggests AI integration is being prioritized over fundamental user rights - a concerning trend for privacy-conscious technology consumers.
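One way to run the "technical audit of email targeting systems" listed above, as an added example that is not code from Proton, GitHub or this article: it checks each send against every category it falls under (the campaign label and the product implied by the sending domain) and treats a category the user was never asked about as no consent. All names, domains, categories and log entries are constructed.

```python
"""Added example: audit a send log against stored preferences (all data constructed)."""
from dataclasses import dataclass

# Hypothetical mapping from sending domain to the product category it promotes.
SENDER_CATEGORY = {
    "lumo.example.com": "lumo_updates",
    "news.example.com": "business_newsletter",
}

# Constructed preference store: user -> {category: opted_in}. A missing category
# means the user was never asked, which the audit treats as "no consent".
PREFS = {
    "alice": {"business_newsletter": True, "lumo_updates": False},
    "bob": {"business_newsletter": True, "lumo_updates": True},
    "carol": {"business_newsletter": False},
}

@dataclass(frozen=True)
class Send:
    user: str
    campaign_label: str  # category the marketing tool claimed for the campaign
    sender: str          # From: address actually used

def categories_for(send):
    """Every category a send falls under: the claimed label plus the sender's product."""
    domain = send.sender.rsplit("@", 1)[-1].lower()
    # An unmapped sending domain is itself a finding, so it gets its own category.
    return {send.campaign_label, SENDER_CATEGORY.get(domain, f"unmapped:{domain}")}

def audit(sends, prefs):
    """Return (send, denied_categories) for each send lacking opt-in for any category."""
    findings = []
    for s in sends:
        user_prefs = prefs.get(s.user, {})
        denied = sorted(c for c in categories_for(s) if user_prefs.get(c) is not True)
        if denied:
            findings.append((s, denied))
    return findings

# Constructed send log.
SEND_LOG = [
    Send("alice", "business_newsletter", "updates@lumo.example.com"),  # relabelled product mail
    Send("bob", "business_newsletter", "updates@lumo.example.com"),    # opted in to both
    Send("carol", "new_ai_product", "promo@news.example.com"),         # category never offered
]

if __name__ == "__main__":
    for send, denied in audit(SEND_LOG, PREFS):
        print(f"{send.user}: {send.sender} [{send.campaign_label}] lacks opt-in for {denied}")
```

The same `categories_for` check can sit in front of the mail queue as a pre-send gate, so a campaign label alone never decides whether a message goes out.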

GitHub email subject line: 'Build AI agents with the new GitHub Copilot SDK'
