A new report from the Wall Street Journal has revealed that third-party app developers have access to the emails of millions of Gmail account holders. Two companies have reportedly even allowed employees to read said emails. While Google claims that these developers have been thoroughly vetted, there are still fears that this could end up as a data breach similar to the Cambridge Analytica fiasco.

According to the Wall Street Journal, Gmail users that have signed up for some services, specifically travel and shopping price comparison tools, have agreed to terms and conditions that enabled the developers of this software and services to read their emails.

Third-party app developers could be reading your Gmail https://t.co/AEp04dLdmm

— Engadget (@engadget) July 3, 2018

Gmail’s access settings do allow app developers and data companies to see the user’s emails and the private details that go with it, like the recipient’s address and time stamps. They can actually even view the whole message. And while application does require user consent, the permission form is admittedly vague on letting humans read emails instead of just machines.

These third-party developers claim to only use the information gathered from Gmail account holders for advertising purposes and targeted shopping suggestions. Google asserted that it has extensively vetted these developers, a process that entails checking that the company’s identity is represented by the app, that the data requested is in line with the service it offers, and that its privacy policy clearly states that it will monitor emails.

The Wall Street Journal report mentioned two specific apps that had access to said emails – Edison Software and Return Path. The former reportedly had employees read thousands of emails to assist in the training of its “Smart Reply” feature while the latter also allowed staff to read private messages to help in the development of the company’s software. Both companies said they have permission from users and that their actions were covered in their terms and conditions.

In a blog post, Return Path gave assurances that they “take great care to limit who has access to the data, supervise all access to the data.”

Meanwhile, Edison Software CEO Mikael Berner clarified the context in which their engineers read “a small random sample of de-identified messages” by saying it was for R&D purposes. He also revealed that the company stopped the practice some time ago and that all the data has been expunged “in order to stay consistent with our company’s commitment to achieving the highest standards possible for ensuring privacy.”

It’s not certain yet what kind of blowback the news that Google has allowed third-party developers access to user emails might have on the company. In all likelihood, it will be scrutinized the same way Facebook was after the Cambridge Analytica issue.