Here's How Creepy Marketers Capture Your Email Address

Are You Getting Creepy, Unsolicited Emails?

The Brody family had a new baby, and were shopping online for some baby-related items. They filled out a form on one website, but stopped short of making a purchase. About 10 minutes later, the Mr. Brody got an email from the company, reminding him that he hadn’t yet completed his transaction. His first thought was “This is not ok.” He never pressed the Submit button to send his personal info to the website, but somehow they had his name and email address.

As I was reading this story, it reminded me that sometimes I also get emails from websites that I’ve visited, without ever making a purchase. Maybe you’ve seen them... emails that say “You left items in your shopping cart, click here to complete your purchase.” In some cases, I might have ordered from them previously, so it’s understandable that they would have my email address. Still annoying, because I didn’t “forget” to complete my purchase. I just decided not to buy, or bought it elsewhere.

In other cases, it was unclear to me how they got my email address, without me ever clicking the Submit button on an order form. That is, until I read about Mr. Brody’s experience. It turns out that the website he was on uses a technology called "AddShoppers Email Retargeting® Co-op + SafeOpt® Consumer Rights Management Integrated Platform".

AddShoppers claims to have a network of over 175 million shoppers, and by capturing the activity and information that shoppers enter on over 5000 websites, they can “resolve customer identities and deliver email regardless of customer email acquisition.” In plainer language, Addshoppers combines bits and pieces of customer data from a large network of ecommerce websites. And if you’ve made a purchase on any of them, that information will be shared with the rest of the network.

Here’s how they define "The Problem". Marketers can’t send emails to customers that have not provided their email address. Their solution is to enable marketers to “reach engaged unauthenticated site visitors with triggered emails... through privacy-first brand collaboration... for a relevant, 1:1 marketing experience.”

That’s a fancy way of saying “we’ll help you send unsolicited emails, to unsuspecting people, who already decided not to buy from you.”

Here’s an example of how that might work. Let’s say Isabelle buys a pair of shoes on Website A, which logs her personally identifying information with the AddShopper network. Days, weeks, or months later, she visits Website B, starts to browse around for a new dress, but after entering just her name on the order form, she gets a phone call from a friend. Ten minutes pass while they chat. Behind the scenes, Website B was silently monitoring where Isabelle had clicked and what she typed.

Based on her name, and perhaps other information they can glean such as her device type, operating system, and IP address, they query the AddShopper database. In plain English, that query would look like this: “Hey AddShopper, do you have anyone named Isabelle Ringing that owns a Pixel 9 smartphone running Android Version 15? Based on her IP address, we think she’s in the Chicago area.” If there’s a match, AddShopper will provide Isabelle’s email address, and before she finishes her phone call, she gets an email from Website B that says “Hey there, Isabelle... do you still want that dress?”

Disturbing Questions and Another Example

At this point, Isabelle may be asking a few questions. “How in the world did Website B get my email address? Who gave it to them? What else does this creepy website know about me, and who will they share it with?” The fact that these online stores have a privacy policy that spells out how your privacy will be violated provides no comfort at all.

You should also know that your personally identifying information can be captured without a high tech Email Retargeting Consumer Rights Management Integrated Platform thingamajig. Some websites are able to use technology built into your web browser called AJAX (Asynchronous JavaScript and XML) that can exchange data with a web server without the need to press the "Submit" or "Order Now" button on an order form. So if you enter your name, email address and phone number on a store's order form, then change your mind and back out without completing the sale, it's entirely possible that your details could have been captured, stored and shared without your knowledge.

If You Think That's Bad...

I have an even more disturbing example that deals with smartphone technology. A few months ago I walked into a CVS drugstore, poked around a bit, and left without buying anything. The next day, I got an email from CVS that said something along the lines of “Thanks for visiting your local CVS store at [address], here’s a coupon for your next visit.”

Talk about creepy. I don’t have a CVS app on my phone, and as far as I know, I had never provided my email address to them. This type of privacy intrusion must rely on GPS tracking, a technology like AddShopper that builds consumer dossiers as folks roam about online and offline, and some other secret sauce that I can’t figure out.

I looked at the CVS privacy policy, and found this: “We and our service providers may collect the physical location of your device by, for example, using satellite, cell phone tower, WiFi signals, beacons, Bluetooth, and near field communication protocols, when you are in or near a CVS store. We may use your device's physical location to provide you with personalized location-based services and content, including for marketing purposes.” I’m not picking specfically on CVS – I’m sure this happens all over the place. But it does give me an icky feeling when it happens.

Other Ways Your Email Address Can Be Exposed

Here are some other ways your email address can be captured by online marketers. Some of them rely on trickery, and in other cases, it's you handing over the keys to the kingdom.

Data Breaches are another source of unsolicited emails. Millions of consumers have had their records exposed by hackers exploiting weaknesses in online databases. I've warned about the Video Blackmail scam, which uses stolen email addresses for sale on the dark web.

Phishing Emails – Fake but convincing emails pretending to be from reputable companies, may trick you into entering your email on a web form.

Giveaways & Contests – Online sweepstakes or freebie promotions that require you to enter your email will reward you with an avalance of spam.

Squeeze Pages – Some sites require an email to access content (like an ebook, PDF or video) without making it clear that you'll be subscribed to marketing lists.

Discounts & Coupons – Similar to the above, many online stores offer a discount or special offer in exchange for your email address.

Online Quizzes – So you took a "fun personality quiz" and now they want your email address to see your personalized results? Pass.

You can use a disposable email address (see Defend Your Inbox With a Disposable Email Address) when shopping, or turn off the Location Services on your smartphone to foil some of these tactics. But the bottom line is that privacy, in terms of where you go and what you buy (both online and offline) is fast eroding.

Has anything like this happened to you? What steps did you take to boost your online privacy? Please post your comments or questions below.