REVEALED: How Creepy Marketers Get Your Email Address

Category: Email , Privacy

Have you ever visited an online store, and later got an email from that website, even though you never provided your email address? I find this disturbing, and you probably will too, when you learn how and why this is happening. Read on to learn the source of mystery marketing messages...

Are You Getting Creepy, Unsolicited Emails?

I recently read the story of the Brody family who had a new baby, and were shopping online for some baby-related items. They filled out a form on one website, but stopped short of making a purchase. About 10 minutes later, the Mr. Brody got an email from the company, reminding him that he hadn’t yet completed his transaction. His first thought was “This is not ok.” He never pressed the Submit button to send his personal info to the website, but somehow they had his name and email address.

As I was reading this story, it reminded me that sometimes I also get emails from websites that I’ve visited, without ever making a purchase. Maybe you’ve seen them... emails that say “You left items in your shopping cart, click here to complete your purchase.” In some cases, I might have ordered from them previously, so it’s understandable that they would have my email address. Still annoying, because I didn’t “forget” to complete my purchase. I just decided not to buy, or bought it elsewhere.

In other cases, it was unclear to me how they got my email address, without me ever clicking the Submit button on an order form. That is, until I read about Mr. Brody’s experience. It turns out that the website he was on uses a technology called "AddShoppers Email Retargeting® Co-op + SafeOpt® Consumer Rights Management Integrated Platform".

Mystery Messages in your email

AddShoppers claims to have a network of over 150 million shoppers, and by capturing the activity and information that shoppers enter on over 5000 websites, they can “resolve customer identities and deliver email regardless of customer email acquisition.” In plainer language, Addshoppers combines bits and pieces of customer data from a large network of ecommerce websites. And if you’ve made a purchase on any of them, that information will be shared with the rest of the network.

Here’s how they define "The Problem". Marketers can’t send emails to customers that have not provided their email address. Their solution is to enable marketers to “reach engaged unauthenticated site visitors with triggered emails... through privacy-first brand collaboration... for a relevant, 1:1 marketing experience.” That’s a fancy way of saying “we’ll help you send unsolicited emails, to unsuspecting people, who already decided not to buy from you.”

Here’s an example of how that might work. Let’s say Isabelle buys a pair of shoes on Website A, which logs her personally identifying information with the AddShopper network. Days, weeks, or months later, she visits Website B, starts the browses around for a new dress, but after entering just her name on the order form, she gets a phone call from a friend. Ten minutes pass while they chat. Behind the scenes, Website B was silently monitoring where Isabelle had clicked and what she typed.

Data breaches are another source of unsolicited emails. Millions of consumers have had their records exposed by hackers exploiting weaknesses in online databases. I warned about the Video Blackmail scam, which uses stolen email addresses for sale on the dark web.

Based on her name, and perhaps other information they can glean such as her device type, operating system, and IP address, they query the AddShopper database. In plain English, that query would look like this: “Hey AddShopper, do you have anyone named Isabelle Ringing that owns a Pixel 6a smartphone running Android Version 12? Based on her IP address, we think she’s in the Chicago area.” If there’s a match, AddShopper will provide Isabelle’s email address, and before she finishes her phone call, she gets an email from Website B that says “Hey there, Isabelle... do you still want that dress?”

Disturbing Questions and Another Example

At this point, Isabelle may be asking a few questions. “How in the world did Website B get my email address? Who gave it to them? What else does this creepy website know about me, and who will they share it with?” The fact that these online stores have a privacy policy that spells out how your privacy will be violated provides no comfort at all.

You should also know that your personally identifying information can be captured without a high tech Email Retargeting Consumer Rights Management Integrated Platform thingamajig. Some websites are able to use technology built into your web browser called AJAX (Asynchronous JavaScript and XML) that can exchange data with a web server without the need to press the "Submit" or "Order Now" button on an order form. So if you enter your name, email address and phone number on a store's order form, then change your mind and back out without completing the sale, it's entirely possible that your details could have been captured, stored and shared without your knowledge.

I have an even more disturbing example that deals with smartphone technology. A few months ago I walked into a CVS drugstore, poked around a bit, and left without buying anything. The next day, I got an email from CVS that said something along the lines of “Thanks for visiting your local CVS store at [address], here’s a coupon for your next visit.”

Talk about creepy. I don’t have a CVS app on my phone, and as far as I know, I had never provided my email address to them. This type of privacy intrusion must rely on GPS tracking, a technology like AddShopper that builds consumer dossiers as folks roam about online and offline, and some other secret sauce that I can’t figure out.

I looked at the CVS privacy policy, and found this: “We and our service providers may collect the physical location of your device by, for example, using satellite, cell phone tower, WiFi signals, beacons, Bluetooth, and near field communication protocols, when you are in or near a CVS store. We may use your device's physical location to provide you with personalized location-based services and content, including for marketing purposes.” I’m not picking specfically on CVS – I’m sure this happens all over the place. But it does give me an icky feeling when it happens.

You can use a disposable email address (see Defend Your Inbox With a Disposable Email Address) when shopping, or turn off the Location Services on your smartphone to foil some of these tactics. But the bottom line is that privacy, in terms of where you go and what you buy (both online and offline) is fast eroding.

Has anything like this happened to you? What steps did you take to boost your online privacy? Please post your comments or questions below.

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 3 Apr 2023

For Fun: Buy Bob a Snickers.

Prev Article:
Fileless Malware: The Ghost in Your Computer

The Top Twenty
Next Article:
Would You Click This Link?

Most recent comments on "REVEALED: How Creepy Marketers Get Your Email Address"

Posted by:

03 Apr 2023

We experienced this, again, just this weekend.

Fortunately, as we always make throw away email addresses, we were able to cut them off immediately.

I sure am wondering if we should have marked it as SPAM first as this is unacceptable behavior if I never hit "submit" on their website.

Posted by:

03 Apr 2023

Salutations to all. Last week I got a mail advising me that I had just won an item that I've never bid on. Bid site has "416" on its name. I don't bid anymore there...Regards to all.

Posted by:

03 Apr 2023

CVS is especially abusive. Under the guise of helping you, they send voice mail, email and texts for reminders of Rx's that you have not even filled in months and are expired. They have even filled Rx's where my insurance has "no automatic refills" and where I have had them put in my records manually "do not automatically refill".

Posted by:

03 Apr 2023

Finally, I know how this keeps happening to me. Dastardly tactic for sure. Most importantly, Bob, thanks for showing how to foil this practice.

Posted by:

Hugh Gautier
03 Apr 2023

Then it seems that I did something right when I set up that account those many years ago. But I went a step further with the address ... is my trash address. You would have to be a bird breeder to know what those letters and numbers represented. But it has worked for a number of years now. True, it does give a location, but what are the rest of those letters and numbers? It is still working, and when I look at the source of the message I can see where it was sent and then what was done to it to get it to me. A prime example is one that comes from I didn't have anything to do with India and the company that this supposed person is sending from, I never made any inquirys. Any time I see it gets blocked and immediately goes directly into the Spam folder, but best of all, I'm not downloading any messages onto my system until I have checcked them on my ISP's email server. Call me paranoid but that spam doesn't have a chance of getting onto my computer system until I have checked it on the ISP's server. This way of checking does the trick for me. They get who is sending that spam out not my computer which can't send the blocked senders anywhere but into the system's trash.
The individual's computer doesn't report spam senders to anyone, so they are wasting their time. True it does make a file of spam sent to the person but that won't stop it without being proactive and stopping it on the ISP's server.

Posted by:

03 Apr 2023

This has been happening for a while now. Discovered yesterday that Google tracks lots of stuff on you, including sites visited. Yesterday I turned everything off on my account to see if that helps.

EDITOR'S NOTE: To see if it helps how?

Posted by:

Bob S
03 Apr 2023

Is there any extensions for the browser that one can install to block this?

Posted by:

03 Apr 2023

According to the U.S. Supreme Court, I have NO expectation of privacy when in public. In fact, if it can be seen from a public place, it is not private. Not your back yard or the interior of your home, unless you take measures to block public view (put up a tall opaque fence around your back yard and/or close your curtains). The sidewalk in front of your home and the street you live on are public places.

The Internet is a public place too, so you should not expect ANY privacy there either. In fact, if anything, the Internet takes being in public to a whole new level. Everywhere you go on the Internet, and all the servers you traverse to get there, have the right to record/track your activity, then use that information anyway they want. This 'tracking' starts with your ISP and any servers they use to provide Internet access to you, then it goes out to any servers you traverse to get to a website (the World Wide Web), and it culminates at the website. ALL of these entities have the right to record your activity on their equipment, then use that information in any way they see fit.

Commercial enterprise has tracked your activity since the first store opened. Sellers do, and always have, kept track of what they sell, and to whom (they keep records). As technology has advanced, so has the ability of sellers to track their customers. As far as I can see, nothing has changed other than the depth and breadth of information sellers can amass.

With the advent of the cell/smart phone, being outside has become as trackable as being on the Internet, and your service provider and any other providers whose networks you travers as you move about in public have the right to record and use your activity in any manner they choose while you use their equipment. So why is anyone surprised about this? The bottom line for me is that you shouldn't do anything on the Internet that you wouldn't do in any other public place, and NEVER EVER expect any measure of privacy when there.



Posted by:

03 Apr 2023

Facebook have always plundered my browser history for targeted ads (i.e. ads they get paid for providing information to the advertiser) so for many years I have used a separate browser just for Facebook. They have recently discovered a way to plunder my un-related browser history so that I get targeted ads from my private, separate browser history - that isn't creepy, that is plain data theft.

Posted by:

03 Apr 2023

Fortunately there is no CVS store where we live but now I know to avoid them...thanx for the info!

Posted by:

04 Apr 2023

Well said Ernie. We should all get our heads around the points Ernie makes.

Posted by:

04 Apr 2023

I recently bought an item online from the Asian store first letter: T
Item came fast and I was very pleased with my purchase.
A few days passed and then "BAM" started getting about 1oo emails each day, my spam folder catches all of them, however it really ticks me off!
Of course I never open any of them.

Posted by:

04 Apr 2023

You need to start with Microsoft and Google for sending the largest number of UNSOLICITED emails
especially with sex sites content, etc.

EDITOR'S NOTE: What makes you think Microsoft and Google are sending those messages?

Posted by:

05 Apr 2023

@Ernie/Oldster -- you are really missing the point. Your extreme viewpoint aside (when I'm shopping online I'm not out in public, I'm on a private company website and none of the public can see what I'm doing), why should we accept that our privacy is irrelevant? Why should we accept that companies scrape our data and sell it?

A fantastic book -- The Age of Surveillance Capitalism -- talks about how scraping our data has become the basis of business models for so many enterprises. And it's not just about taking our personal data and selling it to the highest bidder in order to help sell more stuff to us. It's about modifying social and human behavior.

It should give you an icky feeling -- it should be disturbing. And it would be way better if more people resisted the continuing erosion of our privacy.

Posted by:

05 Apr 2023


I was NOT saying that we should be O.K. with the fact that our activity is being recorded. I was simply asking why anyone is surprised by it, and that we should act accordingly. Facts are facts, and everything I said in my previous post was/is true (AFAIK). You are free to agree or disagree, but I stand by what I said.

I didn't say that your connection to some online store and your purchase information was public, but your activity to connect to that store over the Internet was/is. Your ISP (for the most part), the servers over which you connect(ed) to the store, and the store itself all have the right to log (record) whatever travels over their hardware. Additionally, the store has the right to do whatever they want to do with the information they log (record), including selling it in some form, as is true with any hardware over which your connection is routed. The good news is that each packet you send/receive to/from a website will usually traverse a different path across the Internet to get to/from your computer or the website you are connecting with, so what you do on the Internet is less likely to be captured in whole by the servers between your computer and the website you connect to, although it could still be possible, if not virtually improbable.



Posted by:

Leo N.
06 Apr 2023

...and probably you forgot another possible way of leak: if you keep your Google Account logged in, other websites could probably capture your login info. Try to visit Quora and you will see a message saying "Sign in to Quora with Google" and it shows my email and name (and a blue button says "Continue as Leo"). OK, Quora is honest, and they probably won't capture your login, but what if other no honest websites using the same technology and capture that info?. Hopefully there is no way to capture info from an iFrame, but it doesn't make me feel comfortable. I'm an old time reader of your newsletter, you always have very interesting articles (thanks for keeping us informed).

Posted by:

06 Apr 2023

Call me paranoid, but I never use my phone for anything but maps, a flashlight, a camera, a WiFi signal strength meter, etc, and a phone in case my car breaks down and I need to call for help. No email has ever been sent or received on the phone. My grandkids scoff, but that's OK, I sleep well at night.

Posted by:

Sandy Jewell
07 Apr 2023

I have found that shortly after purchasing anything from Amazon, I start receiving unsolicited emails from companies I've never heard of and also text messages with links. So often I tell myself that I won't shop Amazon again, but I do.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- REVEALED: How Creepy Marketers Get Your Email Address (Posted: 3 Apr 2023)
Copyright © 2005 - Bob Rankin - All Rights Reserved