You probably remember when the tracking cookie died. Browsers blocked them,
regulators demanded banners for them, and the advertising industry spent years
announcing its move to a "post-cookie world." It felt like a win for privacy.
It wasn't a win. It was a substitution. The identifier that replaced the cookie
is your email address.
Why your email address is a better cookie than the cookie ever was
A cookie lived in one browser on one device, and you could clear it whenever
you wanted. Your email address follows you everywhere. You type it into every
store, newsletter, app, loyalty program, and login screen. It is the same on
your phone, your laptop, and your work computer. It survives for decades.
The advertising industry noticed. The standard practice today is to take the
email address you provide, run it through a hashing function, and use the
result as a tracking identifier. The industry calls this a "hashed email" and
describes it as privacy-safe because the hash can't be reversed back into your
address. What that description leaves out: it doesn't need to be reversed.
Every company that hashes your address gets the same code. The code IS you.
This is not a fringe practice. It is the documented foundation of the
post-cookie ad industry. Identity resolution vendors openly sell
email-centric identity graphs
built on exactly this matching. Marketing platforms publish guides on
unlocking the hashed email "goldmine"
sitting in customer databases. Analytics tools document how
clicking a newsletter link that carries your email hash
stitches your devices together into one profile. None of this is hidden. It is
the product.
So here is the trade you actually made when the cookie died: an identifier you
could clear in two clicks was replaced by one you've used for fifteen years
and gave to everyone.
What the graph knows
Once your email address is the key, everything keyed to it can be joined. The
shoes you browsed on your laptop connect to the news you read on your phone.
The purchase you made in a store, where the cashier asked for your email "for
the receipt," joins the profile too. Data breaches add their contents to the
pile -- and your address has almost certainly been in several.
It gets one step stranger. Marketing emails carry per-recipient trackers --
invisible images and rewritten links that identify you specifically. When you
forward one of those emails to a friend and they open it, their device
announces itself against your tracking identifier.
Email platforms acknowledge
that forwarded opens register against the original recipient. The email you
shared becomes a signal that the two of you are connected and what you both
found interesting. Academic researchers studying email tracking found that
a substantial share of commercial emails leak the recipient's address -- often
in hashed form -- to third parties the sender never mentioned.
Is your email address personal information? Both GDPR and CCPA say yes,
plainly. But the legal classification understates the situation. Your email
address is not just a piece of personal data. It is the join key -- the one
identifier that links all the others together.
You can't clear it -- but you can stop using it
You can't reset your email address the way you cleared cookies. Changing it
means losing access to everything attached to it, which is exactly why it
makes such a durable identifier.
What you can do is stop handing the join key to everyone who asks.
If the email address is the cookie, then an alias is the cookie blocker. Give
every company a different address that routes to your real inbox, and the
hashes stop matching. The store, the newsletter, and the loyalty program each
hold a different code, and the graph can't join them. You stay reachable --
real mail still arrives, replies still work -- but the one thread tying your
profiles together is gone.
That is half the answer. The other half is the trackers inside the email
itself, because an alias does nothing about the invisible image that reports
when you read a message. Those have to be removed before the email reaches
you -- which means stripping the tracking machinery and rebuilding a clean
copy for delivery. An email that has been through that process can even be
forwarded to a friend without reporting on them when they open it.
The cookie didn't die. It moved into your email address. Treat that address
accordingly -- like the permanent identifier it has become, not like a piece
of contact information.
Originally published at emparrot.com.
Top comments (0)