You've been there. You sign up for a website — maybe to download an ebook, claim a discount code, or start a free trial. You confirm your email. You get what you wanted.
Then three weeks later, your inbox starts filling up with emails from companies you've never heard of, promoting products you never asked about. Your email address has been sold. But how exactly does that happen — and where does it end up?
Step 1: The Sign-Up
When you enter your email address on a website, it's immediately stored in their customer database alongside whatever else they know about you — your IP address, your browser, your approximate location, and any other information you provided.
Most privacy policies contain language like "we may share your information with trusted third-party partners" or "we work with advertising networks to deliver relevant offers." This is the legal cover for selling your data. By clicking "I agree," you consented — even if you never read it.
Step 2: The First Sale
The website sells your email to a data broker. Data brokers are companies whose entire business model is collecting personal information and reselling it. The largest ones — Acxiom, Experian Marketing Services, Oracle Data Cloud — hold records on hundreds of millions of people.
Your email address isn't sold alone. It's enriched with other data points the broker already has about you: your name, address, phone number, estimated income bracket, purchase history, and browsing behaviour patterns. This creates a profile that's far more valuable than just your email.
The sale price for an individual email address in a bulk list is fractions of a penny. But sold in batches of millions, it's a significant revenue stream.
Step 3: The Profile Building
Once in the data broker ecosystem, your email becomes a cross-referencing key. Brokers use it to link your activity across different websites, apps, and devices. Every time a company you've signed up to shares data with the same broker, another piece of your profile is added.
This is why you might see eerily relevant ads for something you searched on one device appear on a completely different device — your email is the common thread connecting the dots.
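To make the "cross-referencing key" idea concrete, here is an added example (not code from any broker or from the original article) that merges sign-up records from several sites into one profile by joining on the email address. The SHA-256 match key, the field names and the sample feeds are assumptions constructed for illustration; the point to notice is that the throwaway address used on the fourth site never joins the main profile.

```python
import hashlib
from collections import defaultdict

def match_key(email: str) -> str:
    """Join key: SHA-256 of the trimmed, lower-cased address (assumed scheme)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def build_profiles(feeds):
    """Merge every record that shares a match key into a single profile."""
    profiles = defaultdict(lambda: {"sources": [], "attributes": {}})
    for source, records in feeds.items():
        for record in records:
            profile = profiles[match_key(record["email"])]
            profile["sources"].append(source)
            for field, value in record.items():
                if field != "email":
                    # First value seen wins; later feeds only add new fields.
                    profile["attributes"].setdefault(field, value)
    return dict(profiles)

# Constructed sample feeds: four sites sharing sign-up data with one broker.
# The same person used a real address on three and a throwaway on the fourth.
FEEDS = {
    "ebook-site": [{"email": "Alex@example.com", "ip_region": "Leeds"}],
    "shop": [{"email": "alex@example.com ", "name": "Alex Doe",
              "last_purchase": "running shoes"}],
    "trial-app": [{"email": "alex@example.com", "browser": "Firefox"}],
    "giveaway": [{"email": "k3v9q@disposable.example", "ip_region": "Leeds"}],
}

def summarize(feeds):
    """Return {match key: (number of sources, sorted attribute names)}."""
    return {key: (len(p["sources"]), sorted(p["attributes"]))
            for key, p in build_profiles(feeds).items()}

if __name__ == "__main__":
    for key, (count, attrs) in summarize(FEEDS).items():
        print(key[:12], count, attrs)
```

The real address collapses three feeds into one profile despite differences in case and whitespace, while the disposable address stays an isolated record holding only what that one site collected.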
Step 4: The Secondary Sales
Data brokers don't sell to just one buyer. Your data is sold again and again to:
- Email marketing companies who build contact lists for their clients
- Ad networks who use it for targeted advertising
- Lead generation agencies who pass it to sales teams
- Other data brokers who aggregate it further
- Affiliate marketers who earn commission per lead generated
Each sale creates another copy of your data in another database. By this point, your email address might exist in dozens of separate systems with no way to remove it from all of them.
Step 5: The Spam Arrives
Eventually your email ends up on a bulk email list. You start receiving marketing emails from companies you've never interacted with. Some are legitimate (albeit unsolicited) marketing. Others are aggressive spam. Some are phishing attempts that use data from your profile to make the emails more convincing — referencing your name, approximate location, or recent purchases.
Step 6: The Data Breach Risk
Every database your email lives in is a potential breach point. The more companies that have your address, the more exposed you are. When any one of them is hacked, your email — and everything linked to it in their system — is exposed and may end up on dark web marketplaces.
Cybercriminals buy these breach datasets and use them for credential stuffing attacks (trying your email and leaked passwords across banking and shopping sites), targeted phishing, and identity theft.
How Long Does This Process Take?
Faster than most people expect. Some data brokers purchase fresh sign-up data in real time via APIs. If a website has a real-time data sharing agreement with a broker, your email can be in a marketing list within hours of you entering it.
In practice, most people start seeing increased spam within 2–6 weeks of signing up to a new website that sells data.
Can You Stop It Once It's Started?
Partially. You can:
- Opt out from data brokers directly — most major brokers offer opt-out forms, but there are hundreds of them and the process takes weeks
- Unsubscribe from legitimate marketers — this removes you from their list but not from broker databases
- Use email filters to automatically divert suspicious senders to spam
But realistically, once your real email is in the data broker ecosystem, you can't fully remove it. The most effective approach is prevention.
How to Prevent It in the First Place
The only reliable way to stop your email from entering this cycle is to never give your real address to untrusted sources. Use a disposable email address for:
- Free trials and sign-ups you're unsure about
- One-time downloads and gated content
- Competitions and giveaways
- Any website you're visiting for the first time
When the disposable address expires, everything sent to it is gone. Even if it's sold to a broker, the address no longer exists — it can't be used to track you, spam you, or build a profile.
The Uncomfortable Truth About "Free" Services
When a service is free, you are often the product. The data you generate — including your email address — is monetised to fund the service. This isn't necessarily malicious, but it's worth being clear-eyed about.
The next time a website asks for your email in exchange for something free, ask yourself: is this worth giving them a permanent connection to my identity? If the answer is no, use a disposable address instead.