How to Protect Your Privacy When Shopping Online

How to Protect Your Privacy When Shopping Online

My sister called me in December — right after the holidays — because she was getting text messages from a mattress company. She bought a mattress in October. One mattress. She's not in the market for another mattress. She will not be in the mattress market for approximately eight to ten years.

But somehow she was on a mattress SMS list, a bedding accessories email list, and had received a physical mailer from a "sleep wellness" brand she had never heard of — all traceable back to one checkout form she filled out six weeks earlier.

This post is for anyone who has ever bought one thing online and then felt like that purchase followed them around the internet for months.

Here's what actually happened to my sister's data. The mattress retailer collected her email, phone number, and shipping address at checkout. That contact record — attached to a purchase category, a price point, and a timestamp — is genuinely valuable to a specific set of advertisers. Home goods brands, furniture stores, interior design subscription boxes. She self-selected as someone who spends money on home purchases. That's a targetable profile. So the retailer either sold it directly or shared it with "partners" (which is the polite word for buyers).

And look, the checkbox to opt out of this was probably there. Pre-unchecked, buried below the payment fields, in light gray text that says something like "I'd like to receive offers from our trusted partners." (Which nobody reads. I don't read it either unless I'm specifically auditing a checkout flow.)

The frustration isn't that retailers market to their own customers. Fine, whatever. The frustration is the third-party bleed — the part where buying a mattress somehow puts you on a list for a company you've never interacted with, in a category you didn't ask about, with no clear way to trace how they got your contact.

So. The practical question is: what can you actually control at checkout without making the purchase annoying.

Honestly, more than most people think. Your email address is the most re-sellable piece of data in that form. Your shipping address is required if you want the thing delivered. Your phone number usually isn't required — most sites mark it optional even if the field looks mandatory. And your email? For a one-time purchase from a store you'll probably never visit again, a temporary address works fine.

It's not a complete solution. Some sites require a real email for order tracking and return processing, and in those cases you're right to use your real address — you need that thread. But for the "create an account to check out faster next time" pop-up that appears on a site you found via a Google ad at 11pm? Temp inbox. Every time.

The Economics Behind Why They Want Your Email

Retail contact records have a market. That's just true. A verified email address attached to a completed purchase — especially one with a known product category and price point — can sell for anywhere from a few cents to a couple dollars per record depending on the vertical and how fresh it is. Home goods, electronics, apparel, and baby products are particularly high-value categories because they signal life stage and spending behavior. Your mattress purchase doesn't just tell a data broker you bought a mattress. It tells them roughly how old you might be, whether you own or rent, and what your discretionary spending looks like.

The common mistake is thinking that unchecking the marketing preferences box at checkout protects you from this. It often doesn't — that checkbox controls whether the retailer's own marketing team emails you, not whether they share your record with third parties (which is governed by a separate clause buried in the privacy policy). For real. These are two different data flows with two different controls, and most people never see the second one.

We ran a test last quarter — set up 15 clean Mail On Deck addresses and completed real purchases across 15 different mid-size retail sites, with marketing preferences unchecked on every single one. Over 30 days, 9 of those 15 addresses received at least one email from a domain that was not the original retailer. Three of them received emails from four or more unrelated senders. Unchecking the box on the checkout form did not prevent third-party contact in 60% of our test cases.

How to Actually Fix This

The checkout workflow:

• Before you start filling out any retail checkout form, open a new tab and go to MailOnDeck.com. A disposable inbox is generated automatically — copy the address.
• In the checkout form, paste the temp address into the email field. For the phone number field, check whether it's actually required — most sites mark it optional. If it's optional, leave it blank.
• For the shipping address: use your real one. You need the package. That part is non-negotiable and honestly fine — your shipping address is less re-sellable than your email because it's harder to act on digitally.
• Complete the purchase. Flip to the Mail On Deck tab and wait for the order confirmation email — it usually arrives within a minute. Save or screenshot the order number and any relevant details you'll need.
• If the site requires email verification before showing you the order confirmation, complete that step from the Mail On Deck tab, then screenshot or copy the confirmation details you need for tracking or returns.
• For return purposes: if you think there's any chance you'll need to contact customer service tied to this order, either save the order confirmation from the temp inbox before it expires, or use a dedicated throwaway account that you check occasionally rather than a fully disposable one.

3 variations worth building into your habit:

• For guest checkout vs. account creation: always choose guest checkout when it's available. Creating an account ties your purchase history, browsing behavior, and contact info into a single profile that's significantly more valuable to data brokers than a one-off transaction record. Guest checkout + temp email is the cleanest combination.
• For sites that require account creation: use the temp inbox for signup, complete email verification, then immediately go into account settings and check what communication preferences are enabled by default. Most platforms auto-enroll you in 3-4 email types. Uncheck everything before you close the tab — it's faster to do it now than to deal with the sequence that fires starting tomorrow morning.
• My personal rule for any "save your card for faster checkout" prompt: I don't. Ever. Not because of fraud risk specifically, but because a saved payment method is a behavioral signal that the platform uses to model your purchase likelihood and target you accordingly. Pay as guest, use the temp email, and let the transaction end when the transaction ends.

Retail data collection is a feature of how these businesses make money, not a bug — and the only real opt-out is deciding what you hand them in the first place.