1. Home
  2. tech
  3. news
  4. I spent 10 minutes shopping for a mattress topper online, and it dispelled all notions of online privacy I ever held

I spent 10 minutes shopping for a mattress topper online, and it dispelled all notions of online privacy I ever held

Kelsey Vlamis   

I spent 10 minutes shopping for a mattress topper online, and it dispelled all notions of online privacy I ever held
  • I got an unsolicited email from an online store even though I never gave it my email.
  • Data-privacy experts say websites often know more about you than you think, thanks to data brokers.

I was shopping online for a mattress topper — of all the mundane things — when something creepy happened.

I had opened a website of a company that I hadn't heard of but that several popular review sites recommended. I lingered on the product page for several minutes, reading the specifications of the topper and comparing it with other options. Then I closed the window and went on with my day.

About an hour or so later, an email appeared in my inbox.

"Thanks for stopping by!" the subject line said.

The body of the email said, "Welcome!" and offered me a discount on toppers, pillows, and bedding.

I was perplexed. I hadn't purchased anything. I hadn't submitted my information in a pop-up box for a discount. How did the company get my email? The confusion quickly gave way to annoyance and discomfort. Even if they somehow had my email, why were they cold-emailing me uninvited?

Data-privacy experts I spoke with were not surprised to hear this story. Despite the sense of anonymity that comes with online browsing, the websites you visit know exactly who you are more often than you'd think.

"Welcome to the internet of the future," Rob Shavell, a cofounder and the CEO of the online-privacy companies Abine and DeleteMe, told Business Insider. "It doesn't just happen to you; it happens to millions of people every day."

Data brokers are amassing more and more information about individuals every day, compiling it into profiles that they then sell to companies or even individuals. Shavell said when DeleteMe started measuring this about five years ago, the average profile from a data broker contained 235 pieces of personal, identifiable information about a person. Today, it's over 600.

"In five years, the amount of information that the average data broker has on the average person's profile has more than doubled," he said.

That information can include where you live, who your family members are, what political party you're associated with, and what kind of car you drive.

There are also companies that do "enrichment," which Shavell described as an industry term for the practice of knowing one thing about somebody and then using it to correlate other information that is known about them.

He offered a possible explanation of what happened in my case: When I visited the website, it gathered some pieces of unique data from me, like my IP address combined with the fonts on my device or the International Mobile Equipment Identity number on my cellphone. It then shot the data it collected over to a data-enrichment broker, which determined with, say, 93% confidence that this is Kelsey Vlamis and said, "By the way, we know all of this stuff about her. What do you want to know?"

The company can then pay for whatever it wants to know about you, such as your email address and maybe even some other information that it can use to do a follow-up campaign later.

"It automatically all happens, and the transactions all get done, and you get an uncomfortably personalized email based on an action you took when you thought you were more or less anonymous," Shavell said. "And that's happening all over the internet."

If websites know who I am, why don't I get more unsolicited emails?

The explanation made sense, but it did make me wonder why I hadn't heard of this happening more often, especially because Shavell's educated guess was that in the US, slightly more than half of all people's browsing could be identified by marketers or data brokers.

But Shavell said one of the big secrets of the data-broker and marketing-technology industry was its efforts to actively avoid creating the situation I experienced.

"They want to know more and more about you but not creep you out," he said. "They actually typically don't do this. This is probably just sloppy marketing that you ran into."

That means companies are usually gathering my data without showing me their hand.

Dominic Sellitto, a clinical assistant professor of management science and systems at the University at Buffalo School of Management, calls it the "creep factor" of using someone's data. He told BI most companies would not use a person's data in this way specifically because they know it can creep people out.

"There's a certain point at which, and I'm sure it sounds like you've encountered it, where I don't like that they sent me an email unsolicited, and therefore I am less likely to purchase something from them," he said. "So companies will tend to avoid crossing that boundary."

In a situation like what happened to me, Sellitto said, it's more often the case that the company appearing to have cold-emailed you is affiliated with a company that you have given your data to — for instance, if you buy from a subsidiary of a bigger company or a sister brand to a company you have shopped at. However, in my case, I could find no evidence of a connection.

There are some options for people who are concerned about their personal data being out there. Some states, including California, Colorado, Connecticut, Virginia, and Utah, have passed data-privacy laws that give residents the right to have their personal data deleted or prevent it from being sold.

However, there are hundreds of data brokers, and they all have different processes for opting out. If you don't want to go through the process of requesting data deletion from individual data brokers, you can pay for services such as DeleteMe or Incogni, which can send requests to brokers on your behalf.

While my case was innocuous, there are plenty of circumstances in which private data can be used that are far more malicious, and Shavell said situations like this could help open people's eyes to just how accessible their personal information is.

"What we don't want to have happen is five years from now, nobody's done anything about their privacy, and then all of a sudden AI algorithms have collected so much data about us they're making decisions that impact our lives behind our back, so to speak," he said. "And we never know about it, and we feel a real loss of control."

Have a news tip? Contact this reporter at

Popular Right Now