This study explores the widespread perception that personal data, such as email addresses, may be shared or sold without informed user consent, investigating whether these concerns are reflected in actual practices of popular online services and apps. Over the course of a year, we collected and analyzed the source, volume, frequency, and content of emails received by users after signing up for the 150 most popular online services and apps across various sectors. By examining patterns in email communications, we aim to identify consistent strategies used across industries, including potential signs of third-party data sharing. This analysis provides a critical evaluation of how email marketing tactics may intersect with data-sharing practices, with important implications for consumer privacy and regulatory oversight. Our findings, from a study conducted post-CCPA and GDPR, indicate that while no unknown third-party spam email was detected, internal and authorized third-party email marketing practices were pervasive, with companies frequently sending promotional and CRM emails despite opt-out preferences. The framework established in this work is designed to be scalable, allowing for continuous monitoring, and can be extended to include a more diverse set of apps and services for broader analysis, ultimately contributing to transparency in email address privacy practices.