AI Summary
This study addresses user privacy violations in email marketing, particularly unauthorized data sharing and ineffective unsubscribe mechanisms. Method: Over one year, we empirically monitored email traffic following user registration with 150 major online services, systematically analyzing origin, frequency, content, and temporal patterns to construct the first scalable email provenance analysis framework. Contribution/Results: We conducted the first large-scale post-GDPR/CCPA empirical validation of authorized third-party email delivery practices. Results show that over 85% of services continue sending emails after users unsubscribe; no unsanctioned third-party spam was detected, revealing a regulatory gray area arising from “authorized sharing” under current compliance frameworks. Our findings provide critical empirical evidence for evaluating privacy protection policies and improving email marketing governance.
Abstract
This study explores the widespread perception that personal data, such as email addresses, may be shared or sold without informed user consent, investigating whether these concerns are reflected in actual practices of popular online services and apps. Over the course of a year, we collected and analyzed the source, volume, frequency, and content of emails received by users after signing up for the 150 most popular online services and apps across various sectors. By examining patterns in email communications, we aim to identify consistent strategies used across industries, including potential signs of third-party data sharing. This analysis provides a critical evaluation of how email marketing tactics may intersect with data-sharing practices, with important implications for consumer privacy and regulatory oversight. Our study findings, conducted post-CCPA and GDPR, indicate that while no unknown third-party spam email was detected, internal and authorized third-party email marketing practices were pervasive, with companies frequently sending promotional and CRM emails despite opt-out preferences. The framework established in this work is designed to be scalable, allowing for continuous monitoring, and can be extended to include a more diverse set of apps and services for broader analysis, ultimately contributing to transparency in email address privacy practices.