Have you ever given your email address to a company and, then, suddenly started receiving loads of web spam? A surge in email spam can happen for many reasons but companies selling your email address to third parties is always one of the most frustrating.

Luckily, there’s a sneaky hack in Gmail that you may use to identify any company selling your email address.

Three phone screens with facebook notifications about a privacy policy update

Are Companies Really Selling My Email Address?

Data privacy laws in the United States are complex. At the time of writing, there’s no federal law that prohibits companies from collecting, using, sharing, or selling your data without your consent. Unlike in the EU–where GDPR regulates all data collection and handling–the US only has a handful of federal laws for specific use cases.

No Federal Law Prevents Companies Selling Your Email Address

For example, theHealth Insurance Portability and Accountability Act(HIPAA) regulates communication in the healthcare industry and the use of certain types of data. Likewise, you’ve got theGramm-Leach-Bliley Act(GLBA) that regulates how financial providers inform consumers about data sharing and provide an opt-out system.

Privacy Regulations Are (Slowly) Improving at the State Level

Thankfully, things are slowly changing at the state level. In December 2020, the State of California implemented the country’s first comprehensive data privacy legislation, theCalifornia Consumer Privacy Act(CCPA).

In March 2021, Virginia became the second state to implement a similarly comprehensive privacy legislation with theVirginia Consumer Data Protection Act(VCDPA).

A screenshot showing the email headers in Gmail

As more states follow suit, consumer data protections are improving in the U.S. but it’s important to understand their limitations. For one thing, a lack of federal regulation means specific laws can vary from one state to the next. Secondly, even the strictest of existing privacy guidelines still allow companies to sell your data–as long as they get your permission.

Privacy Regulations Don’t Fully Solve the Problem

1. Create a Gmail Account For Signups

The hack we’re talking about uses a specific Gmail feature, so you’ll need a Gmail account to do this. Some other email clients support similar features, but they might be called something else and work slightly differently–so let’s stick to Gmail to keep things simple.

Once you’re familiar with this technique, you can always search for other alternative email clients that support similar features if you don’t want to use Gmail for any reason.

A screenshot showing how to view an email message source in Outlook

To make the most of this hack, we recommend creating a new Gmail account for signing up for things. You can still use your main account for important stuff like banking or service providers you trust. However, it’s a good idea to create a clean, secondary account that you can use for anything less trustworthy–like new eCommerce sites, price comparisons, content downloads, etc.

Gmail allows you to append additional text to your email address by using the plus (+) sign. For example, if your address is youremail@gmail.com, you can add a+sign after the prefix and append any text you like before the domain–for example: youremail+append@gmail.com.

A screenshot showing where to find the “To:” field in a message source, using Outlook

When you do this, Gmail ignores the plus sign and any text between it and the domain (@gmail.com). This means you can provide an appended email for any signup, and you’ll still receive all subsequent emails to your original address.

More importantly, any company that sells your email address will pass along the appended email address you provided because this is the address they have on file.

A screenshot showing how to reveal sender information in Gmail without opening emails

3. Check the “To” Email Address For Suspected Spam

If your new Gmail account starts receiving anything that looks like spam, you can easily check if a company has sold your email address. All you have to do is look at theto:field in the email headers.

You can do this in any email by clicking theTo metab under the email sender’s address.

If a company has sold your email address to a third party, their company name will show in the appended address you originally provided: youremail+companyname@gmail.com.

4. How to View the “To” Email Address Without Opening Emails

The only problem with this strategy is you have to open an email in Gmail to view the email address the sender used. Opening the odd spam email by mistake isn’t necessarily a big problem but marketing spam is one thing; phishing and other email scams are something else entirely.

While only 2.5% of email spam is considered scams or fraud, according toMailmodo, unnecessarily opening spam emails isn’t a great idea.

The more spam emails you open, the more likely you are to accidentally click on dodgy links or images that could point you towards security threats. Any such clicks will also confirm your email address is active and, potentially, make you a bigger target for scammers.

Although the risk is relatively small, you can get around this issue by checking the email headers of anything you don’t recognize-without opening the email. Annoyingly, Gmail doesn’t allow you to do this, so we have to use a workaround.

The solution is toadd your Gmail account to Outlookor another client that allows you to access email headers without opening emails. In Outlook, you can do this by right-clicking an email and selectingView > View message source.

This shows up the email’s source code in a dialog box without opening the email itself. You can scroll down the source code until you find theTo:field, as shown below.

If you struggle to find this field, you can use the search function in your browser to locate it. For example, you can do this in Chrome by pressingCMD+Fon Mac orCtrl+Fon Windows and typing “To:” into the search bar.

PressEnterand this will automatically scroll to theTo:in the message source and highlight it for you.

5. Mark Email As Spam And Block the Sender

Now that you know whether a company sold your email address, you may mark the email in question as spam. If you want, you can also block the sender’s email address to stop future emails reaching you. Again, the easiest way to do this is to open the email where you can click the three-dot icon and selectBlock [sender]but this requires you to open the email.

This time, there is a workaround for this in Gmail. If you hover over the sender’s name, this reveals a contact card, showing their name, email address, and other details. Hover over the email address under the senders name, and this reveals an icon for copying the sender’s email address.

With this, you can go toSettings > See all settings > Filters and blocked addresses > Create a new filter. This allows you to set up a filter that automatically sends emails from the sender to your spam folder.

6. Contact the Company That Sold Your Email Address

If you’ve identified the company that sold your email address to third parties, the final step is to ask them to remove you from their email list. If the company doesn’t provide an easy way to opt out online, you should contact them in writing by sending a request to be removed from their mailing list.

You’ll also want to do the same with the company that bought your email and started sending unsolicited emails. Now, depending on the privacy laws of your state, neither company is necessarily obligated to respect your request. However, if they refuse, you could threaten to report them to theFederal Trade Commissionthat enforces theCAN-SPAM Act.

The CAN-SPAM Act protects the right of individuals and organizations to “have you stop emailing them”.

Take Back Control Over Your Email Accounts

Companies selling your email address is one of many reasons spam can overtake your inbox. So, it’s important to take further steps to protect your email account, reduce spam, and minimize potential security threats.