Table of Contents
Online shopping is convenient, saves time, and everything is just a click away. But how often do we stop to think about what happens to the data we leave behind, or the risks that might come with it?
Where shopping data goes
Retailers often store purchase histories, addresses, and account details for years, sometimes longer, unless legal requirements or customer requests mandate deletion. They may also share customer information with third-party companies for marketing or analytics purposes.
“While companies often admit to sharing user data with third parties, it’s nearly impossible to track every recipient. That lack of control creates real vulnerabilities in data privacy management. Very few organizations thoroughly vet their third-party data-sharing practices, which raises accountability concerns and increases the risk of breaches,” said Ian Cohen, CEO of LOKKER.
The criminal marketplace for stolen data has exploded in recent years. In 2024, over 6.8 million accounts were listed for sale, and by early 2025, nearly 2.5 million stolen accounts were available at one point.
The role of data brokers
Data brokers, which collect and sell personal information to advertisers or other firms, play a big role in this ecosystem. Researchers recently showed how easy it is to buy phone location data from brokers and use it to track U.S. Securities and Exchange Commission employees as they visited corporate offices.
The study showed just how dangerous this can be, with the potential for deadly consequences if such information falls into the wrong hands.
How criminals use shopping data
Even limited purchase information can prove valuable to criminals. A breach exposing high-value transactions, for example, may suggest a buyer’s financial status or lifestyle. When combined with leaked addresses, that data can help criminals identify and target individuals more precisely, whether for fraud, identity theft, or even physical theft.
In July 2025, luxury fashion brand Louis Vuitton confirmed a data breach that affected thousands of customers. The breach exposed personal information, including names, contact details, and purchase histories.
Criminals often merge this type of data with phishing tactics and other leaked information to build complete identity profiles. With AI, these phishing campaigns are tailored to individuals’ preferences, making targeted emails harder to spot and far more likely to succeed.
Your right to delete shopping data
At a time when privacy is becoming a luxury, we can take steps to limit the amount of data we leave online. If not completely, then at least partially.
One key mechanism is the right to be forgotten, a legal principle allowing individuals to request the removal of their personal data from online platforms. The European Union’s GDPR is the strongest example of this principle in action.
While not as comprehensive as the GDPR, the US has some privacy protections, such as the California Consumer Privacy Act (CCPA), which allow residents to access or delete their personal data. Several US states, following California’s example, are strengthening consumer rights protections.
When it comes to online shopping data, there are steps you can take to reclaim some of that control:
Check your account’s privacy settings: Many online stores let you view, download, or delete your personal data right from your account.
Request data deletion formally: Use the platform’s “contact us” or privacy request form. You can even mention GDPR or CCPA if applicable, it shows you know your rights.
Manage your marketing preferences and tracking settings: Unsubscribe from promotional emails, disable personalized ads, or manage cookies to reduce how much data is collected.
Delete saved payment methods and addresses: This limits sensitive information that’s stored in your account.
Review connected apps and accounts: Remove any third-party apps or services that might have access to your shopping data.
Even with deletion requests, some information may remain to comply with legal obligations, complete transactions, or exist in backups or third-party systems.
According to DataGrail, data deletion requests are surging, rising 82% year-over-year and surpassing access and do-not-sell requests for the fourth consecutive year.
“People demand privacy, and the more we understand what people like about privacy, the better firms can improve their products and services to meet these preferences,” noted Dr. Joy Wu, Assistant Professor, UBC Sauder School of Business.
