The Cookie That Never Expires

You probably remember when the tracking cookie died. Browsers blocked them, regulators demanded banners for them, and the advertising industry spent years announcing its move to a “post-cookie world.” It felt like a win for privacy.

It wasn’t a win. It was a substitution. The identifier that replaced the cookie is your email address.

Why your email address is a better cookie than the cookie ever was

A cookie lived in one browser on one device, and you could clear it whenever you wanted. Your email address follows you everywhere. You type it into every store, newsletter, app, loyalty program, and login screen. It is the same on your phone, your laptop, and your work computer. It survives for decades.

The advertising industry noticed. The standard practice today is to take the email address you provide, run it through a hashing function, and use the result as a tracking identifier. The industry calls this a “hashed email” and describes it as privacy-safe because the hash can’t be reversed back into your address. What that description leaves out: it doesn’t need to be reversed. Every company that hashes your address gets the same code. The code IS you.

This is not a fringe practice. It is the documented foundation of the post-cookie ad industry. Identity resolution vendors openly sell email-centric identity graphs built on exactly this matching. Marketing platforms publish guides on unlocking the hashed email “goldmine” sitting in customer databases. Analytics tools document how clicking a newsletter link that carries your email hash stitches your devices together into one profile. None of this is hidden. It is the product.

So here is the trade you actually made when the cookie died: an identifier you could clear in two clicks was replaced by one you’ve used for fifteen years and gave to everyone.

What the graph knows

Once your email address is the key, everything keyed to it can be joined. The shoes you browsed on your laptop connect to the news you read on your phone. The purchase you made in a store, where the cashier asked for your email “for the receipt,” joins the profile too. Data breaches add their contents to the pile – and your address has almost certainly been in several.

It gets one step stranger. Marketing emails carry per-recipient trackers – invisible images and rewritten links that identify you specifically. When you forward one of those emails to a friend and they open it, their device announces itself against your tracking identifier. Email platforms acknowledge that forwarded opens register against the original recipient. The email you shared becomes a signal that the two of you are connected and what you both found interesting. Academic researchers studying email tracking found that a substantial share of commercial emails leak the recipient’s address – often in hashed form – to third parties the sender never mentioned.

Is your email address personal information? Both GDPR and CCPA say yes, plainly. But the legal classification understates the situation. Your email address is not just a piece of personal data. It is the join key – the one identifier that links all the others together.

You can’t clear it – but you can stop using it

You can’t reset your email address the way you cleared cookies. Changing it means losing access to everything attached to it, which is exactly why it makes such a durable identifier.

What you can do is stop handing the join key to everyone who asks.

If the email address is the cookie, then an alias is the cookie blocker. Give every company a different address that routes to your real inbox, and the hashes stop matching. The store, the newsletter, and the loyalty program each hold a different code, and the graph can’t join them. You stay reachable – real mail still arrives, replies still work – but the one thread tying your profiles together is gone.

That is half the answer. The other half is the trackers inside the email itself, because an alias does nothing about the invisible image that reports when you read a message. Those have to be removed before the email reaches you, which is what a privacy relay does: it takes each message apart, discards the tracking machinery, and rebuilds a clean copy for delivery. An email that has been through that process can even be forwarded to a friend without reporting on them when they open it.

This is the model EMail Parrot is built on – aliases that keep your real address out of the graph, and a relay that strips the tracking before delivery. But whether or not you ever use our service, the underlying point stands on its own:

The cookie didn’t die. It moved into your email address. Treat that address accordingly – like the permanent identifier it has become, not like a piece of contact information.