A Cursory Look at Personally Identifiable Information in Retail Email Campaign Links

Recently I’ve made a habit out of reading my email subscriptions. Occasionally, I even click on the links. After clicking on a few I started to notice some trends. All links followed the same structure:

First, they hit a separate dedicated server

… for tracking your click. It usually contains some hashes. REI had a particularly insane one:

https://notices.rei.com/pub/cc?_ri_=X0Gzc2X%3DYQpglLjHJlYQGp7JHk5v8vY6zcdNKw9551olzavUBNzezgBjApPlizgvzgMDDS3zfKFCjUBHyMjzbhzfzd1zcfVXtpKX%3DSRRBDWSB&_ei_=EujB6hIv0aswczclI2xtxYcKiBs0_rYJOZS-vwWyGcEb_PeKiImdar5HfChz4jyDseXg-TsdOLTe4lPmJXO7FdLAyiv7me1eq_u8dJbIu10IAyJ_-GmcT4cKqHq_3Q45qxhHhBQRGx5LJI6ElNRrDe2TxQqL0aK2jLROg3ze2MWc_NqN87Z_bKPM2U6bV_GDWm-QoosA4O7eQ0.

But they can be pretty simple too:

http://email2.anthropologie.com/a/hBWcrL$BDprJRB9JC8jNtJ4dBaO/shop?CELL_CODE=00902153

As for subdomain naming, out of my eleven, two chose “link”, another two chose “email”, and Anthropologie opted for “email2”. (I’d wager email1 went the way of R1-D1.)

Second, they all redirect

… immediately to the appropriate page on the site, filling in params for further tracking. Most kept the personal information out of there — so gold stars to Anthropologie, Birchbox, Kate Spade, Macy’s, Madewell, Nordstrom Rack, REI, the Reformation, and Sephora.

“She has a knack for not exposing her customers’ personal information to the browser”, Kate Spade might say.

It’s Loft and Everlane that fell short and ended up exposing some PII.

Why is having Personally Identifiable Information (PII) in the request not the best idea?

  1. Your information could end up in ad requests. Google DoubleClick explicitly warns against this.
  2. PII is exposed to your browser, which in turn could expose your information if it tries to fetch external images or JavaScript files.

Let’s take a closer look:

Everlane

https://www.everlane.com/collections/womens-newest-arrivals?first_name=Helen&mobile_login_gate=true&email=myemail%40gmail.com&gated_image=20150804_Backpack_Launch_Hero-W.jpg&last_name=weng&utm_source=Sailthru&utm_medium=email&utm_campaign=ABAW%202015%20Ribbed%20Knit%20Sweaters%20Launch&utm_term=Members%20%E2%80%94%20Female%20%2B%20Unknown

Here you can see my first name, last name, and email all in plain text. Three pieces of personally identifying information. I doubt they need all three; if they need any I’d recommend a hash. Although from what I’ve seen, no other campaign except Loft keeps the clickthrough email around, hashed or not.

I took a look at Everlane and found two requests to DoubleClick and a few to Google Analytics, which makes #1 a valid concern.

Loft

http://www.loft.com/new-arrivals/catl00009?cid=E0010132&cm_em=myemail@gmail.com&dtm_em=096a12f15918c7623d78c7cc85c84d32

Loft exposes my email too, but not my first or last name. Actually what’s interesting is my email already appears hashed in the original link:

http://mail.loft.com/a/hBWcpy7BgYd1XB9JCSjNtqOnDFE/image1?EMAIL_HASH=096a12f15918c7623d78c7cc85c84d32&email=myemail@gmail.com

So what happened? Loft also exposes my email in the unsubscribe link:

http://ebm.cheetahmail.com/r/regf2?a=0&aid=1617026391&n=109&t=hBWeTSlBgYd1XB9JEh$NtqOnDnH&email=myemail@gmail.com&cid=E0010165&cm_em=myemail@gmail.com&dtm_em=096a12f15918c7623d78c7cc85c84d32

Like Everlane, Loft also makes several requests to DoubleClick.
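The check done by eye above can be automated when auditing a campaign's landing URLs. The following is an added example, not code from the original post: `pii_findings`, `SEED` and the `shop.example` URL are assumptions made for illustration, and the seed values are the placeholders visible in the links quoted above. It goes slightly beyond the post by also flagging unsalted MD5, SHA-1 and SHA-256 digests of the seed values.

```python
import hashlib
from urllib.parse import parse_qsl, urlsplit

HASHES = ("md5", "sha1", "sha256")

def pii_findings(url, known):
    """Return sorted (param, field, form) tuples for query params carrying known PII.

    `known` maps a label to the test subscriber's value, e.g. {"email": "..."}.
    `form` is "plaintext" or the name of the unsalted hash that matched.
    """
    findings = set()
    # parse_qsl percent-decodes, so "myemail%40gmail.com" compares as "myemail@gmail.com"
    for param, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        v = value.strip().lower()
        for field, secret in known.items():
            s = secret.strip().lower()
            if not s:
                continue
            if s in v:
                findings.add((param, field, "plaintext"))
            for algo in HASHES:
                # An unsalted hash of an email is still a stable identifier
                if hashlib.new(algo, s.encode()).hexdigest() == v:
                    findings.add((param, field, algo))
    return sorted(findings)

# Seed subscriber (placeholder values as they appear in the links on this page)
SEED = {"email": "myemail@gmail.com", "first_name": "Helen", "last_name": "weng"}

# The Everlane and Loft landing URLs quoted on this page
EVERLANE = (
    "https://www.everlane.com/collections/womens-newest-arrivals?first_name=Helen&mobile_login_gate=true"
    "&email=myemail%40gmail.com&gated_image=20150804_Backpack_Launch_Hero-W.jpg&last_name=weng"
    "&utm_source=Sailthru&utm_medium=email&utm_campaign=ABAW%202015%20Ribbed%20Knit%20Sweaters%20Launch"
    "&utm_term=Members%20%E2%80%94%20Female%20%2B%20Unknown"
)
LOFT = "http://www.loft.com/new-arrivals/catl00009?cid=E0010132&cm_em=myemail@gmail.com&dtm_em=096a12f15918c7623d78c7cc85c84d32"
# Constructed URL (hypothetical host and param name) carrying an unsalted MD5 of the seed email
HASHED = "https://shop.example/sale?utm_source=email&eh=" + hashlib.md5(SEED["email"].encode()).hexdigest()

if __name__ == "__main__":
    for url in (EVERLANE, LOFT, HASHED):
        print(urlsplit(url).netloc, pii_findings(url, SEED))
```

Running this against the final URL of each redirect chain, using a dedicated seed address per campaign, turns the manual review into a repeatable test.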

And the others

Overall I’m pleased with how undecipherable the rest of the tracking params are, even the unsubscribe links! So I’ll keep on merrily clicking my way on to savings. Thanks email campaigns; now if you could only fix your too-low-res-for-retina images then you’ll have my wallet completely at your mercy.

Anthropologie

http://www.anthropologie.com/anthro/category/sweaters/clothes-sweaters.jsp?utm_campaign=Email&utm_medium=Promotional&utm_source=121715_cozy&utm_content=shop&cm_mmc=Email-_-121715_cozy-_-%23U00902153-_-shop#/

Birchbox

https://www.birchbox.com/shop/gwp-nye-wanderlust-w3ll-people?utm_source=Sailthru&utm_medium=email&utm_campaign=121715_W_S_NYEGWP&utm_term=W_Current_Subs

Macy’s

http://www1.macys.com/?cm_mmc=MCOM-_-20151217_MCOM_RTWPetiteNYEDress-_-homepage-_-POB3_121715EMAILMCOMPlusNYEDressPOB3MUSE&cm_lm_mo=twkwEBFbgl@TFzbk.gBF

Kate Spade

https://www.katespade.com/new/collections/the-holiday-collection/?cm_mmc=ExactTarget-_-12182015_Novelty-_-12182015_Novelty-_-https%3a%2f%2fwww.katespade.com%2fnew%2fcollections%2fthe-holiday-collection%2f&utm_source=email&utm_medium=email&utm_campaign=12182015_Novelty&utm_content=https%3a%2f%2fwww.katespade.com%2fnew%2fcollections%2fthe-holiday-collection%2f&extgid=extg_12182015_Novelty&cp=1174538173

Madewell

https://www.madewell.com/gift_guide/GIFTWELLGUIDE.jsp?srcCode=MWEMBR01574&rmid=Dec_1216_Sweater_Gifts_25Off_Entire_Purchase_Banner_US_ONLY&rrid=705178&uea=gI2l214DqSF8j9dVrs7Jl5y7L3D1suKGJJaGeJy4Ai4%3D

Nordstrom Rack

https://www.nordstromrack.com/clearance/Women/Clothing/Coats%20%26%20Jackets?cm_mmc=email-_-121615-_-21206-_-tile1&cm_mmca1=121615_MKD_F&cm_mmca2=Rack_A_F&cm_mmca3=2356&cm_mmca4=2144&cm_mmca5=3cf8d249-2747-11e5-854e-2aba26916440&sid=1090795&mid=2356&aid=21206&cid=Rack_A_F

REI

http://www.rei.com/s/deals?ir=collection%3Adeals&page=1&RMID=20151216_RUSH_Holiday_SL1&cm_mmc=email_com_gm-_-holiday_gifting-_-121615-_-img_hero&ev36=22354730&RRID=50643544&ev11=1

Sephora

https://www.sephora.com/profile/myBeautyBag/?om_mmc=tr-us_US_Ratings_and_Reviews-he-reviewbeautybag&emtc2=e62fb3af-cc57-42c4-a1a1-85bc8cdc865e&emlid=e7acf0818337475aa1d5b27790279aeb&ematg=6482928002&emcid=34924696&viq_epid=bb2b32e7-0dc6-4139-a1f7-856899397920%7C34924696

The Reformation

https://www.thereformation.com/nye-collection?utm_source=NEW+Master+List+-+LA%2FNY%2FWEBSITE&utm_campaign=7e5d525603-NYE+DRESSES+%2B+MORE+ADDED+TO+SALE&utm_medium=email&utm_term=0_7ffc02ea5a-7e5d525603-337865049