How to Protect Your Email Data
Setting up your company email with a big name like Gmail or Outlook feels like you're going with the reliable choice, but in doing so, you may actually be serving your email data to big tech on a platter.
In this article, we'll go over how to prevent your business email data from being scanned or sold by big tech companies, along with general information on protecting your email data from all threats through secure encryption and email protocols.
How Do Companies Collect Email Data?
We typically think of our data being compromised due to cybercrime. However, we also (often accidentally) make our own email data available to companies on a regular basis. And, if you use a big-name email provider like Google or Outlook, it’s possible that your email provider is harvesting your email data directly.
Here are some of the most common ways your email data gets picked up by companies:
- Cyberattacks: Phishing, spoofing, malware, and man-in-the-middle (MITM) attacks are all common email security threats that bad actors can use to gain access to your email login credentials. Once inside your account, they can also access and leak all of the emails in your account, including those that contain sensitive information.
- Other companies’ data breaches: Having your own account hacked isn’t the only way a data breach can affect you or your business. If you have an account with another company that experiences a data breach, your information may be included in the leak and picked up by scammers or data brokers.
- Public sharing, web scraping, and third-party apps: We often make our own email addresses available to companies without thinking when we share contact info publicly on the internet or sign up for third-party apps. Bots can easily collect email addresses posted on the web or social media platforms, and many third-party apps actively sell user data to data brokers.
- Using weak passwords: Using predictable passwords (like your birthday or a pet’s name) or reusing a password across multiple accounts can expose your information. These practices make it easier for bad actors to guess your password and to access multiple accounts that all use the same password, making you much more vulnerable to a breach.
- Email scanning: Email providers, particularly big companies, often scan your email for a variety of purposes.
How Do Companies Use Email Data?
Companies use your email data for two main reasons:
1. To increase their own efficiency through sales and/or product advancements
2. To improve the user experience through personalization
These efforts can range from valuable to annoying or even predatory:
Data profiling
Companies can use your email data to track metrics like email open rates, click-through rates, and purchase history. Because your email often serves as a central identifier across multiple platforms (accessing the same app on your phone and your TV, or using the same email for all your social media accounts), companies can also track your activity across devices and across services to create a digital profile based on your online behavior.
Security features
Email providers often use data from email scanning to increase your security by identifying and filtering out spam emails and other malicious messages. Behavioral tracking can also help companies notice when your activity suddenly changes, allowing them to identify identity theft or fraud quickly and to send you accurate security alerts.
Convenience features
Companies can use the information they learn from tracking your data or scanning your email to support convenience features like autofill or predictive text composition tools, predictive search, generated email summaries, or to deliver personalized content on various platforms.
Marketing and targeted ads
The most common way companies apply the knowledge they’ve gained through data profiling is targeted marketing. Companies often send newsletters, product or discount announcements, and ads that are catered to your preferences based on your past purchase history or search behavior.
Sales to third parties
Many third-party apps sell customer data in order to make more money. This data is often purchased by data brokers who not only buy data but also collect it through web scraping and sometimes through public records. Data brokers often create sets of data to sell to other companies, which then analyze customer behavior to create more effective marketing campaigns.
AI model training
Big-name email providers have also been rumored to use email scanning to feed their AI models. In part, the data gained from this scanning is used to power convenience features like AI-generated email summaries—but that’s not all. While Google has stated that data from scanned emails has not been used to feed its AI assistant Gemini, the company is currently involved in a lawsuit where the plaintiff claims that Google secretly enabled smart features in Gmail to track and analyze private user communications without user consent, starting in October 2025.
Protecting Your Email Data: Best Practices
Given the many ways that companies can end up with access to your email data, safeguarding it may feel like a hopeless cause. However, there are methods for protecting your email data from both hackers and data-hungry business agencies.
1. Keep Your Personal & Business Email Separate
Because account linking makes it easy for companies to track your activity across platforms and devices, maintaining separation between your personal and business email accounts is more than just a matter of professionalism.
Here’s how having a professional business email account and keeping business and personal communication separate contributes to your security:
- Minimizes information leaked in data breaches: If your personal email data is included in a breach, your business email data will remain safe.
- Limits cross-contamination between accounts: Your personal shopping habits won’t inform your business’s data profile, while your company’s financial details and sensitive client information won’t become accessible if someone hacks your personal email.
2. Choose the Right Business Email Provider
Using a free email account through a provider like Gmail or Yahoo to create your business email may keep your personal and business accounts separate, but it won’t provide you with the highest level of data protection. The best way to keep your data safe is to use a secure email provider and set up a custom, domain-based email account.
Reasons to avoid free email providers:
- Your sensitive data may be scanned and used by the company in predatory ways
- Your behavior may be tracked to provide you with more targeted ads
- You may not have access to advanced security features like end-to-end encryption or robust spam filtering
- Your provider may not meet industry-specific standards for data privacy, such as HIPAA requirements for healthcare providers
What to look for in a secure email provider:
- Two-factor authentication and access controls for different users to prevent unauthorized access to emails containing sensitive data
- Powerful spam filters and threat detection against phishing and malware attacks
- Support for end-to-end encryption to protect email content privacy from inbox to inbox
- The ability to enable SPF, DKIM, and DMARC DNS protocols to verify email senders and prevent domain spoofing (hackers pretending to send emails from your domain)
- Trustworthy data storage policies, such as owning their own data centers rather than relying on Amazon Web Services (AWS) or Google Cloud
- Industry-specific compliance features, like a Business Associate Agreement for HIPAA compliance
- The ability to set up multiple email addresses so that you can use email aliases (an alternative email address that forwards to your inbox) to keep your email address private when signing up for services or apps
3. Follow Secure Email Protocols
Establishing secure email protocols for your company will help you and your employees to create layers of protection for your email data.
Pay attention to device and network security
Making sure that you install all of the latest software updates on your devices and staying off of unsecured Wi-Fi networks are simple but incredibly important aspects of protecting your data, email and otherwise.
Software updates often contain patches that fix previous vulnerabilities or guard against newly discovered threats, and avoiding unsecured Wi-Fi networks prevents hackers from intercepting your emails using man-in-the-middle (MITM) attacks or injecting your device with malware. If you must use an unsecured Wi-Fi network, you can use a Virtual Private Network (VPN) service, which creates an encrypted tunnel that keeps your data secure.
Train all staff to use strong passwords
Inform your employees of the dangers of using passwords that are easy to guess or reusing the same password for multiple accounts. A strong password often contains a mix of letters, numbers, and symbols, and many experts suggest using a pass phrase rather than simply a word to make it even harder for others to figure out your password.
Using a password manager is also a great way to make sure you and your staff use strong passwords and that your passwords are kept safe. A password manager is a software application used to create, manage, and store passwords within a secure, encrypted digital vault, so that you don’t have to bother with writing down or trying to memorize passwords. Some popular password managers include Bitwarden and 1Password.
Enable high-level security features
To prevent unauthorized access to your accounts and email, make sure that you’re using the following:
- Two-factor authentication for email logins to prevent unauthorized logins
- End-to-end encryption when sending emails to keep your email content safe in transit
- DKIM, SPF, and DMARC DNS protocols to verify the authenticity of emails you receive and to prevent bad actors from spoofing your email address so that they can send scam emails that look like they’re coming from you
If your email provider offers two-factor authentication, you should have the ability to enable it when you set up your email account.
End-to-end encryption can be a feature that’s offered by your email provider or that you can add using a browser extension or third-party software. If end-to-end encryption is offered by your email provider, you may need to actively enable it within your account to make sure that it is applied.
You should be able to configure your DKIM, SPF, and DMARC protocols if your business has a domain-based email account. Accessing your DNS protocols can look different from service to service, so you’ll need to get in touch with your provider to figure out the exact process for your account.
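Once your SPF and DMARC records are published, it is worth checking that they actually enforce something. The following is an added example, not part of the original article or any provider's tooling: it audits TXT record strings for common weak settings. The records and the names example.com and mailhost.example are constructed placeholders; DKIM is left out because its selector name varies by provider.

```python
# Constructed sample TXT records (example.com is a placeholder domain).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # cost a DNS query

def audit_spf(records):
    """Findings for the TXT records at the domain itself (SPF, RFC 7208)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    findings, lookups, all_seen = [], 0, False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        name = term.lstrip("+-~?").replace("=", ":").replace("/", ":").split(":")[0].lower()
        lookups += name in LOOKUP_TERMS  # True counts as 1
        if name == "all":
            all_seen = True
            if qualifier in "+?":
                findings.append(f"'{term}' does not fail mail from unlisted servers")
            elif qualifier == "~":
                findings.append("'~all' is a softfail; '-all' is a hard fail")
    if not all_seen and "redirect=" not in spf[0].lower():
        findings.append("no 'all' term; unlisted servers get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings

def audit_dmarc(records):
    """Findings for the TXT records at _dmarc.<domain> (DMARC, RFC 7489)."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    pairs = (part.partition("=") for part in dmarc[0].split(";"))
    tags = {key.strip().lower(): value.strip() for key, _, value in pairs if value}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'} leaves failing mail delivered as usual")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address; aggregate reports are not collected")
    return findings

def audit_domain(domain, txt=SAMPLE_TXT):  # txt maps DNS name -> TXT strings
    return {"spf": audit_spf(txt.get(domain, [])),
            "dmarc": audit_dmarc(txt.get("_dmarc." + domain, []))}
```

To audit your own domain, replace the sample mapping with the TXT strings shown in your DNS provider's control panel for the domain and for `_dmarc.<domain>`.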
Teach employees to recognize scam emails
Training your employees to recognize phishing and other types of scam emails can help you prevent email data leaks and theft. Simple practices can go a long way when it comes to protecting your company from hackers and malware.
Watch out for:
- Urgent requests for sensitive information, especially financial
- Urgent requests to click on links or open attachments
- Generic greetings and text that contains a lot of typos
- A sender’s email address that doesn’t exactly match emails previously sent by the same company or individual
Keep your information off of third-party apps
While it may be impossible to avoid using third-party apps, there are a couple of ways to prevent your email information from being collected and sold.
- Limit what you share: One way is to carefully read third-party app privacy and permissions policies so that you can avoid using apps that may sell your data and can disable permissions whenever possible.
- Use an email alias: An email alias is a substitute email address that forwards to your inbox and that you can use in place of your actual email address when signing up for apps or services. Using an email alias allows you to create an extra barrier of protection between your real email address and threats to your data privacy.
Exercising caution will help you stay safe on apps.
Disable tracking and personalization features
Apps and email providers will often give you the opportunity to turn off tracking and other personalization features in your settings. This can help prevent your email messages from being scanned to feed AI models and can help reduce the number of targeted ads you receive based on your online behavior.
Unfortunately, these features are sometimes turned back on when a service is updated, so you’ll need to routinely check to make sure that tracking and personalization features remain turned off in your account.
Frequently Asked Questions
It’s dangerous to reuse your email password (or any other password for that matter) because if your email data is leaked, including your password, that password can be used to access other accounts. If you’ve reused your email password for financial accounts, you could easily be putting yourself at risk of identity theft.
Data brokers are companies that collect, compile, and then sell data about consumers. Data collection often occurs without consumers’ knowledge or consent, pulling from scrapable online activity, public records, and even purchase history. This data is used to create consumer profiles that can be sold to other companies, most commonly for marketing purposes, but also for risk assessment by banks and other institutions.
Email encryption is a security protocol that converts regular, readable text into scrambled ciphertext. Encrypting your emails is important because it prevents unauthorized individuals from accessing email content while it is in transit from sender to recipient.
You can prevent companies from getting your email data by avoiding free email services, turning off tracking and personalization services within your email account, and following security protocols that keep your email password safe and ensure that your emails are only accessed by authorized users.
Free email services are not always secure. Big-name services like Gmail and Outlook actually don’t enable end-to-end encryption by default, and may scan your email data for targeted marketing and to feed AI models. To keep your email data safe, it’s best to go with a domain-based email account from a provider that offers robust security features.