You Didn't Give Them Your Phone Number. Here's How They Got It Anyway.
How a hidden layer of the ad industry connects your web visits to your phone number
Here’s a common question we see online quite a bit:
“How are companies getting my phone number? I never gave it to them.”
A recent example from a privacy forum illustrates the problem.
Someone visited the Samsung website for the first time, browsed a few phone models to compare prices, and left without adding anything to a cart or entering any information. The next day, Samsung called to ask why they hadn’t completed a purchase.
The person didn’t create an account, didn’t fill out a form and didn’t buy anything. He simply visited a website. 👇
So how did Samsung get this guy’s phone number?
The short answer is that he probably did give his number to them, just not to Samsung directly. The mechanism connecting those two facts is called identity resolution, and understanding it changes how you think about every form field you’ve ever filled out online.
You may recall that last month we ran a test on a free reverse phone lookup site.
We entered a family member’s phone number and got back his full name, home address, estimated income range, and a list of domain names he’d registered years ago and largely forgotten. We didn’t have to create an account or even make a payment. We typed in a 10-digit number and had detailed results a few seconds later.
That post was about what gets exposed once your phone number is in the data broker ecosystem. This situation is different and about how your number keeps getting passed around to companies even after you’ve done everything right.
What’s Actually Happening
When you visit a website, your browser sends a set of signals, such as your IP address, device type, browser version, and a collection of behavioral fingerprints that are surprisingly unique to you.
Most of that sounds familiar. What’s less understood is what happens to those signals next.
Companies like LiveRamp, Neustar, and Tapad maintain what the industry calls “identity graphs”. Translated, that means databases linking device fingerprints, IP addresses, cookies, and mobile advertising IDs to real-world identifiers: names, email addresses, and phone numbers.
These graphs are built from years of data collected across millions of websites and apps. One company’s graph covers more than 260 million U.S. profiles.
When you visit a site carrying one of their tracking pixels, your signals get matched against that graph. If you ever entered your phone number into any form on any site carrying one of their trackers, such as a a checkout page, a loyalty program signup, a contact form, that number is now linked to your device. The site you’re visiting today can surface it, even if you’ve never interacted with that company before.
This is distinct from what session replay tools do (recording your keystrokes in real time, which we covered previously - see here) and from what reverse phone lookup sites do (serving your data to anyone who searches).
Identity resolution is the layer that feeds both of those systems. It’s also why opted-out data broker profiles keep reappearing a few weeks after removal.
The Phone Call is the Least Of It
Getting an unexpected phone call from a retailer is annoying. That’s the visible effect, and it’s the one that tends to generate Reddit threads.
What happens beneath the surface is considerably more significant.
When identity resolution links your browsing behavior to your real phone number and name, it doesn’t just enable that call. It creates a behavioral record that is attached to your actual identity. That could include a wide array of activities like what health symptoms you researched at 11pm, whether you spent time on a bankruptcy attorney’s site, what political content you engaged with, how often you visited a payday loan page.
That record flows into the same data broker ecosystem we covered in our reverse phone lookup post. From there, it becomes accessible to insurance underwriters, employers running background checks, lenders running risk models, and anyone else paying for enriched consumer profiles.
The call is visible. The downstream use of the behavioral profile built in the process of identifying you is not.
There’s no notification, no audit trail, no way for most people to know what inferences have been drawn from their browsing history or how those inferences are affecting decisions made about them.
This is also why the standard privacy advice, such as opting out of data brokers, use incognito mode, clear your cookies, doesn’t address the actual problem. Incognito mode doesn’t prevent a site from running identity resolution scripts. Clearing cookies doesn’t erase your entry from an identity graph. And opting out of data brokers removes the current record but doesn’t stop the graph from re-linking your number to your device the next time you visit a tracked site.
One Thing You can Do Right Now
Stop using your primary phone number for anything outside trusted personal contacts and critical financial accounts. Every loyalty program, app signup, online order, and form gets a secondary number.
A Google Voice number works as a starting point (even if it does create a Google nexus). A prepaid SIM (a $5-10 card that reloads automatically) is more robust, since VoIP numbers are increasingly flagged by sites requiring verified numbers.
The secondary number can be handed out freely. Your real number stays out of the identity graphs, which means it stops accumulating behavioral data linked to your actual identity.
This is the correct upstream intervention. It’s why we recommend it in the reverse phone lookup post as a long-term protection strategy. Now you know the mechanism that makes it work.
The identity resolution industry is actively developing ways to maintain these graphs even as third-party cookies disappear. The infrastructure is expanding, not contracting. If you’ve wondered why your data broker profiles keep coming back after removal, or why a company seems to know more about you than you ever told them, this is the system responsible.
Reply and let us know: did you already suspect something like this was happening, or is this new information?
Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.
Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.
Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.
Do you own a Smart TV? If so, you won’t want to miss this post from our three part series on how To make your smart TV less creepy.
If you’re reading this but haven’t yet signed up, join for free (4.7K+ subscribers strong) and get our newsletter delivered to your inbox by subscribing here 👇