A TechCrunch investigation found that the U.S. Postal Service shared its online customers' addresses with advertising and tech giants Meta, LinkedIn and Snap.
USPS announced Wednesday that it had addressed the issue and stopped the practice, claiming it was “unaware” of the problem.
TechCrunch discovered that the USPS was sharing its customers' information through hidden data-collection code (also known as tracking pixels) used throughout its websites. Technology and advertising companies create this kind of code to collect user information, like which pages users visit, every time a webpage containing the code is loaded in a customer's browser.
In the case of the USPS, part of the data collected included the mailing addresses of customers who were logged into USPS Informed Delivery, a service that allows them to see photos of their mail before it arrives.
It is unclear how many people's personal information was collected and for how long. Informed Delivery had more than 62 million users as of March 2024.
“The Postal Service uses the analytics platform for internal purposes to understand usage of our products and services and aggregate that information to help market our products,” USPS spokesperson Jim McKean said in a statement to TechCrunch.
“The Postal Service does not sell or provide any personal information collected from this analytics platform to any third parties, and was not aware of any configuration of the platform to collect personal information from URLs and share it with social media without our knowledge.”
“We took immediate action to remedy this issue,” the spokesman said, without specifying what actions they had taken. The spokesman declined to comment further.
Reached for comment, Facebook spokesman Emil Vásquez said: “Our policies are clear that advertisers should not submit sensitive personal information through our business tools. Doing so is against our policies, and we coach advertisers to configure their business tools appropriately to prevent this from happening. Our systems are designed to detect and filter out potentially sensitive data.”
Spokespeople for LinkedIn and Snap did not immediately respond to TechCrunch's inquiries for comment.
TechCrunch's testing found that the USPS website was sharing the postal addresses of logged-in USPS Informed Delivery customers with Meta, LinkedIn and Snap. TechCrunch tested this by inspecting network traffic with a tool built into most modern browsers.
In our testing, we found that data collection code on the USPS website was scraping customers' addresses from the Informed Delivery landing page after they logged in and sending them to those companies.
The code also collected other data, such as information about users' computer types and browsers, but that data was partially pseudonymized: it was scrambled, using random identifiers instead of actual customer names, in a way that makes it harder for humans to tell where the data came from and whom it relates to. But researchers have long warned that pseudonymized data could still be used to re-identify seemingly anonymous individuals.
TechCrunch also found that tracking numbers entered into the USPS website were shared with advertisers and technology companies, including Bing, Google, LinkedIn, Pinterest and Snap. Some in-transit tracking data, such as the mail's actual location within the postal system, was also shared, even if the customer wasn't logged into the USPS website.
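The check described above, inspecting a browser's network traffic for customer data sent to other companies, can be automated against a HAR file exported from the browser's developer tools while logged in with a test account. The following is an added example, not TechCrunch's or the USPS's code; the host names, the `post.example` site, the sample address and the function names are constructed for illustration.

```javascript
// Constructed HAR excerpt (hypothetical hosts and address, not captured traffic).
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://www.post.example/dashboard?addr=123+Example+St", headers: [] } },
  { request: { url: "https://px.tracker-a.example/tr?ev=PageView&dl=https%3A%2F%2Fwww.post.example%2Fdashboard%3Faddr%3D123%2520Example%2520St",
               headers: [{ name: "Referer", value: "https://www.post.example/" }] } },
  { request: { url: "https://px.tracker-b.example/collect?v=1",
               headers: [{ name: "Referer", value: "https://www.post.example/dashboard?addr=123+Example+St" }] } },
  { request: { url: "https://static.fonts.example/a.woff2", headers: [] } },
] } };

// Undo nested URL encoding (pixels often embed the page URL as a parameter),
// then reduce to lowercase alphanumerics so "123+Example+St" == "123 Example St".
function normalize(text) {
  let s = String(text || "").replace(/\+/g, " ");
  for (let i = 0; i < 3; i++) {
    try {
      const decoded = decodeURIComponent(s);
      if (decoded === s) break;
      s = decoded;
    } catch (e) { break; } // malformed escape: keep what we have
  }
  return s.toLowerCase().replace(/[^a-z0-9]+/g, " ").trim();
}

function isFirstParty(host, site) {
  return host === site || host.endsWith("." + site);
}

// Report every third-party request whose URL, Referer or body carries a canary value.
function findLeaks(har, firstPartySite, canaries) {
  const needles = canaries.map(normalize).filter((n) => n.length > 0);
  const findings = [];
  for (const { request } of har.log.entries) {
    let host;
    try { host = new URL(request.url).hostname; } catch (e) { continue; }
    if (isFirstParty(host, firstPartySite)) continue;
    const referer = (request.headers || []).find((h) => h.name.toLowerCase() === "referer");
    const fields = {
      url: request.url,
      referer: referer ? referer.value : "",
      body: request.postData ? request.postData.text : "",
    };
    for (const [where, raw] of Object.entries(fields)) {
      const hay = normalize(raw);
      for (const needle of needles) {
        if (hay.includes(needle)) findings.push({ host, where, value: needle });
      }
    }
  }
  return findings;
}

console.log(findLeaks(SAMPLE_HAR, "post.example", ["123 Example St"]));
```

The canary list should hold values known to belong to the test account, such as its mailing address or a tracking number entered during the session; running the same audit after each tag-manager or analytics change turns it into a regression check.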
A USPS spokesman declined to comment on whether the postal service would ask tech companies to delete the data they collect.
A spokesman for the USPS Office of Inspector General, the federal watchdog that oversees the postal service, had no comment at press time.
The USPS is the latest organization to restrict the use of web tracking codes in recent years.
In 2023, after removing the tracking codes, telehealth wellness startup Cerebral and alcohol recovery apps Tempest and Monument revealed that they had shared personal health information, including user-submitted ratings, with tech and advertising companies.
That same year, the FTC filed enforcement actions against GoodRx, a healthcare data giant that agreed to pay $1.5 million for sharing customers' health data with advertisers, and BetterHelp, an online therapy company that was ordered to pay $7.8 million for sharing patients' private health survey responses.
Updated with comment from Meta.