Shipping address privacy risk starts with a boring-looking form field. A store needs an address to deliver a package. That part is normal. The privacy problem is that an address can also connect the cart to a household, neighborhood, property type, income proxy, delivery constraint, fraud model, tax jurisdiction, local inventory system, and future marketing profile. Before the package arrives, the address may already have made the shopper easier to classify.
The data-broker angle matters because addresses are durable. The FTC's data broker report described an ecosystem where consumer information is collected from many sources, packaged, and used for marketing, risk mitigation, and other products. A shipping address is a strong join key: it can connect names, household members, purchase history, public records, neighborhood segments, and offline identifiers. Even if the shopper thinks the session is just one order, the address can help merge it with a bigger file.
Location sensitivity is not limited to GPS. The FTC's discussion of mass data collectors, including actions involving location and browsing data, shows why regulators treat place-based information as sensitive. A home address can reveal routines and household context even without live tracking. Combine it with delivery windows, pickup choices, mobile-app location prompts, and nearby-store availability, and the merchant can learn more than the fact that a package should go to a door.
Personalization can then turn logistics into treatment. Stores may show different shipping speeds, local inventory, pickup nudges, fraud checks, payment options, or promotions based on address-derived context. Some of that is operationally reasonable. The concern is opacity: shoppers rarely know when address, device, account, and cart signals feed risk scoring or offer ranking. If a neighborhood proxy changes what the site shows, the user usually sees only the outcome, not the classification behind it.
The California privacy regime is useful here because it treats personal information broadly and gives consumers rights around access, deletion, opt-out, and sensitive data rules. A shipping address is plainly personal information in ordinary use. That does not mean a merchant cannot process it to ship an order. It does mean shoppers should be skeptical when a one-time purchase turns into long-term account creation, resale of contact details, endless catalogs, or location-flavored ad targeting.
Pew's privacy research explains the emotional side. People know companies collect a lot, but they often cannot tell which small field will become a durable identifier. The address form is especially tricky because it feels mandatory and practical. A shopper may avoid an account, decline marketing, and block some cookies, then still hand over the strongest offline connector in the whole transaction because delivery requires it.
A practical defense is to choose pickup lockers or store pickup for sensitive orders when appropriate, avoid saving addresses to accounts you do not need, use guest checkout when possible, limit app location permissions, opt out of data sale or sharing where rights apply, and treat health, family, financial, or gift purchases as higher-sensitivity shipments. cloak's role is to make this visible at checkout: when a store starts using address, location, and profile clues beyond basic fulfillment, the user deserves a plain warning before logistics becomes leverage.