A phone number at checkout looks simple. The store wants a way to call about a delivery problem, send a receipt, stop fraud, or recover an account later. In some cases, that is a legitimate operational need. The privacy question is whether the phone field is truly tied to the purchase, or whether it is quietly doing more work: creating a reusable identity key, helping the store match records, and making the shopper easier to track across future visits.

The difference matters because phone numbers are sticky. A cookie can be cleared, but a phone number follows the person across devices, apps, and sessions. If a retailer treats the number as a general-purpose identifier, it can link orders, loyalty profiles, support tickets, marketing consent, and return history. That is a bigger deal than a delivery callback. It is the start of a durable customer graph.

NIST’s digital identity guidance is useful even outside government systems because it treats authentication as a specific risk decision rather than a blank check to collect whatever happens to be available. A phone-based code can prove control of a number, but control is not the same thing as broad identity proof. A checkout should ask for the least identifying thing that actually solves the immediate problem, then stop there.

The CPPA’s data minimization advisory makes that standard concrete: collection, use, retention, and sharing should be reasonably necessary and proportionate to the disclosed purpose. If the purpose is shipping updates or account recovery, a phone number may be justified. If the purpose is marketing, analytics, or cross-device matching, the same field becomes much harder to defend. Purpose matters. So does scope.

Pew’s privacy research helps explain why shoppers distrust this kind of ask. Many people feel they have little control over what companies collect and how it is used. That sense of loss is especially strong at checkout, where the shopper is already invested and may not want to abandon the cart. A phone field presented at that moment can feel less like a choice and more like a condition of entry.

There are also household risks. One phone number may belong to a parent, a teen, a caregiver, or a shared family line. If the store binds that number to every order, then one purchase can contaminate the profile for everyone who uses the device or line. A family might start seeing the same promotions, the same reminders, or the same account recovery prompts even when only one person touched the cart.

A practical defense checklist is straightforward. Ask whether the number is needed for delivery, fraud checks, or account recovery. Look for a guest checkout path. Decline marketing or SMS consent unless you actually want it. Use email or a virtual contact method when the store accepts it. If the number is only there to speed up post-purchase upsells, that is a sign the field is serving the retailer more than the buyer.

cloak’s job is not to ban every phone request. It is to make the purpose visible before the number becomes a permanent join key. If a store cannot explain why a phone field is necessary for this purchase, a normal shopper should be able to skip it without losing the ability to buy.

That last part matters because pressure often appears as a false tradeoff. The site may imply that a phone number is required for checkout when the real need is only a receipt, a shipping address, or a fraud check. Good UX would show the reason, offer a fallback path, and avoid asking for the number again after the order is done. If a merchant can complete the purchase without the phone field, the burden should be on the merchant to justify why the field appears at all.

A clean fallback could be as simple as an email receipt, a carrier tracking page, or a one-time support link that does not become a reusable login. That is enough for most purchases and keeps the shopper from handing over a permanent contact key.