The Ethics of Identifying Someone from an Email Address (2026)

Reverse-email lookup is one of the most powerful capabilities available to anyone with a browser. The same five-second search that helps a recruiter reconnect with a candidate can, in the wrong hands, be the first step in stalking, harassment, or fraud. This guide is a working ethical framework for practitioners — sales, recruiting, journalism, security, and anyone else who uses this tooling — to decide when a lookup is defensible and when to stop.

Three questions before any lookup

  • Purpose: What decision will I make with this data, and is that decision one the subject would reasonably expect?
  • Minimization: What is the least data I need to make it? Stop there.
  • Accountability: If the subject asked me tomorrow what I collected and why, could I answer honestly and stand by the answer?

Any lookup that doesn't pass all three is one you shouldn't do — regardless of whether the tool will let you.

Defensible uses

  • Sales prospecting against a documented ICP with a real product fit.
  • Recruiting candidates for a specific role with a real opening.
  • Journalism investigating matters of public interest.
  • Fraud prevention, KYC, and account-takeover defense.
  • Reconnecting with a lost contact (former colleague, founder, alumnus).
  • Internal due diligence on a counterparty before signing a contract.

Uses that aren't defensible

  • Profiling protected characteristics (race, religion, sexuality, health) to discriminate.
  • Building a dossier on an individual without a specific, current decision tied to it.
  • Stalking, harassment, or anything intended to intimidate.
  • Tracking a person's location, daily movements, or social patterns.
  • Doxxing — publishing identifying data to expose someone to harm.
  • Coercion, blackmail, or any use intended to compel behavior.

Research vs. surveillance — the distinction that matters

Research is bounded: one lookup, one decision, then delete. Surveillance is unbounded: continuous collection over time without a specific decision. The exact same tools can be either depending on duration, frequency, and what's done with the data. If you find yourself running the same person through the same workflow weekly, you've crossed from research into surveillance.

What the law says (roughly)

  • GDPR (EU/UK): processing personal data needs a lawful basis. Legitimate interest covers most B2B research when documented and balanced against subject rights.
  • CCPA (California): subjects have rights to know, delete, and opt out.
  • UK Online Safety Act, EU AI Act: emerging duties around automated profiling.

Reputable tools provide a data processing agreement (DPA), suppression-list tooling, and subject-rights workflows; choose those.

Disclosure — when to mention how you found them

Commercial outreach should reference the public signal that triggered it: "I saw your launch post," "Congrats on the funding," "Your write-up on X stood out." This makes the lookup transparent and gives the recipient the data they need to opt out. Hidden research is what spam looks like; visible research is what good outreach reads like.

Combining sources — where sensitivity compounds

Email + LinkedIn = standard business research. Email + LinkedIn + GitHub + conference photos = a richer profile but still within normal ranges. Email + LinkedIn + home address + family members + political donations + medical hints = a dossier. Each addition compounds sensitivity. Stop at the minimum needed for the decision in front of you, not the maximum the tools will produce.

A working personal checklist

  • Could I publish my purpose and method without embarrassment?
  • Would the subject's reasonable expectation match what I'm doing?
  • Will I delete what I don't use within 30 days?
  • Have I documented the lawful basis, so I can produce it if asked?
  • Is there a way to make the decision with less data?

Five yeses and you proceed. One no and you stop.

Frequently asked questions

Is it ethical to identify someone from their email?

It depends entirely on purpose, scope, and what you do next. Recruiting, sales prospecting, journalism, fraud prevention, and reconnecting lost contacts are broadly defensible. Stalking, harassment, doxxing, and discrimination are not — same tools, opposite ethics.

What's the line between research and surveillance?

Research collects what's already public to inform a single decision. Surveillance accumulates data over time without the subject's knowledge to monitor or control them. The same lookup can be either depending on what you do with the data afterward.

Does the law match common-sense ethics here?

Roughly. GDPR, CCPA, and most modern privacy laws permit reverse-email lookup for legitimate business interests, require minimization (don't collect more than you need), and grant subjects the right to object. The legal floor is below the ethical bar most practitioners hold themselves to.

Should I tell the person I looked them up?

For commercial outreach, yes — implicitly, by referencing how you found them in the first email ('I saw your post about X'). For internal research, no disclosure is required, but if asked you should be able to honestly describe what you collected and why.

What about combining email lookup with other sources?

Each additional source multiplies sensitivity. An email + LinkedIn is normal business research. An email + LinkedIn + home address + family members + political donations crosses into surveillance. Stop at the minimum you need for the decision in front of you.