If you’ve ever had a contact allow a service to read their contacts, you are in their database. That then gets cross-referenced with the (relatively few) online store providers the first time you use that address - or the obfuscated emailname.store@* version that was meant to serialize or identify spammers but which the simplest script can undo. Now your shipping/billing address, phone, and partial purchase history can be linked with every social media company that weird chick who did upside down keg hits with you that one night decided to allow contact access. Or your aunt Gertrude.
And it’s not even that complicated. Are you in the contacts list of anyone who has ever used the internet? Google, yahoo, or microsoft definitely know who you are in their internal databases and can create a web of contacts and likely contacts just from a couple of emails. Heck, I remember when there were “contact synchronization” websites where you could transfer your contacts between gmail addresses, or to/from other mail services. It was free, so I can just about guarantee they’re selling all of your info, which has been checked and corroborated by however many of your contacts decided to use their services.
And we know how strict these big companies are about voluntary compliance to the GDPR. ;-) I’m glad at least someone is putting in rules against this fuckery but, sadly, once that data is sold to the first outside vendor (Cambridge Analytica, Palantir, etc.) it’s out there and lives on the internet forever, even if the big boys are brought to heel by the EU.