Does anyone know for sure that cookies or browser uniqueness were exploited to identify the visitor? I've used LeadLander, and as far as I can tell LeadLander and Relead both use reverse DNS to find what company the visitor is from. They track what pages the visitor goes to, and time spent (Google Analytics style). Plus "helpful" information like the company's location, and publicly available info about who works there.

That sort of information doesn't feel creepy to me, it's basically what you could do manually with info from the server logs and lots of searching (DNS, Google, LinkedIn).

If they are using information from another website where the user is logged-in to get the contact information it might be illegal, as it is likely that the first website's privacy policy doesn't say they are giving away that information. If company X uses LeadLander, and LeadLander gathers a user's email address from them, then gives that address to company Y when the same person visits, company X might be breaking the law because they are giving away personal information without stating it in their privacy policy. And privacy policies are required by California law.