- Information given directly the other party must not be permanently associated with the user.
- Identity issuers must not retain permanent records of uses of information permanently associated with the user.
There would be nothing technologically preventing the delivery company from retaining these records (linking tokens with addresses, for example). I don't know if there's any good solution to that.
This is just a start on how (permanent) identifiying information can be limited in its distribution. I'm sure much more could be said here.