Marketing firms have been collecting email addresses from web forms before users submit their information and without consent

A recent research has shown that various tracking, marketing and analytics companies have collected the email addresses of users who fill out web forms before their responses are sent and without prior consent.

For this research, by experts from Radbound University and the University of Lausanne, we looked at how web forms on 100,000 popular websites manage the data received on their forms.

In this project, the team developed software capable of measuring the collection of email data and passwords from web forms. In case you don’t remember, a web form is an input box through which users of a website can enter their data and send it to a local or remote application.

The fact that users enter their data in a form and send it to the website in question implies that consent has been given to collect this information; however, some websites running JavaScript code can respond to events before the user finishes submitting a form, collecting information without prior consent.

The researchers concluded that website users’ email addresses are sent to marketing and analytics domains before selecting the “Submit” option on at least 2,920 websites in the U.S., and on some 1,844 online platforms in the European Union. In some cases, this information is sent to the operators of the websites without encoding, encryption or any other security measures.

According to the study, most of the email addresses collected this way were sent to known tracking domains, although experts report identifying 41 tracking domains that are not on any of the popular block lists.

Another interesting finding is the incidental collection of passwords on at least 52 websites using third-party operated session replay scripts. These scripts are designed to record key user movements on a website, including keystrokes, mouse movement patterns, and other features.

These practices will not go unnoticed by data protection regulators. In their conclusions, the researchers mention that this collection of email addresses could violate various provisions of the European Union’s General Data Protection Regulation (GDPR), which would amount to millionaire fines against the infringing companies.

Currently the U.S. does not have a federal data privacy law, although there are state laws under which infringing companies could be sanctioned. Still, the researchers believe these legislations have a limited scope to address this problem adequately.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.