Thousands of websites regularly disclose identifying data to third-party information brokers, advertisers and marketing companies, according to a new study.
This practice is well known, but what is new is that this data is sometimes collected without you even clicking the consent box or submitting the form to the website. Indeed, the study, conducted by researchers from KU Leuven, Radboud University and the University of Lausanne, found that thousands of websites transmit information to third-party trackers even before site visitors press “Enter” or the registration button.
You may think that filling out the form and then deciding not to submit will save you from the data collectors. However, the research shows that ‘keyloggers’ record everything the user types on their keyboard before they have even agreed to submit this information. The use of scripts that monitor and capture keystrokes when the user fills out a form had already been reported in early May 2022 by Gizmodo.
An email address, IP address, tracking cookie, identification number, and online identifier are almost always considered personal data under GDPR rules. The same goes for email addresses (encrypted or not), as long as they contain a unique identifier that can be linked to a person.
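A site owner or auditor can check a captured browsing session for the behaviour described above. The following is an added example, not code from the study or from this article: it scans a constructed request log for a typed email address sent to third-party hosts before the form is submitted. The event format, the host names and the set of encodings searched (plain, Base64, MD5, SHA-256) are assumptions of this example.

```python
import base64
import hashlib
from urllib.parse import unquote, urlsplit

def email_variants(email):
    """Forms of the typed address to search for, keyed by encoding name."""
    raw = email.strip().lower().encode()
    return {
        "plain": raw.decode(),
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def site_of(host):
    """Crude site key (last two labels); a real tool would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def find_presubmit_leaks(events, page_host, email):
    """Return (host, encoding) for third-party requests carrying the address before submit."""
    variants = email_variants(email)
    leaks = []
    for ev in events:
        if ev["type"] == "submit":
            break  # later requests are ordinary form submission
        if ev["type"] != "request":
            continue
        host = urlsplit(ev["url"]).hostname or ""
        if site_of(host) == site_of(page_host):
            continue  # first-party traffic is out of scope
        text = ev["url"] + " " + ev.get("body", "")
        text += " " + unquote(text)  # also match percent-encoded values
        for name, value in variants.items():
            if value in text or value in text.lower():
                leaks.append((host, name))
                break
    return leaks

# Constructed capture: requests logged while typing, a submit, then one request after it.
_V = email_variants("alice@example.org")
SAMPLE_EVENTS = [
    {"type": "input", "field": "email"},
    {"type": "request", "url": "https://www.shop.example/api/validate", "body": "email=alice%40example.org"},
    {"type": "request", "url": "https://px.metrics.example/i?em=alice%40example.org"},
    {"type": "request", "url": "https://t.tracker.example/c?uid=" + _V["sha256"]},
    {"type": "request", "url": "https://cdn.ads.example/p", "body": '{"e":"' + _V["base64"] + '"}'},
    {"type": "request", "url": "https://fonts.example.net/css?family=Inter"},
    {"type": "submit"},
    {"type": "request", "url": "https://crm.example.com/lead", "body": "email=alice@example.org"},
]
```

Calling `find_presubmit_leaks(SAMPLE_EVENTS, "www.shop.example", "alice@example.org")` reports the three third-party hosts that received the address before the submit event and ignores both the first-party validation call and the post-submit request.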
Several sectors affected
According to the study, more than 100,000 sites worldwide are affected by keyloggers. Of the 2.8 million web pages analysed, 1844 sites in Europe allowed trackers to exfiltrate email addresses regardless of the “submission status” of the data entered, while 2950 sites in the USA did the same. Worse, 52 websites collect passwords as the user types them.
The fashion and beauty sectors are the most represented in sites with such behaviour, both in the United States and Europe. Online shopping sites are the second most represented.
In the EU, the top five tracking domains collecting emails belonged to: Taboola, Adobe, FinStory, Awin, and Yandex. Meta and TikTok were also the two largest companies among the tracking domains that collected user data, mainly emails.
The top five websites that disclosed data to third-party tracking domains in the EU were: usatoday.com, trello.com, Independent.co.uk, Shopify.com, and marriott.com.
The sites concerned have reportedly corrected their online behaviour following disclosure of the study. However, “based on our findings, users should assume that the personal information they enter into web forms can be collected by trackers – even if the form is never submitted,” the researchers concluded.
The tracking domains collecting passwords in the EU were: Yandex.com, Yandex.ru, mixpanel.com, and lr-ingest.io.
The researchers admitted that they were surprised by these results. They had expected to find a few hundred websites where emails are collected before submission is complete, but they say the findings far exceeded their expectations.