Martech firms among third parties scooping email addresses from websites prior to submission

  •   May 16, 2022

Email addresses and passwords are being collected from website logins and sent to trackers before consumers submit the data or give consent, according to a new research paper by several academics. Some of that data is apparently going to martech providers. Email addresses can be used to track consumer behavior both on- and off-line,

Of the 100,000 sites examined, email addresses were collected from 1,844 websites in the EU and 2,950 sites in the U.S., according to “Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission.”


2022 MarTech replacement survey

Have you moved from homegrown legacy applications to commercial solutions (or vice versa)? Let us know!

Take the 2022 MarTech Replacement Survey today!


U.S. vs. EU results. “Comparing results from the EU and the U.S. vantage points, we found that 60% more websites leaked users’ emails to trackers, when visited from the U.S. Measuring the effect of consent choices on the exfiltration, we found their effect to be minimal. Based on our findings, users should assume that the personal information they enter into web forms may be collected by trackers — even if the form is never submitted,” write researchers Asuman Senol (imex-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne and Frederik Zuiderveen Borgesius (Radboud University).

The top third-party collectors of email addresses include martech firms Taboola, Bizible (part of Marketo), Glassboxdigital.io, rlcdn.com (AtData, formerly TowerData, formerly Rapleaf), Fullstory, Wunderkind, Awin and Zenaps. 

Awin issued a statement in response to queries: “We’re currently investigating the behavior of this technology but can reassure users that the information is immediately hashed before it reaches us and is only collected to ensure proper attribution to the services they engage.”

None of the other companies have so far responded to requests for comment.

Read next: Why data compliance is more than consent management

The paper, to be presented at USENIX Security’22 in August, reported, “Taboola said in certain cases they collect users’ email hashes before form submission for ad and content personalization; they keep email hashes for at most 13 months; and they do not share them with other third parties. Taboola also said they only collect email hashes after getting user consent; however, our findings and subsequent manual verification showed that was not always the case.”

While this activity is legal at a federal level in the U.S., it is banned in the EU under GDPR.


Get the daily newsletter digital marketers rely on.

Processing…Please wait.


The worst offending categories include: Fashion/Beauty (11.1% EU; 19% U.S.) Online Shopping (9.4% EU; 15.1% U.S.); and General News (6.6% EU; 10.2% U.S.).

Why we care. With the end of cookies, it is inevitable that marketers will look for new sources of consumer data. Few are as useful as email addresses which are unique and persistent and can be tracked across the web and in the real world via things like loyalty programs. However, taking them without consent is a blatant violation of law in the EU and privacy expectations in the U.S.

The post Martech firms among third parties scooping email addresses from websites prior to submission appeared first on MarTech.

This marketing news is not the copyright of Scott.Services – please click here to see the original source of this article. Author: Constantine von Hoffman

For more SEO, PPC, internet marketing news please check out https://news.scott.services

Why not check out our SEO, PPC marketing services at https://www.scott.services

We’re also on:
https://www.facebook.com/scottdotservices/
https://twitter.com/scottdsmith
https://plus.google.com/112865305341039147737