
I was emailed after abandoning a registration form. I did not click Submit - heshiebee
https://dev.to/heshiebee/i-was-emailed-after-abandoning-a-registration-form-i-did-not-click-submit-this-is-not-ok-a63
======
stavrus
It seems a lot of people are missing the true concern here because they only
read the first half of the article.

Going to paraphrase the article a bit here but yes, the website is capturing
the filled-in data even if the user hasn't hit the submit button. However,
they're also running a tracking script from an advertisement network in the
background that attempts to capture your e-mail. If you visit Site A as a
result of one of the ads from that network, but leave without putting down
your e-mail address, and then go to Site B and do leave your e-mail address,
the ad network will send your e-mail address to Site A in an attempt to
"re-capture" that lost impression for Site A even if you never even hit submit on
Site B. They're marketing it as a way of reducing ad-spend because you don't
have to keep trying to target potential customers who've already shown
interest through more ads.

I'm not a lawyer so I'm very curious to know how this doesn't easily violate
COPPA for Site A, Site B, and the ad network, among other privacy laws. The
wording from the ad network shown in the article is a bit vague around
enabling a "triggered email sequence", so I'm wondering if they get around
some legal issues by sending emails for Site A on their behalf rather than
sharing the email address itself.

* Edited for minor typos I noticed after hitting submit.

~~~
heshiebee
This is the text from the email footer, they call themselves safeOpt, it's
part of addshoppers.com:

THIS IS A THIRD PARTY ADVERTISEMENT This email was sent to ______@gmail.com on
2020-05-16 23:06:22.669518 (UTC). If you no longer wish to receive Aeroflow
Breastpumps communications via SafeOptⓇ, please unsubscribe here.

------
beh9540
I argued against this pattern and left shortly after the owner of a company I
worked at made me implement this pattern. As the head of the department I
actually refused, but he went to one of the engineers on my team and had them
push the change.

I can never figure out why people don't realize that even if it's legal, it
comes across as creepy.

------
reggieband
If he thinks that is nefarious wait until he learns that websites were using
visually hidden fields to surreptitiously capture browser auto-complete
details. That is, if you auto complete "name" they might have an "email",
"phone number", "address", etc. field hidden from your view that also get auto
filled.

I sure hope that browser makers have patched that somehow but I still avoid
auto-complete whenever possible.
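
The hidden-field autofill pattern described in this comment can be audited for on a page you own or are reviewing. The following is an added example, not part of the comment or the linked article; the descriptor shape, the hint list and the sample fields are assumptions made for illustration.

```javascript
// Field descriptors are plain objects so the check runs in Node as well as in a browser.
// Name/autocomplete hints that commonly trigger autofill (illustrative, not exhaustive).
const AUTOFILL_HINTS = /(email|e-mail|tel|phone|name|address|street|postal|zip|city|cc-|card)/i;

// Return the reasons a field is invisible to the user (empty array = visible).
function hiddenReasons(f) {
  const s = f.style || {};
  const r = f.rect || { width: 1, height: 1, left: 0, top: 0 };
  const reasons = [];
  if (s.display === "none") reasons.push("display:none");
  if (s.visibility === "hidden") reasons.push("visibility:hidden");
  if (parseFloat(s.opacity) === 0) reasons.push("opacity:0");
  if (r.width <= 1 || r.height <= 1) reasons.push("zero-size");
  if (r.left + r.width < 0 || r.top + r.height < 0) reasons.push("off-screen");
  return reasons;
}

// Flag fields that look autofill-eligible yet are hidden. type="hidden" inputs
// are skipped: they are routine (e.g. CSRF tokens) and not the pattern at issue.
function findHiddenAutofillFields(fields) {
  return fields
    .filter((f) => f.type !== "hidden")
    .filter((f) => AUTOFILL_HINTS.test(`${f.name || ""} ${f.autocomplete || ""}`))
    .map((f) => ({ name: f.name, reasons: hiddenReasons(f) }))
    .filter((f) => f.reasons.length > 0);
}

// Browser helper: build descriptors from the live DOM using computed styles.
function describeDomFields(doc, win) {
  return [...doc.querySelectorAll("input, select, textarea")].map((el) => {
    const cs = win.getComputedStyle(el);
    const b = el.getBoundingClientRect();
    return {
      name: el.name, type: el.type, autocomplete: el.autocomplete,
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      rect: { width: b.width, height: b.height, left: b.left, top: b.top },
    };
  });
}

// Constructed sample: one visible field plus fields hidden three different ways.
const SAMPLE_FIELDS = [
  { name: "fullname", type: "text", autocomplete: "name", style: { opacity: "1" }, rect: { width: 200, height: 30, left: 10, top: 10 } },
  { name: "email", type: "email", autocomplete: "email", style: { display: "none" }, rect: { width: 0, height: 0, left: 0, top: 0 } },
  { name: "phone", type: "tel", autocomplete: "tel", style: { opacity: "0" }, rect: { width: 200, height: 30, left: 10, top: 50 } },
  { name: "street", type: "text", autocomplete: "street-address", style: {}, rect: { width: 200, height: 30, left: -9999, top: 10 } },
  { name: "csrf", type: "hidden", style: {}, rect: { width: 0, height: 0, left: 0, top: 0 } },
];
```

In a browser console, `findHiddenAutofillFields(describeDomFields(document, window))` runs the same check against the live page. Fields hidden by clipping or by being covered with another element are not detected by this sketch.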

~~~
afiori
For this I absolutely hate Firefox master password feature. Every once in a
while you get prompted to insert your password without any kind of indication
of why, which tabs prompted it, what domain is asking, or even whether it is
just Firefox periodic syncing.

~~~
Zenbit_UX
Agreed, the worst is after you restart Firefox and have dozens of tabs from
the same site open (like reddit or HN) and each one of them requests your
master password over and over until you reject each tab's plea for you to
authenticate or finally give into the software you're supposed to be in
control of.

If anyone at Mozilla is reading this, please fix this, it's incredibly
obnoxious. I'd also appreciate it if you styled your master password prompt
better than a javascript alert dialog so I know I'm typing in my most valuable
password in the world into the browser and not some site pretending to be you.

------
threatofrain
One thing I don't think people realize is in the age of async JS, even not
doing anything is an action to be observed. Information is not sent when you
say "okay" -- it's always being sent.

~~~
umvi
Indeed one time I put something in my cart (I think it was VMWare Player) and
then visited the checkout page and got distracted. When I revisited the tab,
there was a dialogue open offering a discount.

The page thought I was hemming and hawing on whether to buy it and then
offered a discount to help push me over the edge.

~~~
shmoogy
It was likely when your mouse left the window boundary - we use that mechanism
on our exit popups. It's super effective, I fucking hate those, but the
conversion rate increase is noticeable.

------
esaym
This happens everywhere. Since eBay has started charging tax for all items
(regardless of whether or not they are used or new) in my state, I've been
using more and more small online shops for product purchases.

In many cases you have to fill out your address and email info before you can
get to a shipping page to see shipping charges. In so many cases, even though
I did not place an order or create an account, I am still sent an email saying
that I have contents in my "shopping cart" and they are looking forward to
"making me a satisfied customer".

~~~
chrismcb
What does new or used have to do with anything? Don't blame eBay, they are
just following the law.

~~~
esaym
Beats the heck out of me. But sales tax, at least in the beginning, was a way
to generate state revenue for the sale of _new_ items. It had no bearing for
private sales between two persons for a _used_ item which already had its tax
paid when it was originally bought.

------
reaperducer
This has happened to me several times since the quarantine started and I began
shopping online more.

Nothing makes me want to shop with your company less than blatantly violating
my trust before I'm even a customer.

------
ChrisMarshallNY
I knew a guy that started to fill out a shop form (card entry), and didn't
submit.

They charged the card anyway (and did not send any product).

They got an earful from him.

I suspect their form was a piece of junk, but that doesn't sound particularly
PCI-compliant, to me.

This ad-targeting, email-harvesting thing is really bad, though. It may not be
illegal in most of the US (but I'll bet it is in some states), but I will lay
odds that this company had better make sure they don't have any EU data mixed
into their little bouillabaisse.

~~~
heshiebee
That’s really crazy. It’s theft and should be prosecuted as such.

~~~
ChrisMarshallNY
Yup. He said that they probably weren't malicious about it, but hired a really
shitty Web designer. They got all cooperative when he said his next call would
be the local FBI office.

------
mcintyre1994
So in the screenshot you're giving an email and they're just storing it
without telling you before you click submit, but that AddShoppers system
sounds ridiculous. I'm guessing they just provide the data and you send the
emails through your own account and take the inevitable reputation hit of
endless spam reports yourself after you email people who've never given you
their email?

~~~
heshiebee
Exactly.

------
LorenPechtel
If I abandon a cart there's a reason! Nagging me about it isn't going to make
me purchase anything. You may _think_ it did because I come back--but if
that happened it's because I was after some other information first.

~~~
privong
> Nagging me about it isn't going to make me purchase anything.

I wonder about this. I feel the same, but wonder if it's true for everyone? I
kinda assume it must work some of the time, otherwise they wouldn't do it.

~~~
maerF0x0
Oftentimes they will nag w/ an incentive. I recently got one from MealSquares
offering 10% off my abandoned cart

This may be the next level wikibuy/honey ... Intentionally abandon carts to get
more % off to undermine companies that do stupid things to get customers.

~~~
mstade
This is absolutely a thing. I’ve had it happen to me more than once, to the
point where I now tend to abandon carts just to see if I can get a sweeter
deal a few days later.

------
karatestomp
There are analytics tools that are in _pretty common use_ that record entire
user sessions on your site. Mouse movements, stuff typed in but not submitted,
everything.

Javascript with more than about 1% of its current capabilities, in a hyper-text
document navigator and e-commerce platform, _is a security hole_. It can't be
fixed because its features _are security holes_.
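
Capture of typed-but-unsubmitted input, as described in this comment and in the linked article, can be detected by comparing what a user typed with what left the page before any submit. The following is an added example, not part of the comment; the event shapes, function names and `.example` hosts are assumptions made for illustration.

```javascript
// Flags outgoing requests that carry form input before any submit event.
// Event and request shapes below are assumptions made for this sketch.

const b64 = (v) => (typeof btoa === "function" ? btoa(v) : Buffer.from(v).toString("base64"));

// Encodings a script might apply to a captured value before sending it.
function encodings(value) {
  return [value, encodeURIComponent(value), b64(value)];
}

// Replay a timeline of page events and report each request that contains a
// typed value while the form is still unsubmitted.
function findPreSubmitLeaks(events, pageHost) {
  const typed = new Map(); // field name -> latest value
  let submitted = false;
  const leaks = [];
  for (const ev of events) {
    if (ev.kind === "input") typed.set(ev.field, ev.value);
    else if (ev.kind === "submit") submitted = true;
    else if (ev.kind === "request" && !submitted) {
      const haystack = `${ev.url}\n${ev.body || ""}`;
      for (const [field, value] of typed) {
        if (value.length < 4) continue; // too short to match reliably
        if (encodings(value).some((e) => haystack.includes(e))) {
          const host = new URL(ev.url).host;
          leaks.push({ field, host, thirdParty: host !== pageHost });
        }
      }
    }
  }
  return leaks;
}

// Constructed timeline: the user types an e-mail address, and two requests
// carry it before the submit event (hosts are placeholders under .example).
const SAMPLE_EVENTS = [
  { kind: "input", field: "email", value: "jane@example.org" },
  { kind: "request", url: "https://shop.example/api/partial", body: '{"email":"jane@example.org"}' },
  { kind: "request", url: "https://tags.adnet.example/c?e=" + b64("jane@example.org") },
  { kind: "request", url: "https://cdn.example/font.woff2" },
  { kind: "submit" },
  { kind: "request", url: "https://shop.example/api/register", body: "email=jane%40example.org" },
];
```

The timeline can be recorded in a test browser from `input` and `submit` listeners plus the network log. Values that are hashed or encrypted before sending are not matched by this sketch.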

~~~
Sephr
With enough effort, this can be fixed. We're working on a general solution to
this problem at Transcend¹.

1. https://transcend.io/consent-manager/

~~~
XCSme
As per GDPR, shouldn't it be opt-in instead of opt-out?

------
tylermac1
I visited Jabra's website the other day, browsed a couple product pages and
then left. Sure enough about 24 hours later I get an email with a subject like
"Come check out some of these products you missed."

How the hell is that legal?

~~~
dgudkov
Once I had a call with a company called ZoomInfo. This is exactly what they
pitched to me - obtaining emails of our website _visitors_. Creepy AF, but I
can easily see why many companies would trade some creepiness in exchange for
a revenue hike.

We all definitely underestimate how far marketing surveillance has gone.

------
theartfuldodger
I run this on my forms. I include a hard to follow disclaimer that says your
entries are saved in real time "for your convenience"

It freaks people out when we reach out on the partial fill, but since I sell
lead generation, it's a nice trick that they appreciate.

It's definitely problematic.

Luckily, our time is costly so only one single follow up occurs... no list
selling, mailing lists or repeat calls occur, but would be easy to do.

It's actually just an available feature on existing form software

~~~
ta17711771
> I include a hard to follow disclaimer

Casual scum is casual.

------
stillbourne
I implemented something like this for the uni I worked for a few years ago,
basically we wanted to collect 'partials' as we called them. We were paying
for web campaigns and we wanted to increase lead intake by collecting
information as fields were filled out. We attached this to a cookie that we
assigned on user landing and as they typed in the input it was progressively
building a profile. If you never clicked submit it was not considered a full
lead and ended up in a partials database that got mined by the analytics
group.

Modern CMSs, specifically Sitecore, have this kind of progressive profiling
built in. It was one of the selling points for why we adopted it in our last
rewrite.

------
jasonlotito
I'll be upfront about this. I was doing this back in 2003. My rationale?
People would forget to complete signups, or they get interrupted. My goal was
to make it as trouble-free as possible to get back to where they had left off.
And it worked really well. Granted, all this was back long before I really had
any concept of spam and privacy. It was just an honest "Oh, this could help
those users!" Obviously times are different and expectations have changed. I
wouldn't think of doing it now.

~~~
AgentME
I don't think this would be shady if a site kept an incomplete form in browser
localStorage. It's only shady when the incomplete form is sent to a server and
then acted on.

~~~
echlebek
In 2003 there was no localStorage, it would either be cookies or HTTP
requests.

------
dna_polymerase
I got an SMS the other day of an incomplete form in a Shopify shop. The service
is called SMSBump. I do not even recall giving them my number but maybe my
password manager did autofill it.

------
ck2
This happens to me with shopping carts that I never register for but started
to enter email.

You get a "left something in your cart" discount code.

So I've started to do that on purpose when I can't find a discount for a site,
works about 50% of the time. Start to checkout, enter email, get to payment
and just close tab. Wait an hour or two.

------
jugg1es
How is this any different than sites that track what people are highlighting
in the text? If anything, tracking what you highlight is a worse violation
because it can reveal your inner thoughts and values, which is more valuable
and harder to get than your email address.

------
replyifuagree
I remember reading a marketing tips page that recommended gathering the email
as the first step of a multi-step signup process. I never followed the advice
as I was just more interested in the technical details of connecting UI to my
backend schema in a rational fashion.

------
filvdg
This is so against the basics of GDPR, all these webshops that participate
risk fines for non-compliance from the moment an EU citizen is being tracked.
Even if these are US companies they need to comply.

~~~
dheera
> Even if these are US companies they need to comply

Only if you have an office in the EU.

Not any more than US companies need to comply with arbitrary Chinese laws, or
Japanese companies need to comply with arbitrary Saudi Arabian laws. Why does
the EU have special status in being able to impose laws on the US?

The EU can feel free to block the website if they don't like it. (But we know
their citizens would throw a riot if they started censoring the internet,
sshhh...)

However, independently of GDPR, I agree that it's wrong and that you shouldn't
be saving contact information by deception. You'd lose me as a customer if you
did that.

~~~
Nursie
I think it goes further than office location, if you do business in the EU at
all you want to watch out.

Of course the main problem with the GDPR is that it's so far not really been
enforced, so people feel free to contravene it at will.

~~~
dheera
I suppose you could also decide to either

- (a) not do business in the EU, but leave your website accessible throughout
the world. It's up to the EU to block it if they hate it

- (b) invite people from the EU to do business with you on US soil, where
they would be subject to US laws instead of EU laws

------
luord
This is the opposite of fighting for the users. It's outright hostile.

------
bitshaker
Formstack.com forms are able to do this and they are distributed all over the
web.

------
barbarbar
So I suppose the advice of disabling Javascript is not that bad after all.

------
Traster
What a great explanation of GDPR and why it's necessary.

