DEV Community

I was emailed after abandoning a registration form. I did not click Submit. This is not ok.

Heshie Brody on June 01, 2020

We had a baby recently and my wife and I were online shopping for breast pumps. Our health insurance company website redirected me to a website nam...

cubiclesocial

Well, that's a clear violation of the CAN-SPAM U.S. Federal Law if there ever was one. The penalty for sending spam like that is $16,000 USD per violation with no limits enforceable by the FTC (i.e. if they send a mere 1,000 such messages, that's punishable for $16 million USD). And the Federal government sure could use the cash right now.

But it seems like you could do some exciting things with that form. Fill it in with: 'abuse@ theirwebhostingprovider.com' (whoever their provider is) in an Incognito window from a different WiFi network than yours and see what happens. If their system sends an automated email about breast pumps to their own hosting provider's abuse department, that will be quite difficult to explain away! "Um, we sent that message...because...um...we'll have to get back to you on that..."

Haris Secic

Super funny, love it, it's basically trolling.

On the other hand they could be in range of law where they have the right to keep these things and send such emails. Some sites have Terms & Conditions which make them avoid these kinds of things. I don't think this can go directly under CAN-SPAM. You actually went to the site and filled in the email yourself, willingly giving away the address. Now it might be in the T&C on their site that you accept such a thing if you proceed.

Problem for them might be that you didn't press "I accept / agree / Allow ..." and they just have the info somewhere hidden which I'm unsure how much would it make an issue for them.

Sebastian

T&Cs always have to abide by law. Companies can write in their T&Cs what they want, that does not make them lawfully sound and solid.

Helana

Very true, I'm sure they are not allowed to sell their platform to Canadian companies. I wish we had the same protection in the US but unfortunately we do not. I used to work for a couple of popular email marketing platforms and honestly the people who are buying this company's services/platform are idiots. This is a terrible way to target new customers. No one responds to spam mail well, the amount of click thru's and actual ROI you would see from a platform like this has to be very very low. You make a great point also that half of the data that they do acquire is most likely dirty data that isn't even useful! This is essentially a very legal scam.

Jon Strayer

It doesn't read to me as if they read the email address out of the form. What I think was going on is that he had freely given his email address to another customer of AddShoppers and AddShoppers passed it on to Aeroflow. So the problem is either browser fingerprinting or third party cookies. My bet is on the cookies.

Sebastian

I like that idea 😁

Garret

They use liquidweb.com for those wondering!

Sebastian

A "gray" area? With all due respect, but what is this behavior if not a blatant violation of the core principle of transparency and consent? No, this behavior is a brutal act against what the GDPR stands for: it is intransparent, it is uninformed on the part of the data subject, and it is without consent.

From the GDPR (see Wikipedia):
"consent must have been explicit for data collected and each purpose data is used for (Article 7; defined in Article 4). Consent must be a specific, freely-given, plainly-worded, and unambiguous affirmation given by the data subject".

Pete Dermott • Edited

So looking at this GDPR blog post they allow site admins to opt out of collecting PII and will work with existing cookie notification systems in order to respect customers' choices. It's a bit of a cop-out but they put the onus on the merchant to get consent and give them seemingly adequate tools to do so.

Checking the site mentioned as an EU customer with tracking protection and ad blocking turned off I see no GDPR notification and they are still making the request, so in this case it would be in violation of GDPR. However, given that the form is for US customers enquiring about using health insurance to get a breast pump, it's a bit of a moot point.

Nir Lanka ニル

I'm speechless. This is very creepy. Gotta build a browser extension that monitors requests being made while filling forms (though now that I think of it, that may not be allowed).
Wish there was a legal way to handle this.

arerbac-ad

Maybe it could be an extension that holds the value of every input, and fills them in when the form is submitted.

KP

I don't get it. How would this monitor that the website is spying and making ajax requests?

Nir Lanka ニル • Edited

I didn't research yet. My initial thoughts were either:

  • monitor inputs and check if requests are sent with that data (not sure extension permissions allow this)
  • or just blindly replace some critical input fields (name, email, etc), record the inputs and put them back into the form before submit. (credit to arerbac-ad for coming up with the idea)

I'm not 100% sure we can do this, but we wanted to try out some ideas and see. Do you think these ideas won't work for technical reasons?
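The first idea in the comment above (watch outgoing requests for values typed into a form before Submit) comes down to the matching step below. This is an added example, not part of the thread or of any extension mentioned in it. The function names, the request record shape (`{url, body, afterSubmit}`), the exact-host third-party check and the sample traffic are all constructed for illustration, and capturing the requests from the browser is left out.

```javascript
// Added example: matching logic only. All names and sample data are constructed.
const MIN_LEN = 4; // skip very short values; they match by accident too often

// ASCII-only helper, used here just to build the constructed sample below.
const b64encode = (s) =>
  typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'latin1').toString('base64');

// Decode one base64/base64url token; return null unless it is valid UTF-8 text.
function b64decode(token) {
  const std = token.replace(/-/g, '+').replace(/_/g, '/');
  try {
    const bin = typeof atob === 'function'
      ? atob(std)
      : Buffer.from(std, 'base64').toString('latin1');
    const text = new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
    return text.includes('\uFFFD') ? null : text;
  } catch (_) {
    return null; // not base64 after all
  }
}

// Build the views of a request in which a typed value could be readable:
// as sent, URL-decoded, and with base64-looking tokens decoded.
function views(text) {
  const out = [{ how: 'plain', text }];
  try {
    const decoded = decodeURIComponent(text.replace(/\+/g, ' '));
    if (decoded !== text) out.push({ how: 'url-decoded', text: decoded });
  } catch (_) {
    // malformed percent-escape: keep the plain view only
  }
  for (const token of text.match(/[A-Za-z0-9+\/_-]{16,}={0,2}/g) || []) {
    const decoded = b64decode(token);
    if (decoded !== null) out.push({ how: 'base64-decoded', text: decoded });
  }
  return out;
}

// typed:    { fieldName: valueTheUserTyped }
// requests: [{ url, body, afterSubmit }] observed while the form was open
// pageHost: host of the page showing the form (exact-host comparison is a
//           simplification; a real tool would compare registrable domains)
function findLeaks(typed, requests, pageHost) {
  const findings = [];
  for (const req of requests) {
    if (req.afterSubmit) continue; // sent after the user clicked Submit: expected
    const host = new URL(req.url).host;
    const haystacks = views(req.url + '\n' + (req.body || ''));
    for (const [field, value] of Object.entries(typed)) {
      const needle = value.trim().toLowerCase();
      if (needle.length < MIN_LEN) continue;
      const hit = haystacks.find((v) => v.text.toLowerCase().includes(needle));
      if (hit) findings.push({ field, host, how: hit.how, thirdParty: host !== pageHost });
    }
  }
  return findings;
}

// Constructed sample: what the user typed, and four observed requests.
const SAMPLE_TYPED = { email: 'pat@example.com', phone: '555-0100', zip: '12345' };
const SAMPLE_REQUESTS = [
  { url: 'https://tracker.example/collect',
    body: 'e=pat%40example.com&step=2', afterSubmit: false },
  { url: 'https://cdn.example/px.gif?d=' +
      b64encode('{"email":"pat@example.com","phone":"555-0100"}'),
    body: '', afterSubmit: false },
  { url: 'https://shop.example/api/zip?q=12345', body: '', afterSubmit: false },
  { url: 'https://shop.example/api/lead',
    body: '{"email":"pat@example.com"}', afterSubmit: true },
];

console.log(findLeaks(SAMPLE_TYPED, SAMPLE_REQUESTS, 'shop.example'));
```

The first-party ZIP lookup is reported too, but with `thirdParty: false`, which separates autofill-style lookups from data leaving for another host. Values hidden by encryption or hashing will not be matched by this approach.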

KP

I get it now. The original answer wasn't as clear.
There will be some technical challenges to doing this, but I'd be interested in following your progress if you share a link to your repo (or better yet, a demo)!

Nir Lanka ニル

That sounds wonderful! Thanks for your support. I will try and start the basic implementation, so we can have a look and consider our options or improve. I have only limited experience building Chrome extensions, but I'm sure if we put our heads together we can build a feasible solution somehow.

Nir Lanka ニル

I was just browsing around, and thought this extension had some characteristics we could look into (monitoring request body etc). Need to check thoroughly.
chrome.google.com/webstore/detail/...

Nir Lanka ニル

I'll tell you once I've started on this, hopefully this weekend 🙂

Nir Lanka ニル

Hey, that's a clever idea! That's very good. Will look into it. 😊👍

Nir Lanka ニル

I'm considering the implications of handling autocomplete and input validations.

Heshie Brody Author

Great idea! Let me know if you need any help, would love to collaborate.

Nir Lanka ニル

Thanks! Let's do it. I'll try and set up a Chrome extension codebase. Will try and start it this weekend. Will link it here. I'll add the base implementation and we can work together on it. Does that sound like a good plan?

Heshie Brody Author

I'm committed to a project until the end of June.
Will try to add as much as I can until then.
Please dm me so we can exchange contact info.

Ben Calder

Not cool, and the saddest part is that there are developers out there willing to facilitate this unethical behaviour. I would rather quit my job...

David Sullenbarger

That's an awesome idea until you have kids.

Ben Calder

No. That's a cop-out. I have kids; and I want to make the world a better place for them. If everyone makes a stand against this kind of crap then employers will stop expecting developers to screw over their fellow humans for the sake of a quick buck.

Fortunately my current employers also have appropriate ethical standards. If yours don't then start looking for another job; or better still raise your concerns with them. Case in point: I totally respect the Facebook employees making a stand over Zuckerberg's lame response to Trump's incitement to violence towards protesters in the US.

David Sullenbarger

Then you'll agree to pay my mortgage (or rent), fill up my fridge, keep my lights on and keep my kids in their private schools (my choice, and I do not care if anyone disagrees).

Agreed, if everyone takes a stand, but that's not happening over something this trivial .. and I really like my life the way it is. This is not the hill I would even consider dying on; you can have it.

Dom

Your point would be valid if he wasn't a developer drowning in job opportunities (unless he's a very bad one maybe.. but even then)

Ben Calder

I guess there has to be some balance though: there presumably are developers out there for whom job security is not guaranteed; or too great a risk (as TH Jones II reasonably suggests). But in that case I'm not sure I would consider an employer who engages in shady/illegal practices as a safe long-term bet and would still be looking to move on.

As for David - he clearly enjoys his privilege. I don't disagree that in the grand scheme of things this is a comparatively trivial example; but the question is: where do you draw the line?

David Sullenbarger • Edited

Very very far from here. And don't think I missed the brush you're trying to paint me with by using the word 'privilege'. FFS, I'm a 48 year old liberal ... it's just that the world isn't as black and white (i.e. simple) as I used to think it was.

Gosh darn, now I know how it feels to be on the receiving end of shiat like this.

Ben Calder • Edited

Sorry if I've offended; but let's be clear: most full-time employed developers are in a privileged position - myself most definitely included. IMO we should therefore take some responsibility for the world we are helping to create. If we're not willing to push back over something this 'trivial' then where does it end?

In Europe what this company did would be considered illegal. To me that's a clear line I won't cross. In fact that makes it an easy decision to make and an easy stand to take; however complex the world happens to be. Maybe it's not what you intended; but your response gave the distinct impression that your material comforts were well worth the price of breaking this 'trivial' law.

David Sullenbarger

"but your response gave the distinct impression that your material comforts were well worth the price of breaking this 'trivial' law."

No, my point was it's not 'illegal' (loaded term) here and I already bitch about the cops (as a white guy and have for years), selfish policies (basically: 'conservative' ideals) and privacy (believe it or not) ... but I also know (my peers) don't know too much about GDPR and as soon as I mention it's a "Euro" thing 1/2 of them would tune me out (not sure I blame them) and the other 1/2 would probably roll their eyes

I do enjoy honest debates and I do not consider your privacy (or mine) trivial in any way whatsoever and I think the current state of affairs is disgusting (on both sides of the pond). To me, it seems like the problem I run into is that I have a very measured, pragmatic approach to things (it comes with age so they say) ... and don't think it's quite time for a lot of very important things (yet, sadly) so people think I'm arguing against an idea ... I'm usually not. People (rightfully) want to fix everything that's broken right now .. and in my experience that's just not the way things work in the real world.

Let's fix the obvious problems with criminal law first. Not addressing this first (and by itself) is offensive to me and trivializes real suffering . You can have my freakin privacy if it'll keep people alive (which should be a false dichotomy in a free society) and out of jail (unless you are actually dangerous to society)

Ben Calder

I guess we're looking at things from somewhat different cultural perspectives. The impression I have of the US is that things are really weighted against you: on face value it all looks so appealing - if you happen to be on the right side of the social divide. But if there really is no safety net and you fall on hard times you're essentially a slave to whatever system those with power have set up.

To put my original comment in context: I was able to give up both a toxic work environment and (IMO) a toxic country (the UK); move to another country with no contacts - and where I don't speak the language - and find gainful employment all in the space of 6 months. I appreciate that not everyone has that luxury; but that's precisely my point: those of us who do should use that leverage to effect meaningful change. So if an employer did put me in a position that went against my personal ethics (let alone the law) and resisted all my attempts to push back I really would have no hesitation to quit.

David Sullenbarger • Edited

"..I have of the US is that things are really weighted against you"

Heh, it's funny how much things change. When I lived 'abroad' in the late 80's and early 90's I was distressed to learn how much everyone else in the world seemed to be paying attention to everything we did and said (looking for a 'sign', it seemed) ... actually, a lot of the people who lived in the 'shiat hole' countries seemed to have the impression we were mere minutes from swooping in and saving them from something or another.

It was an unrealistically high opinion that was obviously going to swing to the other extreme at some point (which it has) ...

Every place has good and bad parts my friend and I prefer being here ... or down in Australia. Not real fond of European culture .. it felt inscrutably "class" based (to an outsider at least) and I can't think of many things that bother me more (though I do enjoy hanging with Slavs ... )

Thomas H Jones II

Ideals are great and all, but, until there's a meaningful social safety-net that affords me the luxury of taking a stand any time an employer decides to do something shady, best many of us can do is go into active job-search mode and walk at the first opportunity.

Unfortunately, in the US, if you have any chronic health conditions (or responsible for someone who does), you're kind of constrained.

David Sullenbarger

"but, until there's a meaningful social safety-net that affords me the luxury of taking a stand any time an employer decides to do something shady"

a.m.e.n.

I get sooooo tired of hearing "just quit" like that's even remotely possible these days (for 98.9% of us)

Thomas H Jones II

When I was still in my 20s, single with no mortgage or pets, it was doable. Now, with a wife with chronic health conditions, mortgage and pets, my ability to take a stand on principle requires a lot more deliberation.

At best, a given thing can make me decide, "time to shake my professional network to see who's hiring" or otherwise refresh my resume and jobsite-presences, but that's hair-trigger as I can currently be.

On the plus side of COVID-19 and its potential lasting-effects, I don't necessarily automatically have to give up my work-from-home just to take a new position.

Sebastian

Absolutely! Great response and kudos to you.

Unfortunately, there are enough developers who just don't care. They do as they are told.

In Germany, executing given orders that are apparently illegal can subject you to legal prosecution. And rightly so.

TrasherDK

Substitute developers with soldiers and think Nuremberg trials

Uyi Ehondor • Edited

Reading the T&C at aeroflowbreastpumps.com/terms-and-..., it includes this line “By signing and submitting this form, I consent to receive phone calls, emails ...” which to me suggests you shouldn't have received an email until you hit the submit button.

So it appears they're in violation of their own T&C.

Heshie Brody Author

Exactly! I did not find anywhere on their site mentioning this behavior.

Sebastian

Good catch. Their reading is probably: "by signing (= filling in) as well as by submitting". In any way, it's just another violation of the principles of transparency and informed consent.

Ivan Pozderac • Edited

Yo, what about GDPR or similar laws? In Europe this is not legal.
When GDPR started, I was thinking, oh not another cookie notification, but then I realized that it is kinda cool to ask people if they actually want to give away their details, not just take them. It is a civilized thing to do.

I am not so familiar with US laws about privacy and spam but as I remember they can't send you anything until you submit your email, right?

We should stop this next level black-hat data scraping/stealing shenanigans!

Florent Nuttens • Edited

As a wise man once said:

You were so preoccupied with whether or not you could that you didn't stop to think if you should.

Seriously, I think their place in the dark patterns' hall of shame is well deserved 🙄

Brad Smith

I recall a demo where a visitor while entering the 3rd 4th and 5th chr of their ZIP code (US), the corresponding address information would filter down then autofill the city and state fields.

The fields were asynchronous and could be tied to any data point. That was the point of the demo. The user never had to submit the data.

Sebastian

Don't forget that privacy laws vary tremendously between countries. Sure, whether a U.S.-based (?) company cares about the laws in other countries is a different matter. If they plan to do business there, then they should care about it. This thing would be illegal throughout Europe.

Code_Regina

Very interesting post. The state of privacy seems to only be getting worse as companies are getting very desperate to squeeze more and more data out of each and everyone of us. Thank you for posting the behind the scene code to this.

Maxime Veber

Let me scare you just a little more. I had same story with PayPal. Didn't click anywhere to pay on PayPal. But the payment has been processed anyway. (and the merchant recorded the order & everything)

Luckily PayPal agreed to refund... But well, it feels bad.

Note: this probably happened because I agree to pay in one click with PayPal. My problem is that... I didn't make ANY click (on paypal).

Anna R Dunster

I had a PayPal issue in which I purchased an item through vendor A, who uses 3rd party transaction service B. A while later I made another purchase from vendor A, and my PayPal transaction went through without ever asking me for what funding source I wanted to use, and did not use my current default but used the source my first transaction had been through, with no confirmation step or anything. Not exactly the same but not cool.

Stan Williams

That is scary. I was afraid to ever agree to pay in one click with PayPal and this makes me think I was right.

Sebastian

Such behavior deserves the biggest 💩-storm in history, really.

You are absolutely right, this is the worst a company can do to potential customers. It is definitely illegal under European privacy laws.

Thank you so much for sharing. Let's hope our dislikes will be heard!

Sebastian

By the way, congratulations on becoming parents 😁😁😁

Robert Myers

You closed the page without submitting. Where's the consent? There isn't any.

Sebastian

Of course it was violated, for the reasons I stated above.

There is a "Submit" button. So the user rightfully assumes that nothing is submitted before you hit that button. And that's the way forms are implemented and have been implemented in the vast majority of cases.

Of course there are always technological ways to go around things. But blaming the user here (don't type your information if you want to keep it secret) is exactly why GDPR has been invented. It makes consent explicit and data collection transparent to all parties involved.

Sebastian

And don't forget that the said solution sends much more than "just" an e-mail address. But nevertheless, even just an e-mail address is a blatant violation.

Your argumentation makes me think you have never bothered to read, let alone understand, the GDPR. (No offense.)

Kovid Rathee

This is horrible! Given how much people care about privacy, I am sure thousands of companies are doing this. Good that you shared this story with us. As @sebastian said, we should hope our dislikes are heard.

Eddy Harrington • Edited

Timely but relevant: I noticed this week that the NAACP does this on their donation form:

NAACP donation form post abandonment

And the email I received after abandoning:

Abandonment email

How does everyone feel when the tactic is used in this scenario for an organization that relies on donations?

Heshie Brody Author

Wow, I keep on hearing more of these.
We need to adopt something like the GDPR here in the US.

Rohit Prasad • Edited

There's google tags manager that's 10 times creepier than this. It can log every interaction you have with html tags. Say you visited a shopping website and you hovered over an image of a particular product, this data gets recorded in the database.

There's an extension called NoScript that prevents running of scripts unless you white-flag it. This blocks all scripts from running; initially this will break many sites that you visit. You can then select from the extension which necessary scripts need to be run. NoScript then remembers this setting when you visit the website next time. NoScript is installed by default on the Tor browser. Here's a look at my setting for Dev in NoScript
dev-to-uploads.s3.amazonaws.com/i/...

Link to extension for Firefox addons.mozilla.org/en-US/firefox/a...

𝐍𝐚𝐭𝐚𝐥𝐢𝐞 𝐝𝐞 𝐖𝐞𝐞𝐫𝐝

This is why we have GDPR in Europe... it prevents companies doing sneaky shit like this.

Amy Rogers

The exact same thing happened to me just a few days ago. Funny thing is, it didn't make me want to buy the product any more... just creeped me out. Great article, it was interesting to see how it works behind the scenes.

Ronak Jethwa

It all depends on a type of marketing. Companies are allowed to send transactional marketing campaigns even if you are not subscribed to their newsletters. If you are a member of that product, you can't hide away from it.

Marketers often try to cross the boundaries by targeting their users with transactional campaigns, just to bring the user back to the site. By any means, I agree that this is a big concern and should be avoided by any means.

Bruno Oliveira

yikes on bikes .

Raphael Habereder

If this was done anywhere in the EU, we could bring the mighty GDPR hammer down on those fools.

This reads like a digital form of stalking and should be prosecuted.

Thank you for the heads up!

Stephanie Handsteiner

They don't even need to have an address in the EU themselves, if someone in Europe can use that site as intended, they're subject to GDPR.

IANAL but I'm pretty sure this is against GDPR as it's silently tracing your every move on this website.

Raphael Habereder • Edited

I would think so too, but jurisdiction would be terrible to handle across the big pond. How and where would you even try to prosecute them?
It would be very interesting to get a lawyer's opinion on this topic.

David Sullenbarger

The answer would probably be "in absentia" unless the defendant has compelling business interests in one (or more) of the EU countries. All they can do is ask them to come to court - this isn't criminal so there's not going to be an extradition.

Haris Secic • Edited

Well... I think in Germany you have a law that actually backs up "reserving an order". So my friend had an order from a company in Germany, it might even be eBay Germany. After putting stuff in "cart" and then not doing anything, not ordering but also not clearing the "cart", he left the page, and after a couple of days got some kind of fine which he had to pay because you apparently must clear the order in some time unless you actually want to buy....

Hope someone from Germany can see the comment to back it up with correct version of what is this law.

P.S. similar thing happened to me where I received email that I didn't finish my order (Swedish site). However this was saving my order in case my browser crashed or something and orders expire in like 24h or so. So basically they didn't ask me but it's a useful feature. They did however put in email something like "do you have problems with ordering? call us / email us /...". I did have an issue with order on another web shop and thought hmm it would be good if these guys had that tracker :D

Thomas H Jones II

Your real world example is basically what goes on at several chains of malls (Simon properties was a pioneer in this). There, though, they track the emanations from your cellphone. Lesson: either don't shop at such malls or, if you do, put your phone on airplane mode or in an empty potatochip bag.

Minority Report wasn't that far off on some things.

Mikaleb

Not cool, and if you see what's possible with apps like Shopify it's even worse: you can see who abandoned their cart and there are built-in (and optional) apps to automatically send a mail to them every X days / minutes for X days.

fearqueer

Had a similar experience a while ago. My partner and I were halfway through filling out some form on a banking website to get pre-approved for a home loan, but found a different place and abandoned the form and closed the tab. The next day we got notified that this company ran even the incomplete information we'd typed and we each had a new inquiry on our credit reports. We never hit submit or made any indication of consent at all. Really freaked me out, and I'm incredibly cautious about filling any forms out now.

Gabi

I shared this post on twitter as well as tagging them. I think publicly asking for modifications can have an effect. This is definitely not ok.

kHRISl33t

How would a dev implement such a thing? I would quit my job right away if my boss said this is what I have to implement.

By the way congrats! :)

Arvind Nedumaran

Does this mean what I think it means?

Arvind Nedumaran

"I'm not accusing them if this is legal since this is way out of my realm and they probably have a legal team to back this kind of stuff but it's still not ok. It's not right." - It probably is.

I wonder if filling different emails before without submit could be illegal (We surely can't prosecute typos right?).

David Sullenbarger

in the USA that's a civil law, not a criminal one and there's a huge difference between the two (and most of us don't understand this distinction)

Keff

Crazy, imagine all the sites that do similar stuff under the hood... Scary...

Gayan Hewa

This is a common pattern used in abandoned cart retargeting.

Cameron Jones • Edited

Abandoned cart usually uses cookies or user accounts, not scraping your email off half submitted forms

Vladimir C

I often see ads on Facebook and YouTube after having conversations about something, without googling/searching on the Internet. And that is much creepier than what you experienced. For example, recently I had a talk with a guy that just mentioned a company he's working in. The next days I see an ad on Facebook from that company. I didn't have any intention to search it at all. Such things repeat pretty often and are noticed by many other people as well, including my friends.
Both Google and Facebook say that they aren't eavesdropping us and this is a coincidence. I tend to believe them and can't explain why that's happening again and again.
Yes, I've heard about frequency illusion (Baader–Meinhof phenomenon), but still creepy.

Nguyen Kim Son

I try to use a different email (alias) per website so I can know who's selling my data and disable the email alias right away. Unfortunately a lot of websites don't respect GDPR so in the meantime, it's better to protect ourselves.

Leo Rubiano

What's hilarious about how they're doing it is you could just as easily collect the email address in real time as the user is typing it even without a submission and send it off to back-end storage through something as simple as an ajax request. The way they're doing it now is probably 10x more expensive. Unethical and an egregious violation of privacy and probably the law either way, but leave it to these fuckers to find the most bureaucratic way to gouge your browsing.

Shanakay Hall

"If your going to take my email address then at least let me know before I type anything."...my thoughts exactly. This is very unsettling to know that this type of thing is happening. It should be illegal.

Erik Lyngved

This happened to me once with a form to get a moving quote. I put in my phone number but did not hit submit. The next day they started calling me and thankfully they stopped when I told them I'd report them for violating spam laws. Like you, I'm not sure if it's technically illegal, but it's definitely shady and just not cool.

Vicente G. Reyes

One site that practices this is Shaw Academy. The same tactic: even if you abandon the form at the part where they ask for your credit card, you get spammed with texts/emails every day. You can't cancel on their site and have to call them to cancel/delete your account.

Gayan Hewa

Yes, it's not very ethical in terms of what it does. But, I have come across a few places too where they have done this during the checkout step. Especially when the checkout is split into different steps.

Orlando Brown

Such a great read guys!!!

I find these practices to come from humble beginnings at first, but then they lead on to more creepy practices as more data/insights are required to drive more revenue.

I'm in meetings all the time as a dev on how to drive more engagement, which in turn is what drives conversion.

We want to know as much as possible about our customers to better match and recommend things they care about.

But there is a fundamental line that we as developers should not cross: when we develop systems that circumvent consent.

I'm not surprised we haven't made a developers' oath process that we all subscribe and unionize to. Or something more simple like the Agile manifesto, where we all sign into and ensure that any agent or company must acknowledge that we are ethical Devs.

People power will always win.

Ben Sinclair

I've definitely worked with agencies who do this in the past, even way back as far as ten years ago.

Some went as far as recording what you typed, so they could play it back and watch you change your mind. Watch you backspace over your original "screw you" comment and replace it with something polite. While that's fine for things like focus groups, who know they're in a test environment, for real people it should be right off the cards.

Manuel Ricci

Basically that's what a Data Broker does. I've read about them in Hannah Fry's book "Hello World: How to be human in the age of the machine". GDPR and similar laws were born to limit those actions. I'm not quite familiar with US regulations, but that's creepy AF.

🎧Cirphrank👣

You're right, this doesn't sit well. Good ethics that support trustworthiness should never be lost in salesmanship.

Congrats on the new family member.

dan-simiyu

A great concept but not sure if it is safe to implement

Francisco Velasco

Well, in Europe, given the GDPR, this company will have problems with this business model, as a user must consent before his/her data is used.

sometimes called schmidty

I can spam my enemies with this! Woohoo!

Julian Mojico

The worst thing is... anyone can trigger sending emails to any email address, whether they own it or not.
Also, if they do not have a captcha in the form, their email provider will be banned soon.

Mundo

This is a well-known marketing strategy, but they have to collect only the information relevant for this to work, and collecting any personal information requires consent.

Hence, report them.

thoughtsunificator

Wow this sounds like a nightmare I would have on those rough nights.

I feel like the web is the only place where paranoia would not actually hurt.

Thanks for sharing this! Crazy.

Gizem Candemir

That's definitely not ok!!

jen chan

Woof, that's happened on the rare occasion with shopping carts for me and I would think about how and why 😩

iakovosvo

Great post. Thanks for sharing this.

q2apro

Jail time, my friends.

Yevhen Fabizhevskyi

Damn. It's flagrant! Thanks for sharing.

David Sullenbarger

Or, you know, we could stop pretending it's not going to get worse and make our own GDPR. I'd like to treat privacy like the 1st amendment (i.e. you cannot sign it away, period).

Pablo Díaz Márquez

That is the default behavior of every Shopify website