Form pre-fill legal concern

We had a legal concern raised to us by our legal team which I wanted to bring up here to see if anyone in the community has found a workaround or is also struggling with this.

The concern is with the ability to Prefill a form when a Contact visits our web pages and tries to download or access some content.  While this is convenient for the users, it also brings up a potential privacy issue for the Contacts. In a nutshell, there are certain data fields, that we maintain for those Contacts in Marketo, that could be exposed to someone else who is using the same email.

Here is the use case:

  1. Person “A” submits form “1”, which has email address, phone number, and other personal information -> lead "A" is created in Marketo.
  2. Person “B” submits form “2”, which only has the minimum fields in Marketo (email), using the email address of person “A”. Now Marketo thinks this person “B” is person “A” and associates the cookie with the lead of person “A”.
  3. Person “B” visits the form “1” page, which has pre-fill turned on, revealing person “A”’s personal information that is exposed through the forms.

Even if the pre-filled values are hidden via the functionality in forms 2.0, the source code of the page still exposes this data, and thus poses a potential security threat for person "A".

Obviously form pre-fill is a very powerful feature for increasing conversion rates to content and down the funnel, so any ideas and/or workaround would be great so that we can leverage this key capability without any legal concerns.

Level 10 - Champion Alumni

Re: Form pre-fill legal concern

So the only time this could happen is:

  • public computer, in which case, that is the lead's fault.
  • lead forwards email to Lead B and Lead B gets associated with Lead A thanks to the tracking token.
  • Lead B uses Lead A's email address - cannot prevent this, or we have to assume Lead A knows about this or Lead B is doing something sketchy.
  • Lead B uses Lead A's email because they share an email address like In this case, no one is hurt.

If this is a real concern from your legal team, then you should turn pre-fill OFF on your forms and pages. There's a nice setting in Admin and Form editor to do this. There may be alternatives by using jQuery/JavaScript, so do a forum search here as I recall someone else mentioned a related issue.

Additional questions you might ask are:

  • How often does this happen?
  • Would someone actually complain?
  • What personal info is at risk on the form?
  • What situations would you encounter as above?
  • Is the pain of fixing this greater than the potential legal trouble?

I can't tell you what the right decision is, so I suggest you think through this more with your lawyer.

Level 10 - Community Moderator

Re: Form pre-fill legal concern

Pierre, this is a very valid concern (as I work in a highly regulated industry, we have had to review it as well) but as Josh says, only your legal team can give you firm guidance in this area.

Generally speaking, you're right to be as worried about values in hidden fields, JavaScript code, or cookies as you would be about text that is actually displayed to the user.  All these would fall under the same legal scrutiny, whatever that may be.  And from a security perspective, you must assume the most malicious behavior is already happening: people are entering other people's addresses in order to scrape whatever data they can, displayed or not.

We are very conservative with the fields we send to the client.  For example, we will not prefill a lead's annual income tier, even though we do keep that in our database.  We accept the consequence that we have to "play dumb" about demographic info.  C'est la vie!  You can look at the legal pressure as a reason to encourage people to sign up for a full-fledged, password-protected account on your site.  Then nobody can see or update private data without a password or existing session.

Level 10

Re: Form pre-fill legal concern

I've gotten this question a lot recently. Let me do my best to explain how this works:

- Form pre-fill by nature requires the unauthenticated transfer of lead data to the client in order to pre-fill various values on a form.

- It needs to be unauthenticated because leads do not "login" with secure credentials to visit one of your landing pages...they are simply known leads based on their cookie value. In Marketo, leads generally become known when they convert through an email or form, which has their email address (Marketo's unique identifier for leads). It is certainly possible for an attacker to enter fake email addresses on your forms to become known, then visit another landing page.

Note: we do have some form submission limits in place to avoid spam and brute force attacks.

- Once a lead becomes known to Marketo, their munchkin cookie value on their machine is linked to the known lead in the Marketo lead database.

- If a Marketo form has pre-fill enabled, when a known lead visits a Marketo-hosted page with that form, the values for the fields in the form are fetched from the Marketo lead db based on their cookie value.

The above is the way this workflow works and there is no alternative if you wish to have pre-fill on your forms. It's simply not possible technically unless you authenticate the lead somehow. Because of this, you may wish to disable pre-fill for certain form fields or disable it at the subscription-level entirely, which is fully supported in Marketo. Most customers don't wish to do this since things like First Name and Last Name are values that are generally accessible on the internet anyway (if you Google your email address, you'd be surprised what comes up). But, if you have a field that includes more private data, you should certainly disable pre-fill when placing that on a form. We don't recommend you store sensitive information (SS #, passwords, etc.) about leads in Marketo, as you really don't need things like that to execute effective marketing campaigns. Some customers may be more stringent, however, and wish to disable fields like phone number. We leave it up to our customers to determine how they wish to enable/disable pre-fill.

To control pre-fill, we provide the following options:

  1. Disable pre-fill for the entire subscription. Navigate to Admin > Integrations > Landing Pages and disable pre-fill.
  2. Disable pre-fill for a landing page. In the landing page editor, under Landing Page Actions, click "Edit Form Settings." Disable pre-fill.
  3. Disable pre-fill for specific fields in a form. In the form editor, click on a field and in the right-hand pane under "Form Pre-fill" set it to disabled.

Also, remember pre-fill will never work on an embedded form. So the above only applies to forms hosted on Marketo landing pages.
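
Added example (not part of the thread and not Marketo code): a way to verify the per-field pre-fill settings discussed above by auditing the page source served to a known visitor, hidden inputs included. The field names, the allowlist, the bookkeeping field and the sample markup are constructed assumptions; substitute your own page source and reviewed field list.

```python
from html.parser import HTMLParser

# Assumption: fields your legal/security review approved for unauthenticated pre-fill.
PREFILL_ALLOWLIST = {"FirstName", "LastName", "Email"}
# Assumption: form bookkeeping inputs that carry no lead data.
NON_LEAD_FIELDS = {"formid"}

# Constructed sample: landing-page source as served to a cookied (known) visitor.
SAMPLE_PAGE = """
<form id="form1">
  <input type="text" name="FirstName" value="Alex">
  <input type="email" name="Email" value="alex@example.com">
  <input type="tel" name="Phone" value="555-0100">
  <input type="hidden" name="AnnualIncomeTier" value="Tier 3">
  <input type="text" name="Company" value="">
  <input type="hidden" name="formid" value="1">
</form>
"""

class PrefillAudit(HTMLParser):
    """Collects <input> elements that arrive with a server-supplied value."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, input type, approved?); values are not kept

    def handle_starttag(self, tag, attrs):
        if tag != "input":  # this sketch covers <input> only, not <select>/<textarea>
            return
        a = dict(attrs)
        name = a.get("name")
        value = (a.get("value") or "").strip()
        if not name or not value or name in NON_LEAD_FIELDS:
            return
        # type="hidden" is treated like any other input: it is still in the source.
        self.findings.append((name, a.get("type", "text"), name in PREFILL_ALLOWLIST))

def audit_prefill(page_source):
    parser = PrefillAudit()
    parser.feed(page_source)
    return parser.findings

def unapproved_fields(page_source):
    """Names of pre-filled fields that are not on the approved list."""
    return sorted(name for name, _type, ok in audit_prefill(page_source) if not ok)

if __name__ == "__main__":
    for name, input_type, ok in audit_prefill(SAMPLE_PAGE):
        print(f"{name:18} type={input_type:7} {'approved' if ok else 'DISABLE PRE-FILL'}")
```

Any field this reports as unapproved is a candidate for the per-field "Form Pre-fill" disabled setting described in option 3.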