Security & Privacy Laws for Contact forms

Many of our clients have contact forms on their sites. Most forms just ask for name, phone number and email address.

However some contact forms ask for the address and sometimes even date of birth. A confirmation email is sent to the person filling in the form with all these details. My concern is one of privacy and security. Is there a law that says we need to have the contact form secure, using an SSL certificate, and what level of SSL certificate should it be? If there is no law then is this good practice anyway? Is it wise to send a confirmation email with the information they filled in? Most people I think would find that helpful, but as email is so insecure, I was wondering about the security implications of this. I’d be grateful for any ideas with this one.

You should never email sensitive information. Why? Because, as you have stated, email in itself is not secure, not only that but people make mistakes… say they accidentally enter their email address incorrectly, that could potentially mean someone else will be getting access to their confidential information. If you do intend on offering data through email you must ensure that the person entering the email address owns that address (verification). To not do this could constitute a serious violation of privacy and data protection laws which in the UK (at least) could lead you into some SERIOUS hot water (it’s one of the reasons why payment merchants like PayPal are so popular - as they’re responsible for maintaining the credit card details so you aren’t liable for breaches). In summary… don’t send confidential stuff by email (oh and as others have said, try to keep forms as small as possible - it’s a well established fact that asking too much from users will cause them either to fake the information or refuse to fill it in at all) - asking for a phone number for example isn’t relevant unless you need to prove their location or call them back.

In the U.S. there is no Federal privacy law per se except for The Children’s Online Privacy Protection Act (COPPA) which pertains to web site users under the age of 13. There are other laws which have a privacy component like HIPAA and The Gramm-Leach-Bliley Act.

Some states have passed their own privacy laws. The most significant of these is the California Online Privacy Protection Act. This law requires operators of commercial web sites or online services that collect personal information on California residents to conspicuously post a privacy policy on the site and to comply with its policy. The privacy policy must, among other things, identify the categories of personally identifiable information collected about site visitors and the categories of third parties with whom the operator may share the information.

As California is a significant portion of the U.S. market, it was the California Online Privacy Protection Act which provided the driving force prompting firms to provide privacy policies. However, the FTC is now prosecuting firms who have data breaches.

As far as emailing sensitive data to users, I suggest you let them check their profiles under their log-in rather than emailing the info.

That’s a good question, in the UK it would probably be covered by the Data Protection Act - http://www.ico.gov.uk/what_we_cover/data_protection/your_legal_obligations.aspx

I’ve always been of the opinion that email contact forms should only ask for the minimum of information required to process the communication, i.e. name/email address/message. Any other fields should be optional unless they are specifically required and the question cannot be answered without that information.

Confirmation emails containing a copy of the sent email can be useful if they will benefit the sender. Particularly useful for things like support requests.

Running forms over SSL isn’t normally necessary unless sending sensitive information, i.e. if you specifically require a person’s full name and DOB.

Thanks- that is a really helpful link. Most of our websites are targeting UK visitors, but we do have international ones too.

I completely agree with this- I always try and get my clients to understand that it’s important to only ask what is necessary. Sometimes they don’t understand though! Some contact forms are more like application forms. One I built does require date of birth because it’s for a competition where there is a maximum age. I suppose in this case an SSL is important because it is sensitive information.

I agree that it is useful, but I did have one person say that this is not secure and would be annoyed if their information was sent to them by email.

As I said above, some contact forms require this information (only a handful), so I suppose in these cases an SSL is important.

That’s really interesting. I suppose that is why the likes of Facebook (a U.S. company) has a minimum age of 13. I don’t think other countries, such as the UK, have the same kind of law. I wonder how this would affect the likes of me, since I am based in the UK and our server is in the UK?

Interesting again. Although most visitors from our websites won’t be from California it would be quite interesting to find out more about what is required here because it’s probably good practice anyway. I need to read up more on privacy policies. Does the California law just require a human readable privacy policy or do they require a machine readable one also? They can be complicated to set up.

I like this idea, but I don’t think this would be practical for simple forms just asking for name, phone, email etc because they wouldn’t have a login. I suppose I could send them a unique url in the body of the email which would send them to a page with their details. It wouldn’t be password protected, but it would be a unique url that only they would know.
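Two of the ideas in this thread, proving that the submitter owns the email address before anything confidential is sent to it, and emailing a unique URL instead of the submitted details, come down to the same mechanism: a random, unguessable token that the server can later recognise. The following is an added example, not code from the original thread or from any of the posters. It assumes an in-memory dict standing in for a database table and uses hypothetical helper names (issue_link, redeem_link, confirmation_email); the submission data in the test is constructed. The same token routine serves both a "verify" link (the submitter must click it before the site treats the address as theirs) and a "view" link (the page that shows them what they submitted), so the emailed confirmation carries only the link and none of the personal data.

```python
"""
Capability-style links for contact-form follow-up (added example).

Properties a practitioner wants from the "unique URL only they would know":
  * 256 bits of randomness from the OS CSPRNG, so the URL cannot be guessed or enumerated;
  * only a hash of the token is stored, so a leaked database does not yield working links;
  * links expire and are single-use, so a forwarded or archived email is not a permanent key;
  * the emailed text contains the link and nothing the user typed into the form.
"""
import hashlib
import secrets
import time
from typing import Optional

TOKEN_BYTES = 32            # 256 bits of entropy in the token
TTL_SECONDS = 24 * 3600     # links die after a day

# Constructed in-memory store standing in for a database table: token_hash -> record.
_store: dict = {}


def _hash(token: str) -> str:
    # Store a hash, never the raw token. Because the lookup key is a hash of attacker-
    # supplied input, an ordinary dict lookup leaks nothing useful about near-misses.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_link(submission: dict, purpose: str, now: Optional[float] = None) -> str:
    """Create a single-use, expiring token bound to one submission and one purpose.

    purpose is "verify" (prove ownership of the address before anything is released)
    or "view" (show the submitter their own details). The raw token is returned so it
    can be put in the emailed URL; it is not kept server-side.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _store[_hash(token)] = {
        "submission": submission,
        "purpose": purpose,
        "expires": now + TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_link(token: str, purpose: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the submission for a valid token, or None on any failure.

    Fails closed on: unknown token, token issued for a different purpose,
    expired token, or a token that has already been redeemed.
    """
    now = time.time() if now is None else now
    record = _store.get(_hash(token))
    if record is None or record["purpose"] != purpose:
        return None
    if record["used"] or now > record["expires"]:
        return None
    record["used"] = True   # single use: the link in a forwarded or archived email is dead
    return record["submission"]


def confirmation_email(base_url: str, token: str) -> str:
    """Body of the confirmation email: the link only, no copy of the submitted fields."""
    return (
        "Thanks for your submission. To confirm your email address and review what "
        f"you sent us, visit:\n\n{base_url}/submission/{token}\n\n"
        "This link works once and expires in 24 hours."
    )


if __name__ == "__main__":
    # Constructed sample submission (hypothetical data).
    sub = {"name": "A. Example", "email": "a@example.invalid", "dob": "1990-01-01"}
    token = issue_link(sub, "verify")
    print(confirmation_email("https://www.example.invalid", token))
    print("first redeem :", redeem_link(token, "verify"))
    print("second redeem:", redeem_link(token, "verify"))   # None: already used
```

A practical note on the failure modes this covers: the single-use flag is what protects against the person who worries that email is insecure, because even a mailbox that is later compromised holds a link that no longer opens anything; the purpose check stops a "verify" link from being replayed as a "view" link; and the hash-before-store means an SQL dump of the token table cannot be turned into working URLs.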