Thousands of websites collect data that users enter into forms before the form is submitted. Email addresses and passwords are popular targets for this unsolicited collection, researchers from KU Leuven, Radboud University and the University of Lausanne have discovered.

The research shows that many websites collect unsolicited data filled into forms by users. The data is collected prior to submitting a form through a submit button. About 1,844 websites collected an e-mail address from an EU user in this way. No fewer than 2,950 websites collected the e-mail address of users from the United States.

Another 52 websites collected password data without users’ knowledge or consent. The websites used third-party technology, including tools from Russian web giant Yandex. Data collection is mainly performed by integrated marketing and analytics services, often from other suppliers.

Behaviour of keyloggers

According to the researchers, unsolicited data collection shows similarities with the behaviour of keyloggers. These are malware programmes that collect everything typed. Some websites recorded every keystroke, but most collected all data from a form field when the user moved to the next field.
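To audit a site for the two behaviours described above, a reviewer can replay a recorded session and flag every request that carried the field's content before the submit event. The following is an added example, not the researchers' tooling; the log format, host names and payload layouts are constructed for illustration, and only plain, URL-encoded and Base64 forms of the value are checked.

```javascript
// Constructed sample: DOM events on one e-mail field, interleaved with outgoing requests.
const SAMPLE_LOG = [
  { t: 1, kind: 'input', value: 'ali' },
  { t: 2, kind: 'request', host: 'replay.example', body: '{"k":"ali"}' },
  { t: 3, kind: 'input', value: 'alice@example.org' },
  { t: 4, kind: 'blur' },
  { t: 5, kind: 'request', host: 'tracker.example', body: 'em=alice%40example.org' },
  { t: 6, kind: 'request', host: 'ads.example',
    body: 'u=' + Buffer.from('alice@example.org').toString('base64') },
  { t: 7, kind: 'request', host: 'cdn.example', body: 'v=1&page=/signup' },
  { t: 8, kind: 'submit' },
  { t: 9, kind: 'request', host: 'shop.example', body: 'email=alice%40example.org' },
];

// Forms under which a typed value may appear in a request body or URL.
function encodings(value) {
  return {
    plain: value,
    urlencoded: encodeURIComponent(value),
    base64: Buffer.from(value, 'utf8').toString('base64'),
  };
}

// Returns one finding per request that carried the field's current content
// before the submit event, labelled by what the user did last.
function findPreSubmitLeaks(log, minLength = 3) {
  const findings = [];
  let current = '';        // field content as of the latest input event
  let lastDomEvent = null; // 'input' or 'blur'
  for (const ev of [...log].sort((a, b) => a.t - b.t)) {
    if (ev.kind === 'submit') break; // after submit, sending the value is expected
    if (ev.kind === 'input') { current = ev.value; lastDomEvent = 'input'; continue; }
    if (ev.kind === 'blur') { lastDomEvent = 'blur'; continue; }
    if (ev.kind !== 'request' || current.length < minLength) continue;
    for (const [encoding, needle] of Object.entries(encodings(current))) {
      if (ev.body.includes(needle)) {
        findings.push({
          host: ev.host,
          encoding,
          trigger: lastDomEvent === 'input' ? 'keystroke' : 'field-exit',
        });
        break; // report each request once
      }
    }
  }
  return findings;
}
```

On the sample log this reports three requests: one sent mid-typing and two sent after the user left the field, while the post-submit request to the site itself is ignored.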

There are regional differences. Researchers note that EU GDPR legislation is likely to make websites and third-party services more vigilant about what information is collected.

Meta Pixel and TikTok Pixel

Since publishing their study, the researchers have uncovered even more cases of unsolicited data collection. Meta Pixel and TikTok Pixel were two of the most notable culprits. These invisible marketing trackers are placed by websites to follow users’ surfing behaviour and offer ads accordingly.

The trackers leaked data to Meta on 8,438 websites in the United States. For the EU this was 7,379. TikTok Pixel received data from 154 websites in the US and 147 in the EU. Both companies have yet to respond to the researchers’ findings.