If you have a website then the chances are you have a form on there for people to contact you easily.
When was the last time that you checked they were secure and working?
Do you check anything else with your contact forms?
- Is it sending a message to the potential customer that filled the form in?
- If so, is it representing your brand properly, and showing as coming from you?
- Are you using an SSL certificate, reassuring customers that data is encrypted?
- Is the form data just sent in the email, or is it also stored on the server?
- Finally, and the reason for posting this: is it being copied to anyone else?
Why the Rant?
We just discovered a little hidden setting on a site we took over. This person who had set up the site ‘as a favour’ set it up in such a way that any time someone completed the contact form, he also received a copy of their information. This had been added deliberately and intentionally on all the contact forms on the site, meaning that he had a copy of every single enquiry made through the site with names, email addresses, and potentially other sensitive information. Not much of a favour if we now report this to the ICO under GDPR!
Customers fill in contact forms in good faith, expecting their data and privacy to be respected, but sadly there are people out there who have other ideas. We’ve also seen several sites where the contact form submissions are stored in the server database. Again, this data is then potentially available to anyone else with access to the site or the hosting account, which will likely include the reseller or hosting company you are using. We’re not against either practice per se – provided it is necessary and monitored. Storing the form data can be helpful for later processing in some circumstances, but the data shouldn’t be kept for longer than necessary, and should be stored securely.
If someone set up your site or contact forms for you, check to make sure the data is protected.
Talk to your host, designer or developer if you are unsure; or get in contact with us if using WordPress.
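One way to run the check described above, as an added example that is not part of the original post: a Python script that lists every address receiving a copy of a form submission (To, Cc and Bcc) and flags any that are not on an approved list. The settings layout (`to`, `additional_headers`), the form names and the addresses are constructed assumptions; export the real values from your own form plugin.

```python
from email.utils import getaddresses

# Constructed sample: mail settings as they might be exported from a form
# plugin. The field names ("to", "additional_headers") are assumptions.
FORMS = {
    "Contact": {"to": "info@example.com",
                "additional_headers": "Reply-To: [your-email]"},
    "Quote request": {"to": "sales@example.com, info@example.com",
                      "additional_headers": "Reply-To: [your-email]\n"
                                            "Bcc: dev.favour@example.net"},
    "Callback": {"to": "info@example.com",
                 "additional_headers": "CC: Office <office@example.com>"},
}
# Addresses the site owner has agreed should receive enquiries.
APPROVED = {"info@example.com", "sales@example.com", "office@example.com"}
# Only these headers cause a copy of the message to be delivered.
RECIPIENT_HEADERS = {"to", "cc", "bcc"}


def recipients(settings):
    """Yield (field, address) for every address that receives a copy."""
    pairs = [("to", settings.get("to", ""))]
    for line in settings.get("additional_headers", "").splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in RECIPIENT_HEADERS:
            pairs.append((name.strip().lower(), value))
    for field, value in pairs:
        # getaddresses splits comma lists and strips display names.
        for _display, addr in getaddresses([value]):
            if addr:
                yield field, addr.lower()


def audit(forms, approved):
    """Return sorted (form, field, address) for recipients not approved."""
    approved = {a.lower() for a in approved}
    return sorted((form, field, addr)
                  for form, settings in forms.items()
                  for field, addr in recipients(settings)
                  if addr not in approved)


if __name__ == "__main__":
    for form, field, addr in audit(FORMS, APPROVED):
        print(f"{form}: unapproved {field} recipient {addr}")
```

Run it against every form on the site, not just the main contact page, and re-run it after any change of developer or host.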