Are Partial Form Submissions Legal? A Guide to GDPR and CAN-SPAM

We recently introduced one of our most requested features of all time: partial submissions. It took us a long time to implement this feature, even though it was clear that many of our customers wanted it. Personally, I understand the hesitation—I'm not a fan of receiving emails when I haven't explicitly hit the submit button either. We also hesitated because we weren't sure of the legal and privacy implications.

This article seeks to clarify the legal implications of partial submissions. I am not a lawyer, and these are personal opinions.

So, what are partial submissions?

Partial submissions allow us to save the information that users enter in forms, even if they do not complete the entire submission. This means that if a user starts filling out a form but leaves before clicking submit, their information is saved and available to the form admins. If the user comes back to fill the form within a few days, this 'partial' response is turned into a 'completed' response.

Partial submissions (in technical and legal terms) are similar to how e-commerce platforms handle abandoned cart emails—re-engaging users when they leave in the middle of a purchase. Remember when you entered your email and address on the checkout page of an online store, but decided not to proceed because of high shipping, and received an email from Shopify the next day?

Abandoned cart and follow up email

Here are a few examples of how partial submissions can be useful:

  1. Event Registrations: Imagine a user starts filling out a registration form for a conference but leaves midway. Partial submissions allow you to retain the details they’ve already provided so that you can remind them to complete the registration.
  2. Demo Request: A potential customer might begin filling out a demo request form but gets interrupted. By saving the partial submission, you can reach out to them and offer assistance.
  3. Survey Forms: Users might start a survey but not finish it owing to time concerns. Their partial feedback is saved and can be used for survey analytics.

Let's talk more about the legal implications, especially privacy laws like GDPR and email regulations like CAN-SPAM.


GDPR

GDPR (General Data Protection Regulation) is one of the strictest privacy regulations globally. GDPR, along with the ePrivacy Directive, is the reason you see cookie consent dialogs on websites. It emphasizes user consent and transparency when collecting and processing personal data. There are specific scenarios where you can collect information under GDPR:

  1. Explicit Consent: When users have actively given permission, like clicking a checkbox or hitting a submit button.
  2. Contractual Necessity: When processing is needed to fulfill a contract with the user.
  3. Legal Obligation: When data processing is required by law.
  4. Legitimate Interest: When the data processing is necessary for your legitimate business interests, provided it doesn’t override the rights and freedoms of the user.

A regular form submission usually falls under explicit consent, as users are clearly taking action to provide their data by clicking submit. However, this doesn't happen in the case of partial submissions.

To be GDPR-compliant, we still need a reason for collecting data.

Legitimate Interest

One can rely on Legitimate Interest as the lawful basis for processing these partial submissions—this is usually the case that e-commerce platforms make. Legitimate Interest allows you to collect and process data if it is necessary for a purpose that is in both your interest and the user's interest—as long as it doesn’t override the individual's rights and freedoms.

For example, if a user starts filling out a registration form for an event, retaining that partial data can help remind them to complete their registration, which benefits both the user (who was interested in attending) and the organizer (who wants attendees to complete sign-ups).

Article 6 of the GDPR deals with "Lawfulness of processing". Specifically, Article 6(1)(f) states:

"[...] is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

This is what people often call a three-part test:

  1. Purpose: Is there a valid reason to collect partial submissions? Yes, we are assisting the user in completing their event registration.
  2. Necessity: Is storing partial submissions necessary to achieve that purpose? Yes, storing partial data is necessary. Without retaining the data, it would be impossible to determine which submissions were abandoned.
  3. Balancing Interests: Does our interest outweigh the user's privacy expectations? Users may reasonably expect their partially filled information to be retained to help complete the form—especially if this was a multi-step form and they hit the "Next" button.

Using this three-part test will help assess the viability of relying on legitimate interest for GDPR compliance, but it’s still crucial to evaluate your specific situation and consult legal experts where necessary.


CAN-SPAM

The CAN-SPAM Act of 2003 applies primarily to marketing emails, which are messages that promote products or services. Transactional emails are mostly exempt from the regulations of CAN-SPAM.

What's the difference?

Marketing emails are those that advertise or promote a product or service, such as promotional offers, newsletters, or special discounts aimed at encouraging purchases.

On the other hand, transactional emails are primarily focused on providing information related to an action initiated by the user. Transactional emails might include password resets, purchase receipts, or reminders to complete an action that the user has started.

In the context of partial submissions, reminder emails can be treated as transactional rather than marketing-oriented. This means the email is focused on helping users complete something they intended to do, like finishing a form they started.


Improving compliance

As you can see, compliance depends on how you end up using the data from partial submissions. There are a lot of grey areas. Here are some guidelines from us:

  1. Email Lists: Do not automatically add users' emails to marketing lists, since we don't have explicit consent.
  2. Avoid Cross-Marketing: Do not include promotional material in reminder emails. Keep the focus on helping users complete the action they initially intended.
  3. Allow Users to Opt Out: Include a clear and easy option for users to opt out of receiving these follow-up emails.
  4. Update Your Privacy Policy: Make sure your privacy policy includes information about collecting partial submissions, how this data is used, and how users can opt out.
  5. Disclosure: Add a welcome page to your form, and include a link to your privacy policy, or add a simple statement like, "We save your progress automatically to help you complete the form later," to help set expectations.
  6. Non-Personal Fields: You can configure your forms to collect only non-personal fields, such as multiple choice or rating fields. This allows you to gather useful survey data while avoiding the collection of personal information, making it easier to address privacy concerns.


Other Laws

There are several other laws around the world that regulate how user data is collected and managed. Here are a few key ones to be aware of:

  1. CCPA: The California Consumer Privacy Act applies to businesses that collect personal data from California residents.
  2. ePrivacy Directive: The ePrivacy Directive, also known as the "Cookie Law," applies to electronic communications within the European Union.
  3. CASL: The Canadian Anti-Spam Legislation (CASL) applies to commercial emails and electronic messages sent to Canadian residents.


Conclusion

Partial submissions can be incredibly valuable, giving you another chance to connect with users who may have lost interest or faced an obstacle while completing your form. At the same time, navigating the privacy and compliance landscape requires careful thought and deliberate action.

By relying on a legitimate interest basis (backed by a well-executed three-part test), treating follow-up emails as transactional, ensuring transparency, and respecting users' rights to opt out, we believe that partial submissions can be leveraged effectively and ethically.

This is a legal minefield, but I hope this article makes things less daunting.


Nishant Agrawal, Product & Engineering

Nish is the founder of Formcrafts, and a developer at heart. He heads product development, and writes blog posts on Fridays.

Formcrafts is a form builder that helps you create amazing forms.
