" secureform Archives - LuxSci

Posts Tagged ‘secureform’

Is a “Click Here to Agree” User Agreement Checkbox Legally Binding?

Tuesday, November 16th, 2021

Your website order form or registration form comes complete with terms and conditions.  What is the best way to have the user see and agree with these terms? Ultimately, you want the user’s agreement to be legally binding so that if there should ever be an issue, you are protected. Is it good enough to have the user check an agreement checkbox? Do you have to do more? Do you have to be sure that the user actually reads the terms?


These questions come up all of the time and rightly are a cause for concern. Just because other web sites do it “one way” does not necessarily make that way right for you or best for you. In this article, we will tackle how the different choices you make in getting user agreement translate (or don’t translate) into binding contractual relationships.*

* This material is legal in nature and taken from discussions with our own legal counsel and from the American Bar Association. However, we are not lawyers and this should not be considered “legal advice.” Please consult your own lawyers to confirm how your choices apply to your particular situation and needs.

1. The “BrowseWrap Agreement”: Don’t do this!

Some websites simply include a textual statement to the effect of “Using this site signifies your acceptance to our terms and conditions” or “By submitting this form, you accept our terms of use.” Near to these statements is usually (but not always) a link to these “terms.” The website user does not have to intentionally do anything to signify reading and accepting the terms. In most cases, the user may not even be aware of this statement and may not know about the terms thrust upon him/her through use of the site.

This kind of “just by using it you agree” format is known as a “browsewrap agreement.” Courts have held that these types of user agreements are not usually* binding on users and have little value in protecting the website and its owners. Do not use a browsewrap agreement if you want any kind of meaningful contract with the user of your site.

* An exception seems to be, for example, the case where a user is behaving in a way that implies that s/he is aware of the terms and is trying to get around them.

2. The “ClickWrap Agreement”: User Agreement Checkbox

What you see more commonly is a checkbox that must be checked to signify that you accept the terms, the agreement, etc. The agreement will be either presented right there in the page (e.g. in a scrolling box) or there will be a link to it right near the check box. The user is not permitted to continue until that box has been checked indicating that the user agrees.

This is called a “clickwrap agreement.” The agreement is wrapped up in the deliberate action of clicking to signify acceptance of the terms or contract.

Courts generally uphold clickwrap agreements as legally binding. You can use them for order forms, contracts, and other types of agreements.

What makes a User Agreement Checkbox binding?

The most significant thing that makes a clickwrap agreement binding is that the user must intentionally agree (i.e. by checking the agreement box in addition to any other actions, like submitting an order). It does not actually matter if the user has read or understands the terms as long as the user agrees. Why? The user has the opportunity to read the agreement, ask questions, gain clarification, and to NOT agree if s/he does not understand or in fact just does not agree. By actually agreeing, the user is waiving the “I didn’t read it” or “I don’t understand it” complaints.

Clickwrap requirements:

  1. The terms must be on the page near the user agreement checkbox, so the user can read it. Or, there must be a clear link to the terms near the checkbox.
  2. The user must not be able to proceed with any actions (e.g. ordering, registering) until the agreement checkbox is checked.

There are a number of things that strengthen the degree to which a clickwrap agreement is binding:

  1. If a link to the terms is used, it should be prominent and clear. The text near the box should state clearly that the user is agreeing to the terms present in that link.
  2. Make sure the terms are very clear and readable, i.e. use a large type size, clear text, etc.
  3. Better than a link, include the terms in a [scrolling] area above the agreement checkbox.
  4. Make sure your site actually records and saves the fact that the agreement checkbox was checked (or not)! Include all of the contextual information such as the date, time, Internet IP address, etc.
  5. Make sure that your terms agreement is a valid and normal legal document. Have your lawyer review it.
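One way a form handler could apply clickwrap requirement 2 and item 4 above on the server, shown as an added example that is not LuxSci's or SecureForm's code. The field name `agree_terms`, its value `yes`, the sample terms text, and the stored terms hash are assumptions of this example.

```python
import hashlib
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample terms; a real site would load the exact text shown to the user.
TERMS_TEXT = "Sample Terms v1: constructed text for this example."


def terms_digest(terms_text):
    # Fingerprint of the exact terms displayed, so the record names the version agreed to.
    return hashlib.sha256(terms_text.encode("utf-8")).hexdigest()


def consent_record(form, remote_ip, terms_text=TERMS_TEXT, now=None):
    """Build the audit record for one submission, whether or not the box was checked."""
    # Browsers send a checked checkbox as name=value and omit an unchecked one,
    # so a missing or unexpected value is treated as "not agreed".
    agreed = form.get("agree_terms") == "yes"
    ip = ipaddress.ip_address(remote_ip)  # raises ValueError on a malformed address
    when = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {
        "agreed": agreed,
        "timestamp_utc": when.isoformat(timespec="seconds"),
        "ip": str(ip),
        "terms_sha256": terms_digest(terms_text),
    }


def handle_submission(form, remote_ip, audit_log, now=None):
    """Return True only if the order or registration may proceed."""
    record = consent_record(form, remote_ip, now=now)
    # The record is stored either way: "checked (or not)".
    audit_log.append(json.dumps(record, sort_keys=True))
    # The check runs on the server because a page-level "required" attribute or
    # script is skipped by anything that posts directly to the form handler.
    return record["agreed"]
```

In production the audit log would be an append-only store rather than an in-memory list, and `remote_ip` would come from the connection or a trusted proxy header.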

PDF DocuSign- Next Level User Agreement Checkbox

So far, we have been discussing “checking a checkbox” to agree. If you have used DocuSign or similar technologies, the process is more elaborate:

  1. You enter your name (and initials) and “assume a signature.” This is just your name rendered in some interesting font.
  2. As you read the PDF, you click on specific boxes to “Sign” your agreement. This pastes in your assumed signature.

This has all of the hallmarks of very good clickwrap:

  1. The user signs within the document — so there is no doubt that it was read or viewed.
  2. The signer intentionally clicks to agree to each signature area.
  3. You are not “done” until you have signed all areas (i.e. you can not proceed until you have explicitly agreed)

PDF DocuSign is essentially “clickwrap” made easy and done correctly for a PDF. However, it does not really add binding power beyond what you can get with regular clickwrap.

Beyond Clickwrap- Ink Signatures

What can improve on clickwrap? You can improve on clickwrap by:

  1. Intention: Making the user do more to confirm than just check a box. This shows more intention.
  2. Identity: Find ways to more strongly associate the act of signing with who is performing that act. This way there is less and less of an argument that “it wasn’t me.”

One way to go beyond clickwrap is to use LuxSci’s “Ink Signatures” and SecureForm service for collecting your web form data. Ink Signatures add a box (or multiple boxes) to your web form in which your user can sign their name with a mouse, stylus, or finger.

How can using SecureForm + Ink Signatures make document agreements more binding?

  1. By signing your name, you are doing more work than checking a box. This shows more intention and can make the contract more binding.
  2. The signature can be a required field so that the user cannot proceed without signing.
  3. As the user is signing his/her own name, there can be some identity verification through the signature images.
  4. SecureForm automatically records the date and time the form was submitted, as well as the Internet IP address of the user who signed the form.
  5. SecureForm’s GeoLocation feature records the latitude, longitude, and approximate physical address of the user who signed the form when he/she signed the form.

Item 1 speaks to intention. Items 3 through 5 improve the binding of identity to the agreement. This takes clickwrap to the next level and improves the legal enforceability of your terms and conditions.

What type of user agreement process is best for your forms? That depends on the importance of your terms and the degree to which you need to have enforceably binding agreements with your end users. Consult with a lawyer if you are unsure.

Creating Secure Websites and Forms: What You Need to Know

Tuesday, October 26th, 2021

Creating a website that has “secure” components requires more than slapping together some web pages and adding an SSL Certificate. All a certificate does is create a thin veneer of security. It does not go very far to protect whatever sensitive data necessitated security in the first place. In fact, naive attempts at security can ultimately make the data less secure and more likely to be compromised by creating an appetizing target for the unscrupulous.

So, beyond paying big bucks to hire a developer with significant security expertise, what do you do? Start with this article. Its purpose is to shed light on many of the most significant factors in creating secure websites and forms and what you can do to address them. At a minimum, reading this article will help you intelligently discuss your website security with the developers that you ultimately hire.


Read the rest of this post »

Connect your Secure Forms to your Secure Marketing

Wednesday, November 11th, 2020

An extremely common and revenue-driving workflow, from a marketing and engagement perspective, is to have the contact information of the people who fill out your online forms automatically added to your marketing database. Such an integration saves time, by not requiring manual data entry steps, and speeds your marketing automation processes along.


This automated connection is now available for your LuxSci Secure Forms; after a license upgrade, they can now be automatically integrated with your LuxSci Secure Marketing platform.  This integration enables new contacts to be automatically created in your Secure Marketing instance from selected Secure Form posts.  You can then leverage Secure Marketing to send automated drip campaigns to these contacts, send them group mailings, and more.

Read the rest of this post »

Are you encouraging insecurity via your web site forms?

Friday, April 15th, 2016

Many web sites have “contact us” pages and include web forms for receiving requests from existing or potential customers. This includes “new patient intake” forms on the web sites of healthcare providers. However, if you aren’t using a secure form solution, your web forms may suffer from several serious problems:

  • Spam – Getting unwanted form submissions from bots.
  • Privacy – Often, sensitive data is submitted insecurely through these forms.
  • Archival – You may need an archived record and backup of all submissions.
  • Notices – You may need to be alerted of form submissions, even if you are not online.

Proactive privacy vs. neglect of privacy

When your web forms transmit data insecurely, store or send data insecurely, or otherwise do not treat the data submitted with the level of protection that it deserves, you are putting the users of your forms at risk.

The typical argument is that “it is up to the user of the forms to decide if they want to submit sensitive information.” In fact, many insecure forms even have disclaimers requesting people to not submit sensitive information if they have concerns … and then the forms go on to ask lots of sensitive questions. Especially without a disclaimer, but even with one, the form is actively soliciting people to submit their information insecurely and requesting them to take risks with their private data. This is not good.

In areas such as healthcare, where these forms are often collecting sensitive health data (protected health information – PHI), the fact that an organization solicits the submission of PHI through insecure, non-HIPAA-compliant means is far from a “best practice.” Why does this happen?

  1. Securing forms is trivial and inexpensive. As the bar is so low to collecting data in a compliant way, it could be considered neglectful to not bother with security and privacy and continue to solicit data insecurely.
  2. People can insecurely send you their own, personal PHI any time … when it is done of their own accord. However, when you provide them with a recommended communication channel, and when that channel is not secure, you need to get informed consent from them before you accept the data through that channel. Informed consent means:
    1. Training them in the risks involved.
    2. Getting their explicit sign off indicating their acceptance of these risks.
    3. Capturing and saving those signed consent forms.

Getting signed consent must be properly done and it imposes a barrier in front of your forms. There is really no reason to go through all of the work to set up informed consent when it is much simpler to just secure the forms themselves.

You can block form spam, ensure content security and privacy, archive form submissions, and even get text message notices of new submissions to your phone using LuxSci SecureForm. And it takes only a couple of minutes to integrate a secure form into any existing web site at any web hosting provider.

How does SecureForm Integrate with a Web Site Form?

SecureForm is very easy to set up and integrate. You configure your SecureForm account with what you want to happen to your form data. Then you change one line of your web form (where the form posts go) and copy and paste a line of JavaScript into that page. Setup takes about 5 minutes.

How Does SecureForm deal with Spam, Encryption, Archival, and Notices?

SecureForm blocks web robot spam by determining if a real person is connecting to your form and blocking submissions from anything that is not.  Your users do not have to enter any security codes or image (Captcha) codes — the system simply checks that they are using a modern web browser with cookies enabled and JavaScript working. Most web bots do not support one or both of these standard technologies; all modern browsers do.

SecureForm enables privacy and security by allowing you to ensure that the form data is encrypted from the end user all the way to your email inbox. It enables automatic use of secure email delivery, secure FTP uploads, secure online document storage, and more. You can use any or all of these data capture methods.

SecureForm enables archival by allowing you to save copies of all form posts in an online document storage area, by uploading copies to your own FTP site, and/or by saving copies in a database that you can access as needed.

SecureForm enables notices by allowing you to have text messages sent to up to 5 different mobile devices when each form post is submitted. This is in addition to the form data being emailed to where it needs to go. You and your staff can be informed in real time of new posts, no matter where you are.

LuxSci SecureForm is the swiss army knife of web and PDF form processing tools, integrating quickly with any existing web sites and providing form security even if your web site is not already secured with TLS.

Embedding SecureForms into WordPress using an iframe

Monday, March 14th, 2016

WordPress is an incredibly popular Web site management and blogging platform.  Customers inquire of LuxSci frequently about the best way to add forms to their WordPress pages and posts.  Not just any forms — complex forms that can be HIPAA-compliant and which can submit data securely through SecureForm.

There are numerous options here.  The two most popular are GravityForms and embedding forms with an iframe.  GravityForms is popular and very cool, but not free.  Also as GravityForms is complex and really wants to manage all of your form data itself (insecurely), integration with SecureForm is limited:

  • Multiple forms on the same page can be tricky
  • Ink Signatures can not be captured
  • File uploads can not be captured

Another alternative, which is free as it is included with your SecureForm service, is to:

  1. Build your form with SecureForm FormBuilder
  2. Embed this form into your WordPress page or post using an iframe

What is an “iframe?” It is a tool that allows you to embed one Web page within another Web page. When you build a form with FormBuilder — that form is automatically saved and hosted securely for you and you are provided with the Web site address (URL) for that form. All you need to do is to “insert” that hosted form into your WordPress page/post and you are all set. All FormBuilder features are then also supported: Ink Signatures, file uploads, geolocation, etc.

Read the rest of this post »
