" secureform Archives - LuxSci

Posts Tagged ‘secureform’

Is a “Click Here to Agree” User Agreement Checkbox Legally Binding?

Tuesday, November 16th, 2021

A website order form or registration form comes complete with terms and conditions. What is the best way to have the user see and agree with these terms? Ultimately, the user’s agreement needs to be legally binding to protect the business if there is an issue. Is it good enough to have the user check an agreement checkbox? Do you have to do more? Do you have to be sure that the user reads the terms?

user agreement checkbox

These questions come up all the time and are a cause for concern. Just because other websites do it “one way” does not necessarily make that way right or best for you. This article will tackle how the different choices you make in getting user agreements translate (or don’t translate) into binding contractual relationships.*

* This material is legal in nature and taken from discussions with our own legal counsel and from the American Bar Association. However, we are not lawyers and this should not be considered “legal advise.” Please consult your own lawyers to confirm how your choices apply to your particular situation and needs. 

1. The “BrowseWrap Agreement”: Don’t do this!

Some websites include a textual statement similar to: “Using this site signifies your acceptance of our terms and conditions” or “By submitting this form, you accept our terms of use.” A link to the terms is usually (but not always) located near this statement. The website user does not have to do anything to signify reading and accepting the terms. In most cases, the user may not even be aware of this statement and may not know about the terms thrust upon them through the use of the site.

This kind of “just by using it, you agree” format is known as a “browsewrap agreement.” Courts have held that these user agreements are not usually* binding on users and have little value in protecting the website and its owners. Do not use a browsewrap agreement if you want any meaningful contract with your site user.

* An exception seems to be, for example, if the case where a user is behaving in a way that implies that they are aware of the terms and are trying to get around them.

2. The “ClickWrap Agreement”: User Agreement Checkbox

Users commonly encounter checkboxes that must be checked to signify the acceptance of the terms, the agreement, etc. The agreement will be presented on the page (e.g., in a scrolling box) or a link to it right near the check box. The user is not permitted to continue until that box has been checked, indicating that the user agrees.

This is called a “clickwrap agreement.” The agreement is wrapped up in the deliberate action of clicking to signify acceptance of the terms or contract.

Courts generally uphold clickwrap agreements as legally binding. They can be used for order forms, contracts, and other agreements.

What makes a User Agreement Checkbox binding?

The most significant thing that makes a clickwrap agreement binding is that the user must intentionally agree (i.e., by checking the agreement box and any other actions, like submitting an order). It does not matter if the user has read or understands the terms as long as the user agrees. Why? The user can read the agreement, ask questions, gain clarification, and NOT agree if they do not understand or do not agree. By actually agreeing, the user is waiving the “I didn’t read it” or “I don’t understand it” complaints.

Clickwrap requirements:

  1. The terms must be on the page near the user agreement checkbox so the user can read them. Or, there must be a clear link to the terms near the checkbox.
  2. The user must not be able to proceed with any actions (e.g., ordering, registering) until the agreement checkbox is checked.

Several things strengthen the degree to which a clickwrap agreement is binding:

  1. If a link to the terms is used, it should be prominent and clear. The text near the box should clearly state that the user agrees to the terms.
  2. Make sure the terms are obvious and readable. I.e., use large type size, clear text, etc.
  3. Including the terms in an [scrolling] area above the agreement checkbox is better than a link.
  4. Ensure your site records and saves the fact that the agreement checkbox was checked (or not)! Include all contextual information such as the date, time, internet IP address, etc.
  5. Make sure that your terms agreement is a valid and standard legal document. Have your lawyer review it.

PDF DocuSign- Next Level User Agreement Checkbox

So far, we have been discussing “checking a checkbox” to agree. If you have used DocuSign or similar technologies, the process is more elaborate:

  1. Enter your name (and initials) and “assume a signature.” This is just your name rendered in some interesting font.
  2. Click on specific boxes to “Sign” your agreement as you read the PDF. This pastes in your assumed signature.

This has all of the hallmarks of a very good clickwrap:

  1. The user signs within the document — so there is no doubt that it was read or viewed.
  2. The signer intentionally clicks to agree to each signature area.
  3. You are not “done” until you have signed all areas (i.e., you can not proceed until you have explicitly agreed)

DocuSign is essentially “clickwrap” made easily and correctly for a PDF. However, it does not add binding power beyond what you can get with regular clickwrap.

Beyond Clickwrap- Ink Signatures

What can improve on clickwrap? You can improve on clickwrap by:

  1. Intention: Making the user do more to confirm than check a box. This shows more intention.
  2. Identity: Find ways to more strongly associate the act of signing with who is performing that act. There is less and less of an argument that “it wasn’t me.”

One way to go beyond clickwrap is to use LuxSci’s “Ink Signatures” and Secure Form service for collecting your web form data. Ink Signatures add a box (or multiple boxes) to your web form where users can sign their name with a mouse, stylus, or finger.

How can using Secure Form + Ink Signatures make document agreements more binding?

  1. The user does more work than checking a box by signing their name. This shows more intention and can make the contract more binding.
  2. The signature can be a required field so that the user cannot proceed without signing.
  3. Identity verification can be done through the signature images as the user signs their name.
  4. Secure Form automatically records the date and time the form was submitted and the internet IP address of the user who signed the form.
  5. Secure Form’s GeoLocation feature records the latitude, longitude, and approximate physical address of the user who signed the form when they signed it.

Item 1 speaks to intention. Items 3 through 5 improve the binding of identity to the agreement. This takes clickwrap to the next level and improves the legal enforceability of your terms and conditions.

What type of user agreement process is best for your forms? That depends on the terms and the degree to which enforceably binding agreements with your end-users are needed. Consult with a lawyer if you are unsure.

Creating Secure Websites and Forms: What You Need to Know

Tuesday, October 26th, 2021

Creating a website with “secure” components requires more than slapping together some web pages and adding an SSL Certificate. All a certificate does is create a thin veneer of security. It does not go very far to protect whatever sensitive data necessitated security in the first place. Naive attempts at security can ultimately make the data less secure and more likely to be compromised by creating an appetizing target for the unscrupulous.

So, what do you do beyond paying big bucks to hire a developer with significant security expertise? Start with this article. Its purpose is to shed light on many of the most significant factors in creating secure websites and forms and what you can do to address them. At a minimum, reading this article will help you intelligently discuss your website security with the developers you ultimately hire.

creating secure website forms

Read the rest of this post »

Connect your Secure Forms to your Secure Marketing

Wednesday, November 11th, 2020

From a marketing and engagement perspective, an extremely common and revenue-driving workflow is to have the contact information of the people who fill out your online forms automatically added to your marketing database. This integration saves time by not requiring manual data entry steps and speeds up your marketing automation processes.

Secure Form to Secure Email Marketing Integration

This automated connection is now available for your LuxSci Secure Forms. After a license upgrade, they can now be automatically integrated with your LuxSci Secure Marketing platform. This integration enables new contacts to be automatically created in your Secure Marketing instance from selected Secure Form posts. You can then leverage Secure Marketing to send automated drip campaigns to these contacts, group mailings, and more.

Read the rest of this post »

Are you encouraging insecurity via your website forms?

Friday, April 15th, 2016

Many websites have “contact us” pages and include web forms for receiving requests from existing or potential customers. This includes “new patient intake” forms on healthcare providers’ websites. However, if you aren’t using a secure form solution, your web forms may suffer from several serious problems:

  • Spam – Getting unwanted form submissions from bots.
  • Privacy – Often, sensitive data is submitted insecurely through these forms.
  • Archival – You may need an archived record and backup of all submissions.
  • Notices – You may need to be alerted of form submissions, even if you are not online.

Proactive privacy vs. neglect of privacy

When web forms transmit or store data insecurely or otherwise do not treat the data submitted with the level of protection it deserves, you are putting the users of your forms at risk.

The typical argument is that “it is up to the user of the forms to decide if they want to submit sensitive information.” Many insecure forms even have disclaimers requesting people not to submit sensitive information if they have concerns and then ask lots of sensitive questions. Especially without a disclaimer, but even with one, the form is actively soliciting people to submit their information insecurely and requesting them to take risks with their private data. This is not good.

In areas such as healthcare, where these forms are often collecting sensitive health data (protected health information – PHI), the fact that an organization solicits the submission of PHI through insecure, non-HIPAA-compliant means is far from a “best practice.” Why does this happen?

  1. Securing forms is trivial and inexpensive. As the bar is so low for collecting data in a compliant way, it could be considered neglectful to not bother with security and privacy and continue to solicit data insecurely.
  2. People can insecurely send you their own personal PHI any time … when it is done of their own accord. However, when you provide them with a recommended communication channel, and when that channel is not secure, you need to get informed consent from them before you accept the data through that channel. Informed consent means:
    1. Training them in the risks involved.
    2. Getting their explicit sign-off indicating their acceptance of these risks.
    3. Capturing and saving those signed consent forms.

Getting signed consent must be done appropriately, and it imposes a barrier in front of your forms. There is no reason to go through all the work to set up informed consent when it is simpler to secure the forms themselves.

You can block form spam, ensure content security and privacy, archive form submissions, and even get text message notices of new submissions to your phone using LuxSci Secure Form. And it takes only a couple of minutes to integrate a secure form into any existing website at any web hosting provider.

How does Secure Form Integrate with a Website Form?

Secure Form is straightforward to set up and integrate. You configure the Secure Form account with what you want to happen to your form data. Then you change one line of your web form (where the form posts go) and copy and paste a line of JavaScript into that page. Setup takes about 5 minutes.

How Does Secure Form deal with Spam, Encryption, Archival, and Notices?

Secure Form blocks web robot spam by determining if a real person is connecting to your form and blocking submissions from anything that is not. Your users do not have to enter any security codes or image (Captcha) codes — the system checks that they are using a modern web browser with cookies enabled and JavaScript working. Most web bots do not support one or both of these standard technologies; all modern browsers do.

Secure Form enables privacy and security by allowing you to ensure that the form data is encrypted from the end-user to your email inbox. It enables the automatic use of secure email delivery, secure FTP uploads, secure online document storage, and more. You can use any or all of these data capture methods.

Secure Form enables archival by saving copies of all form posts in an online document storage area, uploading copies to your FTP site, or saving copies in a database that you can access as needed.

Secure Form enables notices by allowing you to have text messages sent to up to 5 different mobile devices when each form post is submitted. This is in addition to the form data being emailed to where it needs to go. You and your staff can be informed in real-time of new posts, no matter where you are.

LuxSci Secure Form is the swiss army knife of web and PDF form processing tools, integrating quickly with existing websites and providing form security even if your website is not already secured with TLS.

Embedding Secure Forms into WordPress using an iframe

Monday, March 14th, 2016

WordPress is incredibly popular website management and blogging platform. Customers frequently inquire about the best way to add forms to their WordPress pages and posts. Not just any forms- they want to integrate complex forms that can be HIPAA-compliant and which can submit data securely through Secure Form.

There are numerous options here. The two most popular are GravityForms and embedding forms with an iframe. GravityForms is popular and very cool, but not free. Also, as GravityForms is complex and wants to manage all of your form data itself (insecurely), integration with Secure Form is limited:

  • Multiple forms on the same page can be tricky
  • Ink Signatures can not be captured
  • File uploads can not be captured

Another alternative, which is free as it is included with your Secure Form service, is to:

  1. Build your form with Secure Form Form Builder
  2. Embed this form into your WordPress page or post using an iframe

What is an “iframe?” It is a tool that allows you to embed one web page within another web page. When you build a form with FormBuilder — that form is automatically saved and hosted securely for you, and you are provided with the website address (URL) for that form. You need to “insert” that hosted form into your WordPress page/post, and you are all set. All FormBuilder features are also supported: Ink Signatures, file uploads, geolocation, etc.

Read the rest of this post »