How Marketo’s New Form Prefill Security Impacts Your Business?

Marketo just introduced security changes to its form prefill feature. What does this mean for your organization? What are the changes? Are there any gotchas?

Here’s what you need to know. As always, our disclaimer applies: there are exceptions to what I describe below, so you’ll need to test for your specific use case.

Marketo Form Prefill is Awesome, Right?

Most Marketo customers who leverage Marketo forms use form prefill. The feature allows your audience members to fill out a form and have that data (along with any hidden data values) remembered for future form fills. Form prefill can also work if a person clicks on a trackable link from your marketing messages.

When the person returns to fill out a second form, that data is prefilled to save the person time filling it in again. For those of you using progressive profiling, the audience member sees the follow-up questions you didn’t want to ask the first time around.

Marketo’s form prefill improves the user experience while making it easier for companies to learn more about their users over several visits.

What’s the Marketo Form Prefill Security Issue You Might Ask?

The Marketo form prefill security issue arises when a computer is shared: maybe it sits in a shared workplace, hotel, or business center. After someone fills out a Marketo form, the next person who opens that form sees the previous person’s prefilled information. This is a known behavior that has gone on since before the Jonas Brothers were belting out tunes on the Disney Channel.

With the new changes, this security problem goes away. Return visits to the page through the normal course of navigation will no longer show that prefill information. So when that sketchy traveler at the hotel computer tries to grab your data from a form you just filled out, it won’t be prefilled.

What Do the Changes Mean?

But wait – what if you love prefill functionality and don’t want it to go away?

Don’t worry, as long as someone clicks on a Marketo trackable link, prefill information will still work on the page that the link leads to (it only works on the page you land on). In other words, 95% of use cases will see the functionality work the same exact way you’d expect.

For example, if you are sending emails through Marketo, those links are trackable by default, meaning form prefill will work the same way it always has. One exception: if the person navigates away from the page and returns, the information will no longer be prefilled.

For the most part, changes only impact form submissions via normal browsing. Here’s a great grid of expected behavior from Marketo itself.

SOURCE: Marketo. As published in Marketo Community by Roxann McGlumphy.

Use Cases You Should Plan Around

The new Marketo form prefill capabilities improve security but also impact the way form prefill has always worked. Here are a couple of examples:

  • Preference Centers – If a person navigates to your preference center from your website, that person’s preferences will NOT be prefilled, even if that person had previously filled out a form. That means that if John Smith navigates his way to your preference center from a link at the bottom of your page, the preference center page will present blank or default information–not exactly a personalized experience.

  • Advanced Forms – If you are doing advanced things with forms, you might want to do some testing. For example, we have a few clients that use forms on successive pages where one form requires data from the previous form (e.g. an interactive calculator or course selector). Be aware and test. If the form is not working properly, you can most likely add some JavaScript to solve the issue.
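
One way to handle the successive-forms case in the Advanced Forms bullet, as an added example that is not code from this article or from Marketo: step one's answers are handed to the next page through tab-scoped sessionStorage, limited to an allow-list of non-personal fields, read once and expired after ten minutes, so the shared-computer exposure the prefill change closes is not reopened. The field names, storage key and TTL are assumptions; `MktoForms2.whenReady`, `form.vals` and `form.onSuccess` are Marketo Forms 2.0 API calls.

```javascript
// Added example; field names, storage key and TTL are assumptions, not values from the article.
const HANDOFF_KEY = 'formHandoff';                     // hypothetical storage key
const ALLOWED_FIELDS = ['courseInterest', 'teamSize']; // hypothetical non-personal fields
const TTL_MS = 10 * 60 * 1000;                         // drop the hand-off after 10 minutes

// Keep only allow-listed fields, so names, emails and phone numbers never reach storage.
function pickAllowed(values) {
  const out = {};
  for (const name of ALLOWED_FIELDS) {
    if (typeof values[name] === 'string' && values[name] !== '') out[name] = values[name];
  }
  return out;
}

// Step 1 page: store the allow-listed answers with a timestamp.
function saveHandoff(storage, values, now = Date.now()) {
  storage.setItem(HANDOFF_KEY, JSON.stringify({ savedAt: now, values: pickAllowed(values) }));
}

// Step 2 page: read once, delete immediately, and reject stale or malformed entries.
function consumeHandoff(storage, now = Date.now()) {
  const raw = storage.getItem(HANDOFF_KEY);
  storage.removeItem(HANDOFF_KEY);
  if (raw === null) return {};
  try {
    const entry = JSON.parse(raw);
    if (!entry || typeof entry.savedAt !== 'number' || now - entry.savedAt > TTL_MS) return {};
    return pickAllowed(entry.values || {});
  } catch (err) {
    return {};
  }
}

// Browser wiring through the Marketo Forms 2.0 API; skipped where it is not loaded.
if (typeof MktoForms2 !== 'undefined' && typeof sessionStorage !== 'undefined') {
  MktoForms2.whenReady(function (form) {
    form.vals(consumeHandoff(sessionStorage));   // fill step 2 from step 1, if present
    form.onSuccess(function (values) {
      saveHandoff(sessionStorage, values);       // hand answers to the next page
      return true;                               // continue to the follow-up page
    });
  });
}
```

Because the entry is deleted on first read and never contains contact fields, a later visitor in the same tab gets a blank form rather than the previous person's details.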

The Forwarded Email Issues Still Exist — Kind Of

The one default security item that still exists revolves around emails that are forwarded.

Like a doctor’s prescription, trackable Marketo emails are only intended for the person receiving them. The email’s tracking links are personalized to the individual.

If the intended recipient fills out a form after clicking on an email and then forwards the email to someone else, that second recipient will see the intended recipient’s data.

Let’s say John wants to attend a party after receiving an email promoting an event. John fills out the registration form and then forwards the email to his buddy Sarah. When Sarah visits the registration page through a link on the email intended for John, she’ll most likely see John’s info.

Exception–A Slight Enhancement with New Functionality:

If the forwarded recipient’s browser is already cookied, that conflict is recognized and the information will not prefill.

On another note, a side effect of the above scenario is inaccurate Marketo processing. Sarah’s clicks and form submission may track back to John’s record (and yes, this can cause a mess with scoring, etc.). This is a post for another day.

The Verdict

You’ll have to decide the tradeoff for yourself.

On one hand, the Marketo form prefill changes improve security in very specific circumstances. On the other hand, the way form prefill behaves in certain instances is not always desirable. However, some JavaScript will usually do the trick.

Where Do You Go for More Resources?

If you need help, Digital Pi is offering a free form health check. Just shoot us a note and we’ll get you set up. If you need some custom code, our developers can get that created for you.

Also, there is a great article in the community that will answer a lot of your questions. And make sure to read the comments section, which is on fire with 100+ comments.

What did I miss? Any use cases you are having challenges with? Please comment below.
