Hello everybody,

I have a PHP form that sends an email address. I'd like it to also send the location from which the form is being filled in. I imagine this could be done with a hidden field that collects the IP address, right?

Are there issues regarding data protection that should be taken into account. This would be an international form hosted in the United Kingdom, would the site need to make it known that the users location is also being recorded?

Any help with this would be much appriciated.

Thanks,
Laurence

There's a big difference between the two possible meanings of "location":
1. The IP address the user is submitting from.
2. The information about the IP address including geographic location.

Either way you'll need the IP address, but the second will be more involved. There are several discussions here on DD about locating the country from an IP and several services available. Try searching the forums. For a specific service (free and paid versions available) look into MaxMind GeoIP.


It's a little hard to imagine what your form/php looks like (post some code if you can), but assuming a standard setup, this is not hard to do.

You don't need a hidden field if you are using PHP to send the form. PHP already has the IP address available in the variable $_SERVER['REMOTE_ADDR']. Just add that into the email message however you'd like. Of course if for some reason you really want to add it to the form then you can echo that value into the value of a hidden field, but then the user could potential fake it, etc., and you may as well just do it after submitting. The only case where I can see this being useful is if you are submitting to an external form-mailer site, where you'd then forward the IP also, but some of those actually give you the IP anyway. And if you have PHP, I'd recommend doing it yourself rather than using a form mailer on another site-- it's just cleaner and more professional, so since you have PHP why not do it the best way?


As for the legal complications, I understand your concerns, but I don't think it's a problem.
The IP is sent as part of the request for a webpage. Otherwise the server wouldn't know where to send the data back.
So EVERY webpage on the internet will at least temporarily store the IP address.

As for information gathering, that's a bit more of a concern, but if you are not trying to attach users to IPs (for example, credit card information, or date of birth) and just using the IPs to track individuals, then I don't think this is much of a problem.

Of course many websites have a disclaimer noting this and other things like "we will put cookies on your computer", but just like the cookies, that's a lot of concern over nothing: that's like saying "warning: this website will transfer text to your screen".

With the warning you're certainly safer if someone does have a legal response, but if you are just using the IP for minimal identification purposes, then I don't think it's a problem.

By going to a website users inherently consent to being connected to the server; thus they inherently consent to sending the IP address.

HOWEVER, there are lots of issues with privacy, so if you plan to sell and/or otherwise distribute the IP and data, that should (must?) be clearly stated in your terms of service. If you are selling the information to a marketing agency (for example), this is not implied by visiting your site and should be made clear.
If it's just for your personal use this shouldn't apply.


Another way to think of this is that I don't believe there are any legal consequences to keeping logs (IP address + activity + time), there may be for other things such as later organizing the data. If you are just getting the IP address with the other data sent and then not doing anything greater to it, that's probably fine. If you are creating a 'profile' for each user based on the IP address and not telling them about it and using it to track ads to serve them or something, then that's probably less ok (though I'm not really sure if there's any legal reason you can't do this, but it's bordering on it...).

People are weird about "personal" information... For example, this urgent and outraged warning has been circulating on FB:
ATTENTION EVERYONE---There's a site called Spokeo.com that's a new online phone book w/personal information: everything from pics you've posted on FB or web, your approx credit score, home value, income, age, etc. Yes, the site does have personal info about you. Some is publicly available (in the traditional sense), but most of it is stuff that you, yourself, has posted online, not stopping to think that you're making it publicly available.

It's like running up and down your street naked and then being upset because your neighbor makes a comment about your speedo-tan.

Thanks very much for the replies.

Those for whom I would make this form had considered organizing this information and selling it on.


HOWEVER, there are lots of issues with privacy, so if you plan to sell and/or otherwise distribute the IP and data, that should (must?) be clearly stated in your terms of service.

How does one clearly state this? Is it enough to have a 'Terms of Service' link at the bottom of every page linking to an explanation of how the data is being used? I guess it would be more considerate to have a link clearly involved in the form as well.

Thanks again,
Laurence

Stating it in your TOS is fine, as long as its clear. Putting a link on your form can help people feel more at ease, too.

Sorry about my "rant" above, too. :)

hey, thanks for all the advise. oh and no worries about the 'rant'. I'm with you on all that :)

Best wishes! Laurence

hey, thanks for all the advise...

no prob, dog

(I had to say it)

... :)