Highlights

Users' email addresses are exfiltrated to tracking, marketing and analytics domains before form submission and before giving consent on 1,844 websites when visited from the EU and 2,950 when visited from the US.

We found incidental password collection on 52 websites by third-party session replay scripts. (These issues were fixed thanks to our disclosures.)

In a follow-up investigation, we found that Meta (formerly Facebook) and TikTok collect hashed personal information from web forms even when the user does not submit the form and does not give consent.
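A site owner can check their own pages for the behaviour described above by typing a test address into a form and searching the captured outbound requests for it. The following is an added example, not code from the study: the domains, request records and function names are constructed, and the set of encodings and hashes searched for is an assumption, since the page says only that the data is hashed.

```python
import base64
import hashlib
from urllib.parse import quote, urlsplit

def encodings(email):
    """Forms in which a typed address may appear in an outbound request."""
    raw = email.strip().lower().encode()
    return {
        "plain": raw.decode(),
        "urlencoded": quote(raw.decode(), safe=""),
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def is_third_party(url, site):
    # Assumption: plain suffix match; a real audit would use the Public Suffix List.
    host = urlsplit(url).hostname or ""
    return not (host == site or host.endswith("." + site))

def find_leaks(email, site, requests, submit_ts=None):
    """Return (host, encoding) for each third-party request that carries the
    address and was sent before the form was submitted (or never submitted)."""
    hits = []
    for req in requests:
        if submit_ts is not None and req["ts"] >= submit_ts:
            continue  # sent after submission: outside this check
        if not is_third_party(req["url"], site):
            continue
        text = req["url"] + " " + req.get("body", "")
        for name, value in encodings(email).items():
            if value in text or value in text.lower():
                hits.append((urlsplit(req["url"]).hostname, name))
                break
    return hits

# Constructed capture: test address typed into a form on shop.example.
EMAIL, SITE = "alice@example.com", "shop.example"
SAMPLE_REQUESTS = [
    {"ts": 1.0, "url": "https://shop.example/api/validate",
     "body": "email=alice%40example.com"},
    {"ts": 2.0, "url": "https://collector.tracker.example/e?em="
     + encodings(EMAIL)["sha256"]},
    {"ts": 2.5, "url": "https://cdn.static.example/lib.js"},
    {"ts": 3.0, "url": "https://replay.analytics.example/rec",
     "body": '{"field": "email", "value": "alice@example.com"}'},
    {"ts": 9.0, "url": "https://mail.provider.example/subscribe?e=alice%40example.com"},
]

if __name__ == "__main__":
    print(find_leaks(EMAIL, SITE, SAMPLE_REQUESTS, submit_ts=5.0))
```

Passing `submit_ts=None` covers the case where the form is never submitted, so every third-party request carrying the address is reported.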