[fivea]

> How you can tell if the data you're collecting is PII?

No. How can you tell, as a user of any random website, that the script your browser is running as part of that page you've opened isn't shipping PII collected from your usage.

[capableweb]

Eeh, not sure that question is relevant to the points of anything described in this comment-chain. For context, here it is again:

> > > > I’ve needed to send off an HTTP request with some data to log when a user does something like navigate to a different page or submit a form.

> > > No need for that. Stop hoarding data!

> > What's wrong with doing something like this? If it contains PII, then I agree, [...]

> How can you tell?

The context is from the perspective of the application developers who wants to log some data (unclear what exactly, hence my comment differentiates between PII or not) when user is leaving. The comment I'm replying to states "stop hoarding data!" but I'm pretty clear that's referring to hoarding PII, not any data. As you're the developer setting up this "send off an HTTP request with some data", it's clear to you if it's PII or not.

Obviously, as a user with JavaScript turned on, visiting a random website, have little to no control over what data exactly is collected and sent. That's basically the point of the web today, where application developers can write arbitrary JS applications that gets executed in the browser sandbox, and hence why it's so popular in the first place.

[mattlondon]

You can tell by not entering any PII into the site in the first place.

IP is technically PII in some places. Personally I am not worried if a criminal gets "my" IP in the same way that I am not worried if they have my phone number. I would be worried if they had my name address age bank account info etc, but then I don't give that out freely

[fivea]

> You can tell by not entering any PII into the site in the first place.

That's not the definition of PII. At best, that covers a small subset of PII.

PII means any information that can be used to identify you, either directly or indirectly.

When you access a website combined with which link you opened or which search keywords you used can be used to infer who you are.

How do you tell if a script is not shipping that info to an undisclosed third-party?

[ryandrake]

If you are not worried that a criminal (or anyone) gets your phone number, post it here in reply to this post.

That's kind of my very coarse litmus test for PII: If I'm not willing to post it publicly in a rando internet forum, it's probably PII. There are exceptions obviously, and the inverse is not true: I may be willing to publicly post certain PII.