Comments
-
Might run into GDPR issues. Also, take care to sanitise the input as a potential attack vector - the current Log4j affair is a cautionary tale of how user-controlled data can wreak havoc in the backend.
-
C0D4 68146 3y
Analytics shouldn't contain PII* data, if it does it counts as logging.
Check with your local laws and the GDPR / CCPA.
But in essence, never store more than you need, and never store it any longer than you need it.
* https://en.wikipedia.org/wiki/... -
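One way to act on the two comments above (keep PII out of analytics, treat form input as untrusted), as an added example that is not part of the original thread: the failure event is built from an allow-list, so it carries the status, error code and field sizes but never the form content. The field names, the error object's shape and the 100-character cap are assumptions.

```javascript
// Added example (not from the thread). Field names, the error shape and
// the 100-character cap are assumptions made for illustration.
const EXPECTED_FIELDS = ["name", "email", "message"]; // hypothetical form fields
const MAX_LEN = 100;

// Strip control characters (log forging via CR/LF) and cap the length.
function safeString(value) {
  return String(value).replace(/[\u0000-\u001f\u007f]/g, "").slice(0, MAX_LEN);
}

// Build the event from an allow-list: status, error code, endpoint and the
// size of each expected field. Field values and error.message (which may
// echo user input) are never copied.
function buildFailureEvent(formData, error) {
  const event = {
    endpoint: safeString(error.endpoint ?? "unknown"),
    status: Number.isInteger(error.status) ? error.status : 0,
    error_code: safeString(error.code ?? "unknown"),
    unexpected_fields: Object.keys(formData)
      .filter((k) => !EXPECTED_FIELDS.includes(k)).length,
  };
  for (const name of EXPECTED_FIELDS) {
    const value = formData[name];
    event["len_" + name] = typeof value === "string" ? value.length : 0;
  }
  return event;
}

// Constructed sample input.
const sampleForm = {
  name: "Ada Example",
  email: "ada@example.test",
  message: "Hello,\nplease call me back.",
  honeypot: "x",
};
const sampleError = {
  endpoint: "/api/contact",
  status: 503,
  code: "unavailable\r\nforged-line",
  message: "failed to store message from ada@example.test",
};

// The resulting object is what would be handed to the analytics call.
console.log(buildFailureEvent(sampleForm, sampleError));
```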
Voxera 11585 3y
I agree about not storing in GA.
But regarding GDPR, since it's a contact form, anyone that fills it out gives you permission to store and process that data for the purpose of the form.
You can also store it temporarily in a log but not long term since the logging is not the purpose of the form, but logging is usually a requirement for the running of a site and that gives you the right to log necessary data for at least some minimum time.
For more information search for “Legal grounds gdpr” for a list of valid reasons to store and process data.
And remember that explicit consent is a last resort :). If any of the others work they are easier and better. -
sariel 8534 3y
Take my advice.
Just set up a mailto link with a filtered inbox (think Gmail and forward to your real account).
You will save yourself about 2 days of effort and it will be a bit more secure.
I am building my portfolio website and added a contact section. In the API call to the backend, I am logging potential API failures to Firebase Analytics. Is it ethical to include the request data (content of the contact form) in log data?
question
ethic