I just watched Wes Bos' Learn Redux course, which was sponsored by Sentry - and he had a little video showing their service. By default it logs the user's IP (or at least did when he recorded) on all events - any client-side error, any messages the developer raises to Sentry from the client side code, any feedback form powered by Sentry the developer uses. I'm sure you can turn it off, but I imagine that kind of thing is all over some companies.
My new favorite thing is libraries that track every mouse move you make, every scroll action, every key you type, etc., including things you pasted into a textbox by mistake, and send it back over a websocket or something to a third-party service so that the website's UX people later can see how real people interact with their website and optimize it. Google for "website mouse tracking" or "website session replay" to see a bunch of startups that do this (many of whom have ads at the top).
I am incredibly excited for the GDPR to make these products too much of a regulatory burden to be worth considering.
