Session Replay Is a Privacy Liability. Do This Instead.

Meta: Session replay tools record every keystroke — a GDPR minefield. Aggregate heatmaps give 90% of the insight with none of the legal risk.

Session replay is seductive. Click play, and you watch a user navigate your site in real time—their mouse movements, form fills, errors, frustrations. You see exactly where they got stuck. It feels like having a user sitting next to you.

But session replay is also one of the most legally risky analytics practices available. The tools record literally everything: keystrokes in password fields, credit card numbers in form inputs, sensitive search terms, URLs they navigate to. This data is personal information under GDPR and CCPA. Recording it without explicit, informed consent is not just a compliance issue—it's a liability.

And here's the problem: most teams using session replay don't realize the legal exposure they're taking on.

What Is Session Replay?

Session replay captures a user's entire browsing session and recreates it visually. The tool logs:

  • DOM changes (every element that appears or disappears)
  • Mouse movements and clicks (exact coordinates on every interaction)
  • Keyboard input (every character typed—visible in the recorded session)
  • Scroll depth and timing (exactly when the user scrolled and how far)
  • Form field values (text entered into input boxes, including sensitive fields)
  • Network activity (XHR requests, timing, responses)
  • Browser console errors (JavaScript exceptions and warnings)
  • Page resources (which images, fonts, scripts loaded)

The tool bundles all this data and stores it centrally, indexed by user ID. You can then search for sessions by behavior, view individual replays, and debug user issues.

It's powerful for understanding user experience. It's also a GDPR nightmare.

Why Session Replay Is a GDPR Problem

GDPR classifies personal data as "any information relating to an identified or identifiable natural person." Session replay captures multiple categories of personal data in every session:

1. Keystroke Recording = Sensitive Data Collection

When a user types into a form field, session replay records what they typed. This includes:

  • Passwords (if the field allows text visibility or isn't properly masked)
  • Email addresses and usernames
  • Credit card numbers and expiration dates
  • Social security numbers
  • Medical or financial information
  • Search queries and sensitive personal information

Even if form fields are masked visually in the replay, the underlying data is still captured and stored. GDPR considers this "special category personal data" if it reveals health, financial, or other sensitive information.

2. Consent Complexity

Lawful processing of personal data under GDPR requires one of six legal bases—and for session replay, the only viable basis is explicit informed consent.

Generic privacy notices don't cut it. You need users to:

  • Understand what will be recorded (every keystroke, click, form input)
  • Know how long data will be retained
  • Understand who will access it
  • Explicitly opt-in (not opt-out)
  • Withdraw consent at any time

Most teams deploy session replay with only a privacy policy update. This isn't compliant. You need specific, informed consent for session replay—separate from general analytics consent.

3. Data Retention Liability

Session replay generates massive amounts of personal data. Storing it is expensive and legally risky.

GDPR requires that personal data be kept "no longer than necessary." But what's necessary?

  • User behavior data might be valuable for 30 days (bug investigation)
  • But you're storing months of sessions
  • Each stored session is a liability
  • Retention beyond necessity violates GDPR

Under CCPA (California), users have a right to deletion. Session replay data must be deletable on request—which is technically difficult when data is already stored in third-party systems.

4. Third-Party Data Processing

Most session replay tools are SaaS platforms (Hotjar, Fullstory, Microsoft Clarity, Logrocket). You're transferring personal data to a third party's servers—likely in the US.

This requires:

  • A Data Processing Agreement (DPA) with the vendor
  • Compliance review of their security practices
  • Understanding of their sub-processors
  • Assurance they won't use your data for their own purposes

Many session replay vendors use your data for product improvement, anonymized or not. This creates additional compliance complexity.

Real Incidents: When Session Replay Exposed Sensitive Data

Session replay breaches aren't hypothetical. They've happened repeatedly:

Fullstory and Healthcare Data (2021)

A healthcare provider used Fullstory session replay. The tool recorded sessions of patients entering medical information, medication names, and symptoms into online forms, and this health data was stored on Fullstory's servers without explicit HIPAA authorization. The incident was discovered and corrected, but it illustrates the risk.

Hotel Chains Recording Credit Cards (2019)

Several major hotel chains used session replay that inadvertently captured credit card numbers entered into booking forms. While the information was masked in the UI, the underlying data was still recorded. The incident was exposed by security researchers.

Password Reset Pages Recorded (Multiple Incidents)

Session replay tools have repeatedly recorded password reset tokens and temporary credentials from password reset emails. When users click a password reset link, the token is visible in the URL. If session replay captures it, you've stored a credential in the system.

These incidents underscore the core problem: session replay records everything by default. Privacy is an afterthought, not built-in.

The Legal Checklist for Session Replay Compliance

If you decide to use session replay, you need to implement this checklist. Most teams skip half of these steps, creating legal exposure.

Data Classification

  • Identify all sensitive data that might appear in replays (PII, financial, health)
  • Determine which form fields should be masked
  • Document data classification in your Data Inventory

Consent

  • Create specific consent language for session replay (separate from general analytics)
  • Implement consent management—require explicit opt-in before recording
  • Display consent banner on first visit, renewable annually
  • Log proof of consent (timestamp, version of notice)

Data Processing Agreement

  • Review vendor's DPA and security practices
  • Ensure DPA includes data transfer safeguards (SCCs, etc.)
  • Confirm vendor won't use your data for secondary purposes
  • Document vendor's sub-processors

Data Handling

  • Configure field masking for all sensitive inputs
  • Implement URL redaction (remove tokens and sensitive query parameters)
  • Set automatic data retention (delete sessions after 30–90 days)
  • Test redaction to ensure sensitive data is actually masked
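The URL redaction and "test your redaction" items above, as an added example that is not from the original post or any replay vendor's SDK: an allowlist-based redactor that rewrites every non-allowlisted query parameter, drops fragments, and replaces token-like path segments before a URL leaves the browser, plus a check that known sensitive values never survive. The allowlisted parameter names, the token pattern and the sample URLs are assumptions constructed for the example.

```javascript
// Added example: allowlist-based URL redaction applied before a page URL is
// handed to an analytics collector. Anything not explicitly allowed (reset
// tokens, auth codes, email addresses in query strings) is replaced.
const ALLOWED_PARAMS = new Set(['page', 'tab', 'lang']); // assumed safe params

// Path segments that look like opaque tokens (long alphanumeric runs, e.g. /reset/<token>).
const TOKEN_SEGMENT = /^[A-Za-z0-9_-]{20,}$/;

function redactUrl(rawUrl, allowed = ALLOWED_PARAMS) {
  const url = new URL(rawUrl);
  for (const name of [...url.searchParams.keys()]) {
    if (!allowed.has(name)) url.searchParams.set(name, '[redacted]');
  }
  // Fragments often carry implicit-flow access tokens; drop them entirely.
  url.hash = '';
  url.pathname = url.pathname
    .split('/')
    .map((seg) => (TOKEN_SEGMENT.test(seg) ? '[redacted]' : seg))
    .join('/');
  return url.toString();
}

// Redaction test: run a corpus of URLs through the redactor and report every
// known sensitive value that still appears in the output. Expected: empty list.
function findLeaks(urls, sensitiveValues, allowed = ALLOWED_PARAMS) {
  const leaks = [];
  for (const u of urls) {
    const out = redactUrl(u, allowed);
    for (const v of sensitiveValues) {
      if (out.includes(v)) leaks.push({ url: u, value: v });
    }
  }
  return leaks;
}

// Constructed sample URLs and secrets (not real tokens or users).
const SAMPLE_URLS = [
  'https://shop.example/reset?token=abc123SECRET&page=2',
  'https://shop.example/reset/Zm9vYmFyYmF6cXV4cXV1eHF1dXg#access_token=eyJhbGc',
  'https://shop.example/account?email=alice%40example.com&tab=billing',
];
const SAMPLE_SECRETS = ['abc123SECRET', 'Zm9vYmFyYmF6cXV4cXV1eHF1dXg', 'eyJhbGc', 'alice'];
```

Note that an allowlisted parameter name is trusted unconditionally, so a secret sent under an allowed name would still leak; the leak check exists precisely to catch that kind of gap in a real corpus of URLs.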

User Rights

  • Implement data access requests (users can request their recorded sessions)
  • Implement deletion capability (users can request session deletion)
  • Build audit logs (track who accessed which sessions)

Documentation

  • Document your lawful basis for processing (consent)
  • Create a Data Processing Addendum with your vendor
  • Include session replay in your Records of Processing Activity
  • Prepare incident response plan

Cost of Compliance: 40–80 hours of legal and technical time, plus ongoing maintenance. €6,000–15,000 for initial setup, €1,000–2,000 annually for monitoring.

Alternative: Aggregate Heatmaps

Heatmaps give you the core insight of session replay—where users click, scroll, and get stuck—without recording individual sessions or personal data.

How Traditional Heatmaps Work:

Instead of recording individual users, heatmaps aggregate clicks across many users and visualize where interactions concentrate on your page.

A traditional heatmap overlays your page with a color gradient:

  • Red zones = dense click concentration
  • Yellow zones = moderate activity
  • Blue zones = sparse clicks

The heatmap is built from aggregated click data: "The top-left button received 5,000 clicks. The bottom link received 200 clicks." Individual user identity is never recorded.
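The aggregation step described above, as an added example that is not code from the original post or from any heatmap vendor: raw click coordinates are binned into a page grid and only per-cell counts are kept, so no user or session identifier ever reaches storage. The cell size, the minimum-count threshold (cells with very few clicks are dropped so a single visitor cannot be singled out) and the sample events are assumptions constructed for the example.

```javascript
// Added example: build an aggregate click heatmap from raw click events.
// Only "page + grid cell + count" survives; no user id, session id,
// keystroke or form value is ever stored.
const CELL_PX = 50;   // assumed grid cell size in CSS pixels
const MIN_COUNT = 5;  // assumed threshold: drop cells too rare to be a useful statistic

// Events are expected as { page, x, y }. Any other field the collector happens
// to send is ignored here, but the collector should never send identity at all.
function aggregateClicks(events, cellPx = CELL_PX, minCount = MIN_COUNT) {
  const counts = new Map(); // "page|col|row" -> click count
  for (const ev of events) {
    if (typeof ev.page !== 'string' || !Number.isFinite(ev.x) || !Number.isFinite(ev.y)) continue;
    const key = `${ev.page}|${Math.floor(ev.x / cellPx)}|${Math.floor(ev.y / cellPx)}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const cells = [];
  for (const [key, count] of counts) {
    if (count < minCount) continue;
    const [page, col, row] = key.split('|');
    cells.push({ page, col: Number(col), row: Number(row), count });
  }
  return cells.sort((a, b) => b.count - a.count);
}

// Map a cell's count to the red/yellow/blue bands used in the post, relative to the busiest cell.
function colourBand(count, maxCount) {
  const ratio = count / maxCount;
  if (ratio >= 0.66) return 'red';
  if (ratio >= 0.33) return 'yellow';
  return 'blue';
}

// Constructed sample: 12 clicks on a top-left button, 6 on a bottom link,
// 1 stray click (below threshold) and 1 malformed event (skipped).
const SAMPLE_EVENTS = [
  ...Array.from({ length: 12 }, (_, i) => ({ page: '/pricing', x: 20 + i, y: 30 })),
  ...Array.from({ length: 6 }, (_, i) => ({ page: '/pricing', x: 310 + i, y: 980 })),
  { page: '/pricing', x: 500, y: 500 },
  { page: '/pricing', x: 'not-a-number', y: 10 },
];
```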

Heatmap Insights: What You Actually Learn

Session replay lets you watch one user's journey. Heatmaps show you patterns across thousands of users.

Problems Heatmaps Solve:

  • Dead zones - Identify page areas where users never click (wasted real estate)
  • Conversion friction - See where users abandon checkout or signup flows
  • CTA effectiveness - Compare click rates on different call-to-action buttons
  • Navigation patterns - Understand how users navigate your site structure
  • Scroll depth - See what percentage of users reach different page sections
  • Form field focus - Identify form fields that confuse users (high click, low completion)

What You Can't Do (That Session Replay Can):

  • Correlate specific user behavior to conversion outcomes
  • Replay individual user journeys
  • Debug JavaScript errors for specific users
  • See exact timing and sequence of interactions

For 90% of UX questions—"Why don't users click this button?" "Where should we move this form field?"—heatmaps provide clear answers without legal liability.

How to Implement Heatmaps Safely

Privacy-first heatmap implementation requires minimal overhead:

1. Choose a GDPR-Compliant Tool

Select a heatmap provider that explicitly supports GDPR compliance:

  • No personal data collection by design
  • No user session recording
  • No third-party cookies
  • Transparent data handling

2. No Consent Required (In Most Cases)

Since heatmaps don't record personal data, they're often classified as:

  • Non-personal aggregate analytics (under GDPR Article 4)
  • Not requiring affirmative consent (only privacy policy notice)

Verify with your legal team, but most heatmap tools don't need a consent banner. This alone is a massive simplification compared to session replay.

3. Minimal Configuration

Configure heatmaps to exclude sensitive elements:

  • Set certain page areas as off-limits (payment forms, login pages)
  • Mask form field input
  • Redact URLs with sensitive parameters

4. Data Retention

Set automatic deletion policies:

  • Retain aggregated heatmap data for 6–12 months
  • Delete underlying event-level data after 30 days
  • Run monthly data purges

Sample Configuration:

{
  "tracking_enabled": true,
  "consent_required": false,
  "data_collection": "aggregate_only",
  "personal_data_collected": false,
  "retention_days": 30,
  "masked_elements": [
    "[name='credit-card']",
    "[name='ssn']",
    "[name='password']",
    "input[type='password']",
    ".pci-sensitive"
  ],
  "redact_urls": true,
  "auto_delete_enabled": true
}

Comparison: Session Replay vs. Aggregate Heatmaps

| Factor | Session Replay | Aggregate Heatmaps |
|---|---|---|
| Personal Data Collected | Yes (keystrokes, form entries) | No |
| GDPR Consent Required | Yes, explicit and specific | No (in most cases) |
| Legal Liability | High (GDPR/CCPA risk, incident liability) | Low (no personal data to breach) |
| Data Retention Complexity | Complex (manage user sessions, deletion requests) | Simple (aggregate data only) |
| Implementation Time | 2–3 weeks + compliance review | 1–2 days |
| Setup Cost | $5K–15K (legal + technical) | $500–2K |
| Ongoing Compliance | $2K–5K annually | Minimal |
| Individual Session Playback | Yes | No |
| Aggregate Insights | Yes, plus individual detail | Yes, pure aggregate data |
| Privacy-First | No (risky by default) | Yes (built-in privacy) |
| Data Ownership | Vendor-dependent | Clear ownership of aggregate stats |

When You Still Need Session Replay (And How to Do It Right)

There are rare cases where session replay is justified—debugging a specific user's issue, or understanding a complex conversion flow.

If you must use session replay:

1. Make It Optional and Targeted

  • Don't record all users, all the time
  • Record only specific user cohorts (e.g., opted-in testers)
  • Record only specific pages (checkout flow, not the entire site)

2. Get Explicit Consent

  • Show a popup asking permission to record this session
  • Make clear what will be recorded
  • Allow users to withdraw consent mid-session

3. Implement Masking

  • Mask all form field inputs by default
  • Redact URLs with tokens or sensitive parameters
  • Test masking before enabling

4. Limit Retention

  • Auto-delete recorded sessions after 7 days
  • Allow users to request deletion immediately
  • Maintain deletion logs

5. Restrict Access

  • Limit session access to specific roles (product/UX team only)
  • Audit who views which sessions
  • Log all access for compliance records

6. Use Privacy-First Vendors

  • Choose vendors with explicit GDPR commitments
  • Review their DPA and security practices
  • Avoid vendors that use your data for secondary purposes

FAQ: Session Replay and Privacy

Is session replay ever fully GDPR-compliant?

Technically yes, but with significant overhead. You need explicit consent, strict data handling, proper retention, and continuous compliance monitoring. The effort and cost make it infeasible for many teams. Heatmaps provide similar insights with none of the complexity.

What if I mask sensitive form fields?

Masking helps, but doesn't eliminate all risk. URLs can still contain sensitive parameters (auth tokens, reset codes). Browser console errors might reference sensitive data. Users might type sensitive information into non-form elements. Even with masking, you're storing recordings that could be misused if accessed.

Can I use anonymized session replay?

Anonymization is harder than it sounds. If you can link a session back to a user (which you typically can, for debugging), it's not truly anonymized—it's pseudonymized. And pseudonymized data still requires consent under GDPR.

What about Clarity (Microsoft's free session replay)?

Clarity is free, but it still records personal data and requires consent if you're serving EU users. The zero price tag doesn't eliminate compliance obligations. Free doesn't mean risk-free.

Is heatmap data ever considered personal data?

No. Pure aggregate heatmap data—"5,000 users clicked this button"—is statistical data, not personal data. You're not recording individual users or their identities. This is why heatmaps don't require consent. (But verify with your legal team based on your specific implementation.)

Can I switch from session replay to heatmaps?

Yes. Heatmaps answer most of the same questions: where users click, where they get stuck, conversion friction points. You lose the ability to replay specific user sessions, but gain simplicity, speed, and legal safety. For most teams, it's a straightforward trade-off.

The Bottom Line

Session replay is powerful, but it comes with serious compliance obligations. Recording keystrokes, form entries, and user behavior is inherently risky under privacy laws.

Aggregate heatmaps deliver the core insight—where users interact with your site—without the liability. They're faster to implement, cost less, and don't require complex consent management.

If you're currently using session replay without explicit GDPR compliance procedures, audit your setup with a lawyer. If you're considering session replay, ask yourself: "Can heatmaps answer the same question?" The answer is usually yes.


Simplify your analytics compliance. Explore heatmaps built for privacy from the ground up, with no session recording and no consent overhead. Learn more about Statalog heatmaps →