Protecting user privacy when using Session Replay
If you're in the business of building digital experiences, you probably know that there has been a spate of litigation around Session Replay. As a Session Replay vendor, we have been paying close attention to this litigation, and we think it’s important that you understand what’s happening and our respective roles in protecting user privacy while also getting the insights you need to delight your customers.
Before we dive in, I’d like to make it clear that I am not an attorney and the following is not legal advice – rather, it’s advice from one product leader to many others on how to be thoughtful about user privacy preferences while also understanding your customer journey so you can make those experiences more seamless and delightful. It is also worth noting that the legal landscape is rapidly evolving, and the thoughts in this document reflect our understanding of that landscape as of June 2023.
What’s going on with Session Replay tools and lawsuits?
Recent litigation against session replay providers stems from allegations that these technologies are effectively engaged in "wiretapping." Session replay software creates a “watchable” reconstruction of users' activities on a website, including mouse movements, keystrokes, and clicks, enabling businesses to improve user experience, analyze user interactions, and diagnose issues.
Plaintiffs in these cases argue that such practices violate privacy rights because they may record these behaviors without explicit user consent and potentially capture sensitive information such as names, addresses, and other personally identifiable information (PII).
When originally written, "wiretapping" meant someone physically connecting to (“tapping into”) a phone wire and listening to other people's phone calls without them knowing. In this context, end users are likening the recording of their activities on a business’s website or mobile app as analogous to “wiretapping” their digital communication with the business without the end user’s consent.
This discussion has ramped up in recent months because some states have changed their policy around consent to be “two party states” (sometimes also called “active consent”) – that is, both the business and the end user must consent before any tracking can occur (i.e., consumer consent can be a defense to wiretapping claims). Businesses that are using analytics tools have control over whether they load these tools on their websites, but usually, they need to make user interface updates to make end-user consent more visible and explicit.
What you can do to benefit from analytics
As a business, you don’t need to choose between understanding your customer journey and protecting your end users’ privacy – you can have both. Here are some practices we’ve seen customers use to do this:
1. Configure your session replay tool to mask sensitive or personally identifying information. Session replay tools typically include settings to control where data is captured and what data is captured. For example, Heap includes the ability to block or allow session replay capture on specific pages, block/allow text capture for specific elements on a page, or “mask” all text (see picture), which replaces that text with asterisks before it leaves the end user’s device (this builds extra trust because it’s verifiable by end users). It’s important when setting up a session replay tool to make a plan for what information to mask, and make sure you test your session replay settings in a development environment before rolling out any changes to production.
2. Show a disclosure in your privacy policy regarding the use of cookies, analytics, and session replay. As examples, we have seen privacy policies do some or all of the following:
Specify the types of event or session information session replay technology collects, like page views, how much time is spent on a page, clicks, mouse movements, text entered, etc.
Are detailed enough so that users are sufficiently informed about how session replay technology works to provide consent.
Transparently disclose the purposes for which session replay technology is being used on the site. While these can vary among companies, they often include uses like analytics, personalization, and improvement of user experiences.
Tell users that session data may be shared with third parties. In regards to session replay vendors, if you execute appropriate data processing terms, the policy can also state that the session data is only used at your direction and for your purposes.
3. Show a clearly visible persistent opt-in banner, splash page, or pop-up to notify individuals about your use of cookies, analytics, and session replay. This helps your end-users get immediately notified about session replay or other analytics tools when they land on your site. It also potentially enables you to collect users’ affirmative, express consent, and/or let users manage their privacy preferences. The banner can also provide links to privacy policies with further disclosures about session replay so users can learn more before using your website.
4. Offer users a way to provide privacy preferences, including for session replay technology like Heap. For example, if you use a cookie or tag manager, you may be able to give your users controls to opt-in or opt-out of the analytics tool loading and collecting user data. Special shout out to OneTrust, who does a great job of creating a consent interface that provides clear, granular controls for end users to customize their privacy preferences without leaving the business’s website.
As a leader in digital experience analytics and providers of both product analytics and session replay, Heap is committed to making sure that our customers can deeply understand and improve their customer journey and feel safe about protecting end user privacy while doing so.
The law here is evolving but affirmative consent and utilizing data privacy tools are best practices. We hope these tips can help you as builders of digital businesses better understand the protections in place for end users and use tools like session replay to confidently iterate on and improve your digital journeys. As a reminder, please consult with your own legal counsel to ensure compliance with applicable laws.