Session replay — recording clicks, scrolls, keystrokes and screen state to reconstruct a user’s session — has moved from a growth-team convenience to a regulatory focus point. France’s CNIL is consulting on a draft recommendation that would set binding requirements for session replay tools: mandatory prior consent before recording starts, a structured masking and sampling framework for sensitive fields, defined retention limits, and the ability to delete an individual user’s recorded sessions on request. In the US, session replay is increasingly being litigated under wiretapping-style statutes, with the argument that recording clicks and keystrokes without clear disclosure is a form of interception.
The gap most teams have isn’t whether they use session replay — it’s whether they can prove, on demand, that consent was obtained before recording started, that sensitive fields were actually masked rather than assumed to be masked, and that a deletion request can be fulfilled for one specific user’s sessions without a manual data-hunt. Session replay tools ship with masking and consent features, but a feature existing in the product and a feature being correctly configured on your actual pages are two different things, and the second one only gets tested when a regulator or a user asks.
Data Points to Track
- Consent-to-recording lag: the time between a user’s session starting and consent being granted, to confirm recording genuinely doesn’t begin before consent, not just that a consent banner rendered
- Masked-field coverage: an audit list of every input field flagged as sensitive (payment details, passwords, health or personal data specific to your product) cross-checked against what the replay tool is actually masking, re-verified after every frontend change
- Recording opt-out rate: the share of sessions where a user actively declines replay recording, tracked over time and by region, since opt-out rates inform both compliance posture and how representative your replay sample actually is
- Retention age of stored recordings: how long individual session recordings persist against your configured retention policy, flagged when recordings exceed the declared limit
- Deletion request fulfilment time: from request received to confirmed removal of all recordings tied to that user, across every storage location the replay tool writes to
Setup Steps
- Verify recording start time against consent timestamp in a live test, not just a configuration review — load the page as a user who hasn’t consented and confirm no session data is being captured or transmitted.
- Build and maintain a sensitive-field inventory across every form and screen in the product, and re-audit it whenever a new field is added, since new inputs default to unmasked unless someone explicitly flags them.
- Configure retention limits directly in the replay tool rather than relying on a policy document alone, and set an automated check that flags any recording older than the declared limit.
- Build a deletion-request runbook that covers every system storing replay data (the vendor’s platform, any data warehouse exports, backups), and time-test it end to end before you need it under a real request.
- Segment your analytics to flag replay-derived data separately from other behavioural data sources, so a future audit or DSAR doesn’t require reverse-engineering which insights came from recorded sessions.
Actionable Insights
Consent-to-recording lag is the single number worth watching most closely — any recording captured before consent is granted is the exact failure mode regulators are targeting, and it’s usually a configuration bug rather than a deliberate choice. Masked-field coverage should be treated as a living checklist tied to your release process, not a one-time setup task, because the most common real-world failure is a new form field shipping without being added to the masking rules. Teams that can answer “show me everything you have on this specific user’s recorded sessions, and prove it’s now deleted” quickly are the ones treating replay data with the same rigour as any other personal data store — everyone else is exposed the first time someone actually asks.
Related Resources
Need help tracking this in your app?
Our team sets up analytics pipelines for mobile and web teams every day. Talk to us and get your first events flowing in under an hour.
Talk to an expert