Session replay β playing back a visitor's journey like a film β is the most vivid tool in the analytics toolbox. It is also the one that raises the most GDPR questions, rightly so: badly configured, it can record passwords, card numbers or health information. Here is how to use it lawfully.
Quick Answer: is session replay legal?
Yes, under three conditions:
- Masking at collection β no form input may be transmitted in clear text; masking happens in the browser, before sending.
- Anonymisation β IP truncated at collection, no persistent identifier following the visitor across sessions.
- EU hosting β recordings must not land on servers subject to the US Cloud Act.
A tool meeting all three and setting no consent-requiring tracker can run without a banner, in the same frame as consent-exempt audience measurement. A tool that doesn't requires consent β and will only see the sessions of the 50β70% of visitors who accept.
Note: France's CNIL opened a consultation in 2025, then published a draft recommendation dedicated to session replay in early 2026 β the framework is tightening, along the lines above.

What GDPR says about session recording
The GDPR never mentions session replay by name. Three questions determine whether a recording is compliant:
- Is personal data collected? Form inputs, IP addresses, identifiers β if so, the GDPR applies in full: legal basis, transparency, minimisation.
- Are consent-requiring trackers set? Identification cookies, fingerprinting: that is ePrivacy territory (PECR in the UK, article 82 of the French Data Protection Act).
- Is the purpose legitimate and proportionate? Understanding journey friction is; profiling individuals is not.
The topic is now explicitly on regulators' desks: France's CNIL β Europe's most vocal authority on trackers β opened a consultation on session recording and replay tools in April 2025, followed in early 2026 by a draft recommendation dedicated to session replay. Its direction confirms the reading above: these tools rely on trackers, consent applies by default, and any exemption presupposes robust anonymisation, systematic input masking and a purpose strictly limited to improving the service. In other words: the requirements described in this guide are becoming the expected standard.
Regulators' positions on consent-exempt audience measurement remain the reference for the tracker side: anonymisation, no cross-referencing, limited purpose.
The three classic risks (and how to neutralise them)
1. Capturing sensitive inputs
Risk number one. A naive replay records everything the user types β passwords and card numbers included. The countermeasure is masking at collection: input fields are replaced with generic characters in the browser, before anything is transmitted. What is never collected can neither leak nor be requested.
Check with your vendor: is input masking on by default (not an opt-in box)? Can whole page areas be masked (amounts, displayed medical data)?
2. Indirectly identifying the visitor
Even without forms, a session can identify someone: full IP + journey + timing is sometimes enough. Countermeasures: IP anonymisation at collection, no persistent cross-session identifier, no matching with a CRM.
3. Transfers outside the EU
Many popular replay tools are American: recordings β potentially personal data β end up on servers subject to the Cloud Act. The problem is the same as with Google Analytics: the current EU-US framework is legally fragile. EU hosting eliminates the question.
Consent or not: the deciding factor
Two architectures exist on the market:
| Architecture | Consent | Consequence |
|---|---|---|
| Replay with cookies/identifiers, data in clear text | Required | You lose the sessions of the 30β50% of visitors who refuse β often the ones you need most (the frustrated ones who leave fast) |
| Replay anonymised by design: masking at collection, no consent-requiring tracker | Not required | 100% of sessions observable, within the same frame as exempt audience measurement |
This point is routinely missed: consent-gated replay suffers a massive selection bias. Visitors who refuse banners and visitors who abandon your funnel overlap heavily. You only record the sessions of the already convinced.
Market overview: three families of tools
Your tool choice determines your legal position before any configuration:
| Family | Typical examples | GDPR position |
|---|---|---|
| Full American suites | Hotjar, FullStory, LogRocket | Consent required (cookies + personal data), transfers outside the EU to audit case by case |
| Free tools from the giants | Microsoft Clarity | Free, but data on US infrastructure and purposes crossed with an advertising ecosystem |
| Privacy-first European tools | Mirage and a few EU vendors | Masking and anonymisation by design, EU hosting, usable without consent |
The giants' "free" follows the same logic as Google Analytics: you pay in data. For a European site, the third family removes the legal file instead of documenting it.
Case study: the form that lost 60% of its visitors
A scenario we see regularly β here a four-field quote request form:
- The funnel shows 60% abandonment between arriving on the form and submitting β abnormal for four fields.
- Ten replays reveal the pattern: at the "company registration number" field, visitors leave the page⦠to look up their number. Half never return.
- The fix: make the field optional and move it to a post-submission screen. Validated by A/B test: β34% abandonment.
Note what the replay never needed to know: who these visitors were, or what they typed. Behaviour alone β masked, anonymous β contained the whole diagnosis.
How many sessions should you watch?
Replay is not consumed as a feed: it is used as a targeted investigation. The frugal method:
- Always start from an aggregated signal (a leaking funnel step, an anomalous heatmap zone, a high-bounce page) β never from the raw session stream.
- Watch 5 to 10 sessions from the affected segment. If a pattern exists, it almost always shows within the first five; past ten with no pattern, the hypothesis is probably wrong.
- Filter by behaviour: sessions with form abandonment, long sessions without conversion, mobile-only. Ten relevant sessions beat a hundred random ones.
This is also why the tight quotas of per-recording-billed tools (150 sessions/month on some plans) hurt so much: investigation needs the right segment, not a random sample.
In practice with Mirage β Session replay applies masking at collection by default: no input is ever transmitted in clear text, IPs are anonymised, no third-party cookie is set, and recordings stay in France (Scaleway). You see 100% of journeys, including those of visitors who would have refused a banner. Free 30-day trial.
Session replay compliance checklist
- Default masking of all input fields, browser-side
- Ability to exclude displayed elements (amounts, sensitive data)
- IP anonymised at collection, no persistent identifier
- EU hosting, no transfers outside the EU
- Purpose documented in your record of processing: UX improvement
- Limited, justified retention (weeks to a few months)
- Mentioned in your privacy policy
- No replay β identity matching (CRM, support) without a dedicated legal basis
What compliant replay still teaches you
Masking takes nothing away from the practical value. The questions replay answers are behavioural:
- Where do visitors hesitate? Back-and-forths, long pauses, erratic scrolling.
- Which elements attract dead clicks? Those images everyone believes are clickable.
- Where do forms lose people? The exact field where the session stops β without seeing the input, you see the abandonment.
- What do converting sessions do that others don't? Crossed with your conversion funnels, this is the foundation of CRO.
Pair it with heatmaps for the aggregated view: replay explains the individual, the heatmap confirms the collective.
FAQ
Does session replay require consent?
It depends on how the tool is built. If recording relies on cookies or persistent identifiers, or captures personal data, consent is required under ePrivacy rules. A tool that anonymises at collection, masks sensitive fields and sets no consent-requiring tracker can operate without a banner, like consent-exempt audience measurement.
Can form inputs be recorded?
Never in plain text. Best practice is default masking of every input field (email, password, card number, free text) in the browser, before anything is sent to a server. What is never collected can never leak.
Is session replay still useful when data is masked?
Yes. Replay's value is behavioural: journeys, hesitations, dead clicks, form abandonment. Those signals stay perfectly readable with masked content β you see that a field blocks the user without seeing what they typed.
What is the difference between session replay and a heatmap?
Replay plays back one individual session from start to finish; a heatmap aggregates clicks and scrolling from hundreds of sessions on one page. Replay answers "what happened to this visitor?", the heatmap answers "what does the majority do on this page?". They complement each other.