Session Replay
What is Session Replay?
Session Replay: A UX-analytics technique that records the DOM, clicks, scrolls, and keystrokes of a real user session so it can be replayed and analysed later.
Session replay tools instrument a website to capture user interactions — mouse movements, clicks, scrolls, form inputs, and DOM mutations — and reconstruct a full playback of the visit. Vendors such as FullStory, Hotjar, LogRocket, and Microsoft Clarity offer it to diagnose bugs and study UX. The same capability can leak personal data: poorly masked recordings may include passwords, payment details, health data, or session tokens, which is why GDPR, ePrivacy, CCPA, and HIPAA classify it as high-risk processing requiring consent and masking. Defences include strict allow-listing of fields, server-side scrubbing, redaction of all input fields by default, consent management, and contractual data-protection terms with the vendor.
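The "redaction of all input fields by default" and "allow-listing of fields" defences, as an added example (not code from any of the vendors named above): a deny-by-default scrubber run over a constructed capture of a checkout form. The event shape, the field names, and the Luhn and token heuristics are assumptions, not a real SDK's format.

```javascript
const MASK = "***";

// Luhn check: flags card-number-like values even inside allow-listed fields.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Heuristic for session tokens / API keys: one long opaque base64url-like run.
function looksLikeToken(value) {
  return /^[A-Za-z0-9_\-.]{32,}$/.test(String(value));
}

// Scrub one captured event. Input values are masked unless the field is
// allow-listed, and even allow-listed values are masked when they look like a
// card number or a token. Non-input events (click, scroll) carry no values.
function scrubEvent(event, allowList) {
  if (event.type !== "input") return { ...event };
  let reason = null;
  if (!allowList.has(event.field)) reason = "not-allow-listed";
  else if (looksLikeCardNumber(event.value)) reason = "card-number";
  else if (looksLikeToken(event.value)) reason = "token";
  return reason ? { ...event, value: MASK, maskedReason: reason } : { ...event };
}

function scrubEvents(events, allowList) {
  const out = events.map((e) => scrubEvent(e, allowList));
  return { events: out, maskedCount: out.filter((e) => e.maskedReason).length };
}

// Constructed sample capture of a hypothetical checkout form, not a real recording.
const SAMPLE_EVENTS = [
  { type: "click", target: "#pay-button" },
  { type: "input", field: "country", value: "DE" },
  { type: "input", field: "card_number", value: "4111 1111 1111 1111" },
  { type: "input", field: "password", value: "hunter2" },
  { type: "input", field: "promo_code", value: "4111111111111111" }, // PAN typed into the wrong field
];
const CHECKOUT_ALLOW_LIST = new Set(["country", "promo_code"]);

const result = scrubEvents(SAMPLE_EVENTS, CHECKOUT_ALLOW_LIST);
console.log(result.maskedCount, "of", SAMPLE_EVENTS.length, "events masked", result.events);
```

Run with `node`; three of the five events come back masked, including the card number typed into the allow-listed promo field.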
● Examples
- 01: FullStory replay showing the exact form values a user typed during a checkout error.
- 02: A misconfigured Hotjar tag accidentally capturing credit-card numbers from an unmasked input.
● Frequently asked questions
What is Session Replay?
A UX-analytics technique that records the DOM, clicks, scrolls, and keystrokes of a real user session so it can be replayed and analysed later. It belongs to the Identity & Access category of cybersecurity.
What does Session Replay mean?
A UX-analytics technique that records the DOM, clicks, scrolls, and keystrokes of a real user session so it can be replayed and analysed later.
How does Session Replay work?
Session replay tools instrument a website to capture user interactions — mouse movements, clicks, scrolls, form inputs, and DOM mutations — and reconstruct a full playback of the visit. Vendors such as FullStory, Hotjar, LogRocket, and Microsoft Clarity offer it to diagnose bugs and study UX. The same capability can leak personal data: poorly masked recordings may include passwords, payment details, health data, or session tokens, which is why GDPR, ePrivacy, CCPA, and HIPAA classify it as high-risk processing requiring consent and masking. Defences include strict allow-listing of fields, server-side scrubbing, redaction of all input fields by default, consent management, and contractual data-protection terms with the vendor.
How do you defend against Session Replay?
Defences for Session Replay combine technical controls (redaction of all input fields by default, strict allow-listing of fields, server-side scrubbing) with operational practices (consent management and contractual data-protection terms with the vendor), as detailed in the full definition above.
What are other names for Session Replay?
Common alternative names include: Session recording, User session replay.
● Related terms
- Cross-Site Tracking (privacy, № 241): The practice of linking a user's activity across multiple unrelated websites to build a long-lived behavioural profile.
- Tracking Pixel (privacy, № 1166): A tiny, often 1x1 transparent image or beacon embedded in a web page or email to silently record opens, visits, and other user events.
- GDPR (compliance, № 440): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- Data Minimization (privacy, № 280): A privacy principle requiring organizations to collect, process, and retain only the personal data that is strictly necessary for a defined, lawful purpose.