Session Replay and Heatmap Tools: The 2026 Cookie Consent and Wiretap Liability Guide
If one category of tracking technology has generated more regulatory headlines and class-action filings than any other in the last three years, it is session replay. Tools like Hotjar, Microsoft Clarity, FullStory, Mouseflow, LogRocket, Smartlook, and a long tail of competitors record every mouse move, scroll, click, and keystroke on your site — then play it back for product and UX teams. They also, very often, silently capture form inputs, record authenticated screens, and replay what amounts to a live video of the visitor's session. US state wiretap statutes treat that as unauthorized interception unless you collect consent the right way. European privacy regulators treat it as processing of personal data that usually requires opt-in consent. This guide explains the risk model, the consent architecture that actually works, and the exact configuration settings you should verify on every major session replay platform before any of it runs in production.
Why Session Replay Is Uniquely Risky
Most tracking technologies capture aggregated or coarse-grained signals. Session replay captures an almost verbatim reconstruction of individual user behavior, including input values, cursor movement, scroll progress, and page-level DOM state. That raises the legal stakes in several specific ways.
US State Wiretap Laws
Several US states — notably California, Florida, Pennsylvania, Massachusetts, and Illinois — have two-party consent wiretap statutes that plaintiffs' firms have aggressively applied to session replay. The theory: if your site records a visitor's interaction session without affirmative consent, and a third-party vendor processes that recording, the vendor has intercepted the communication between the user and the publisher. The California Invasion of Privacy Act (CIPA) has been the most productive statute for plaintiffs in 2024 and 2025, with settlements ranging from the low six figures to tens of millions across the larger targets.
GDPR and ePrivacy
Under European law, session replay is almost always a processing activity that requires opt-in consent. The recordings regularly contain personal data: IP addresses, typed input, cursor paths that can reveal health or financial concerns, and metadata that joins to a first-party account identifier. The UK ICO, the Italian Garante, and France's CNIL have all issued guidance that session replay requires prior opt-in, and the Norwegian Datatilsynet fined a large publisher in 2023 specifically for running Hotjar without a consent mechanism.
Sensitive Data Leakage
Session replay tools, by default, capture everything the user types or interacts with — including passwords, credit card numbers, social security numbers, medical details, and any copy-pasted sensitive content. Vendors offer redaction features, but those features are off by default or require explicit opt-in configuration. A misconfigured replay integration can silently ship PHI or PCI data to a third-party processor, triggering HIPAA, PCI DSS, and GDPR special-category violations simultaneously.
The Consent Architecture You Actually Need
A defensible 2026 session replay deployment has three stacked controls: prior consent, privacy-preserving recording configuration, and downstream data minimization.
Layer 1 — Prior Consent Before Any Recording
For EU, UK, and EEA traffic, the replay vendor must not be initialized before affirmative consent. That means the initialization script should be loaded inside a CMP-gated slot, keyed to a purpose such as IAB TCF Purpose 8 (Measure content performance) or Purpose 10 (Develop and improve products), depending on your purpose breakdown. For US traffic in two-party consent states, the same gating logic applies — the script should only initialize when the user has affirmatively consented, ideally through the same CMP flow, with an explicit disclosure that the page records the user's session for UX analysis.
Layer 2 — Suppress Rather Than Capture by Default
Every modern session replay vendor supports DOM-level suppression. The approach you want is deny by default, allow by annotation — mask every text input and every element unless you have explicitly marked it as safe. The specific attribute names differ by vendor (data-hj-suppress for Hotjar, data-clarity-mask for Clarity, data-fs-privacy="mask" for FullStory), but the pattern is identical. Form fields, account areas, payment UI, and any place where sensitive data could appear must be covered.
Layer 3 — IP Anonymization and Retention
Every major replay vendor supports IP anonymization, a configurable retention window, and geographic data residency options. Set the retention to the shortest period that supports your UX workflow, typically 30 to 90 days, and turn on IP anonymization if the vendor supports it. For EU traffic, pick an EU data residency option where offered.
Vendor-Specific Configuration
Different replay platforms have different default postures. The ones below are the most common in 2026 deployments, with the settings that change the compliance picture materially.
Hotjar
Hotjar ships with text suppression disabled by default in most integrations. Enable the site-wide Suppress text content setting, then use the data-hj-allow attribute to whitelist specific elements you want captured. Turn on IP anonymization in the site settings. Enable Consent Mode and wire it to your CMP so recording only starts after explicit consent for analytics. Hotjar supports Google Consent Mode v2 integration natively.
Microsoft Clarity
Clarity is free, which is why many small publishers reach for it without a proper compliance review. By default, Clarity masks passwords and credit-card-like fields, but not much else. Configure data-clarity-mask on all personal data fields. Enable Mask All Text in the project settings when possible. Clarity's EU data residency option is in the Clarity project settings — turn it on if you serve EU traffic. Use the clarity('consent') JavaScript API to gate replay recording through your CMP.
FullStory
FullStory has the most granular privacy configuration of the major vendors. Use Excluded Elements, Excluded Pages, Element Blocking, and the data-fs-privacy="mask" attribute in combination. FullStory's Private by Default setting should be enabled for EU traffic. Wire the FS.consent() API call to your CMP's consent state.
Mouseflow, LogRocket, Smartlook
The smaller vendors generally offer similar controls under different naming. The consistent pattern: disable default capture, whitelist what you need, turn on IP anonymization, configure retention, and never initialize the SDK before consent. Do not assume any vendor is compliant by default — they are built for product teams, not privacy teams.
What About the Google Consent Mode Question?
Google Consent Mode v2 maps to session replay indirectly. The closest signals are analytics_storage and, if the replay is used for ads optimization, ad_user_data. When analytics_storage is denied, replay recording should be suppressed or, at minimum, reduced to a statistically sampled, aggregated mode if the vendor offers one. Most session replay vendors have not yet built full Consent Mode v2 integration, so a correctly wired CMP is still doing most of the work.
Common Failures Attracting Class Actions
- Replay runs before the banner appears — the script fires on page load, captures the first few seconds, and only stops after the CMP resolves. This is the single most common violation, and CIPA plaintiffs have built dozens of cases around it
- Default text capture is on — the replay sends back form-field values, search queries, and chat messages unredacted
- No consent for authenticated users — a user logs in, and replay continues silently even though the user never affirmed analytics consent
- No disclosure in the privacy policy — the replay vendor is not named, the purpose of processing is not explained, and no opt-out path is documented
- GPC is ignored — a Global Privacy Control signal should suppress replay for US residents of opt-out states, but most default integrations do not honor it
- Retention exceeds documented purpose — a vendor default of 12 months is left in place when the UX team only needs 30 days, widening the breach exposure with no benefit
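The gating logic from Layer 1 and the Consent Mode section, together with the first, third and fifth failures above, as an added JavaScript example that is not code from the article or from any vendor SDK. The `consent` and `signals` field names, the `privacyOptions` keys, and the treatment of non-two-party US states are assumptions; the vendor's own init (the call you would wire to FS.consent() or clarity('consent')) is passed in as a callback so the gate stays vendor-neutral.

```javascript
// Added example: a vendor-neutral consent gate for a session replay SDK.
// Not code from the article or from Hotjar/Clarity/FullStory. The vendor's
// own init call is passed in as a callback; field names on `consent` and
// `signals` are assumptions chosen for this example.
const REPLAY_TCF_PURPOSES = [8, 10]; // TCF purposes the article maps to replay
const TWO_PARTY_STATES = new Set(["CA", "FL", "PA", "MA", "IL"]); // as named in the article

// Pure decision: given a resolved CMP state and browser signals, may we record?
function replayDecision(consent, signals = {}) {
  // Global Privacy Control is an opt-out and wins over any banner choice.
  if (signals.gpc === true) return { record: false, reason: "gpc" };
  // Consent Mode v2: denied analytics_storage suppresses replay everywhere.
  if (consent.analyticsStorage === "denied") {
    return { record: false, reason: "analytics_storage_denied" };
  }
  if (consent.region === "EEA" || consent.region === "UK") {
    const purposes = consent.tcfPurposes || [];
    const ok = REPLAY_TCF_PURPOSES.some((p) => purposes.includes(p));
    return ok ? { record: true, reason: "tcf_purpose" } : { record: false, reason: "no_tcf_purpose" };
  }
  if (consent.region === "US") {
    if (consent.stateOptOut === true) return { record: false, reason: "state_opt_out" };
    // Two-party-consent states need affirmative consent, not mere notice.
    if (TWO_PARTY_STATES.has(consent.state) && consent.affirmative !== true) {
      return { record: false, reason: "two_party_state_no_consent" };
    }
    return { record: true, reason: "us_allowed" }; // assumption: opt-out model elsewhere
  }
  return { record: false, reason: "unknown_region" }; // deny by default
}

// Wraps the vendor init so it runs at most once and never before the CMP resolves.
function createReplayGate(initVendor) {
  let started = false;
  // Placeholder option names; map them onto the real vendor settings.
  const privacyOptions = { maskAllText: true, anonymizeIp: true };
  return {
    // Call from the CMP's consent-resolved callback, and again after login so
    // authenticated sessions inherit the same gating as anonymous ones.
    onConsentResolved(consent, signals) {
      const decision = replayDecision(consent, signals);
      if (decision.record && !started) {
        started = true;
        initVendor(privacyOptions);
      }
      return { ...decision, started };
    },
    isStarted: () => started,
  };
}
```

Because the vendor script is only requested from inside `initVendor`, the "replay runs before the banner appears" failure cannot occur: nothing loads until `onConsentResolved` returns `record: true`.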
Sensitive Vertical Considerations
Some industries face categorical risk with session replay that cannot be fully mitigated through configuration.
Healthcare
Under HIPAA, running session replay on any page that could display protected health information requires a Business Associate Agreement with the vendor, explicit authorization from the user, and strict data minimization. Most publishers treat this category as off-limits for standard session replay entirely.
Finance
Banks, insurers, and fintech platforms face both PCI DSS exposure on payment pages and heightened FTC attention on consumer finance tracking. Session replay should be excluded from any authenticated money-movement page.
Children's Content
COPPA requires verifiable parental consent for any tracking of users under 13. Session replay on a children's site without that consent is a categorical COPPA violation.
Audit Checklist for 2026
- Replay SDK is gated behind an affirmative-consent CMP signal; initialization is deferred until after consent is recorded
- Text masking is enabled globally, with whitelisted elements only
- Form inputs, payment fields, authenticated account areas, and chat widgets are fully excluded
- IP anonymization is enabled at the vendor level
- Retention is set to the minimum period that supports the UX need
- EU data residency option is enabled for EU traffic where the vendor supports it
- The vendor is named in the privacy policy with lawful basis, purpose, and retention stated
- A Data Processing Agreement is signed and filed, with Schrems II transfer assessment where applicable
- GPC and applicable US state opt-outs suppress replay initialization
- Authenticated sessions inherit the same consent gating as anonymous sessions
- Sensitive vertical pages (health, finance, children's content) are categorically excluded from capture
The Pragmatic 2026 Posture
Session replay gives UX teams an unusually clear view of how users actually experience a site, and it is not a tool anyone wants to give up. The answer is not to remove it. The answer is to build consent, masking, and retention into the deployment from day one, and to document the configuration so that a regulator or plaintiff's counsel cannot later characterize the use as covert interception. Publishers who treat session replay as a regular UX tool without the compliance plumbing will continue to feed the class-action pipeline through 2026. Publishers who invest in the plumbing will keep the benefits of the tool with a defensible legal posture to match.