Session Replay Technology: A Data Protection Landmine
DISCLAIMER: same as on other blog posts. This isn't legal advice. This isn't even advice...
Session replay data is information about how you browse on a given website. It could include scrolling, touching, mouse movements, clicks, and anything you type. This includes what you type into a form, even if you don’t ever click “submit”. There are a number of third-party web-analytics providers who record session replay data – collecting data on every keystroke, cursor movement, and other minute interactions between users and websites using session replay scripts. These web-session recordings have in the past happened surreptitiously, with minimal if any disclosure to users, and likely no agreement from the users.
In 2017, researchers at Princeton University surveyed installations of seven of the most popular session-replay script providers across the 50,000 most-visited websites. They found that 482 of those sites (roughly 1%) loaded one or more of the seven scripts. Since only seven providers were examined, the true number of sites running session replay is likely higher, but the figure gives an idea of how prevalent the practice is.
Session replay scripts are often intended to serve broadly legitimate purposes: for example, learning how users engage with a site so that its user interface and user experience can be improved, and in particular identifying confusing parts of a webpage. But these scripts also have profound data privacy and security implications. The tools do not discriminate between the kinds of data they collect, so in the absence of adequate safeguards they can expose a user's sensitive data, including login credentials, credit card numbers, and health information. They record input even if it is deleted before it is submitted; merely typing the text is enough for those keystrokes to be captured and sent to the provider. And, most importantly, they generally collect this data without the data subject's knowledge, agreement or reasonable expectation.
In many cases, session replay scripts are deliberately used to collect evidence of site visits for accountability purposes, to demonstrate what a site user read, saw, clicked, and completed. They can record and play back individual browsing sessions that are often tied to a given user or member who is logged in or otherwise identified, including through online identifiers such as cookies and IP addresses, which removes any anonymity from the equation.
“[T]ext typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user,” writes Princeton University’s Steven Englehardt. “This data can't reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user's real identity.”
In other words, session data can be combined with patently identifying data resulting in deeper, more sensitive data being collected and processed.
Another worry is that the information is collected without explicit consent from the user, or without so much as a soft opt-in (as with cookie notices) or even an option for an easy opt-out. This may, in turn, indicate the provider’s concerns that users might not agree to the practice – if they were made aware of it to begin with.
And this is where GDPR and other data protection regulatory trouble lies for tracking firms and website operators alike: neither can demonstrate a lawful basis for processing such personal information if the data subject was never told about it.
Recent academic opinion from Alžbeta Krausová in the Masaryk University Journal of Law and Technology suggests that information gleaned from the usage of session replay scripts also has the potential of being viewed as “special categories of personal data” under GDPR Article 9, specifically as “biometric data”. GDPR defines biometrics as including both physiological biometric data and behavioral biometric data (Article 4(14)), and a user’s behavioral pattern in using a website may very well fall under this definition. Either way, session replay scripts are definitely collecting personal data of some variety and websites employing these scripts are required to only process such data in a way that is lawful.
Even in the United States, where the laws typically focus on regulating the use, rather than the collection, of Personally Identifiable Information, companies must be extremely careful with how they use, share or disclose any information that they collect through session replay scripts, at the risk of violating any of a host of laws, including – depending on the nature of the entity – HIPAA, TSR and CAN-SPAM. Without proper notification of the use of session replay scripts, website operators are also vulnerable to being deemed to be engaging in “unfair and deceptive practices” under the FTC Act Section 5.
Many companies providing session replay technology, such as Clicktale and Glassbox, have taken specific steps to acknowledge and inform users about the use of the scripts. Most recently, Apple felt strongly enough about the privacy implications that it told app developers to either remove session replay technology from their apps or properly disclose it to users.
In its guide to privacy professionals with regard to session replay scripts, the Future of Privacy Forum called for website owners to put in place a number of safeguards. These include: explicit disclosure that session replay scripts are being used, what information is being collected, as well as an opt-out choice. Also, sites should use both automated and manual redaction tools and carefully select which pages on a site are appropriate for session replay scripts to avoid collecting sensitive financial, behavioral or health data of users.
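To make concrete both the capture behaviour described earlier (keystrokes recorded on every input event, submitted or not) and the safeguards the Future of Privacy Forum calls for (page selection, automated and manual redaction, an opt-out), here is an added example of a stripped-down session recorder in JavaScript. It is not code from this post, from the Princeton study or from any vendor. The DOM events are constructed inline so it runs under Node without a browser, and the `data-sr-mask` attribute, the sensitive-name pattern and the excluded-path list are assumptions chosen for illustration, not any product's real configuration.

```javascript
// Added example, not from the post or any vendor: a minimal model of a
// session-replay recorder with and without the FPF-style safeguards.
// Events are plain objects standing in for DOM events (constructed sample data).

// Automated redaction: field types and name patterns that are masked by default.
// The regex is an assumption for this example, not a vendor's list.
const SENSITIVE_INPUT_TYPES = new Set(['password', 'email', 'tel']);
const SENSITIVE_NAME_RE = /pass|card|cvv|cvc|ssn|dob|health|diagnos|iban|account/i;

// "Hardened" policy: denylisted pages never get a recorder; matching fields are
// masked (length preserved, content not); "data-sr-mask" is an assumed attribute
// a site author can put on any element for manual redaction.
const HARDENED_POLICY = {
  excludedPaths: [/^\/checkout/, /^\/account/, /^\/patient/],
  maskAttribute: 'data-sr-mask',
  maskSensitiveFields: false || true,
};

// "Naive" policy: records everything, which is what the Princeton study observed.
const NAIVE_POLICY = { excludedPaths: [], maskAttribute: null, maskSensitiveFields: false };

function isSensitiveField(target, policy) {
  if (!policy.maskSensitiveFields) return false;
  if (SENSITIVE_INPUT_TYPES.has(target.type)) return true;
  if (target.name && SENSITIVE_NAME_RE.test(target.name)) return true;
  // Manual redaction: the element carries the mask attribute in markup.
  return Boolean(policy.maskAttribute && target.attrs && policy.maskAttribute in target.attrs);
}

class SessionRecorder {
  constructor({ path, optedOut = false, policy }) {
    this.policy = policy;
    // Opt-out and page selection are decided before a single event is captured.
    this.enabled = !optedOut && !policy.excludedPaths.some((re) => re.test(path));
    this.events = [];
  }

  // Mirrors what a real script does on each DOM event. Text is captured on
  // "input", i.e. as it is typed, whether or not the form is ever submitted.
  handle(ev) {
    if (!this.enabled) return null;
    const rec = { t: ev.timeStamp, type: ev.type };
    switch (ev.type) {
      case 'mousemove':
      case 'click':
        rec.x = ev.clientX;
        rec.y = ev.clientY;
        break;
      case 'input':
        rec.field = ev.target.name;
        rec.value = isSensitiveField(ev.target, this.policy)
          ? '*'.repeat(ev.target.value.length)
          : ev.target.value;
        break;
      default:
        return null; // other event types are outside this model
    }
    this.events.push(rec);
    return rec;
  }
}

// Constructed event stream: a visitor types part of a card number into a
// signup form, deletes it, writes a health note, and leaves without submitting.
function sampleEvents() {
  const card = { tagName: 'INPUT', type: 'text', name: 'cardNumber', attrs: {} };
  const notes = { tagName: 'TEXTAREA', type: 'textarea', name: 'notes', attrs: { 'data-sr-mask': '' } };
  const typed = ['4', '41', '411', '4111', '4111 1'];
  const events = [{ type: 'mousemove', timeStamp: 10, clientX: 120, clientY: 40 }];
  typed.forEach((v, i) => events.push({ type: 'input', timeStamp: 20 + i, target: { ...card, value: v } }));
  events.push({ type: 'input', timeStamp: 30, target: { ...card, value: '' } }); // user deletes it
  events.push({ type: 'input', timeStamp: 31, target: { ...notes, value: 'allergic to penicillin' } });
  return events;
}

// Run the sample stream through a recorder and return what would be sent upstream.
function recordWith(policy, path = '/signup', optedOut = false) {
  const rec = new SessionRecorder({ path, optedOut, policy });
  sampleEvents().forEach((ev) => rec.handle(ev));
  return rec.events;
}

function main() {
  console.log('naive   :', JSON.stringify(recordWith(NAIVE_POLICY)));
  console.log('hardened:', JSON.stringify(recordWith(HARDENED_POLICY)));
  console.log('checkout:', recordWith(HARDENED_POLICY, '/checkout').length, 'events');
  console.log('opted out:', recordWith(HARDENED_POLICY, '/signup', true).length, 'events');
}
main();
```

The naive transcript contains every partial card number and the full health note even though nothing was submitted; the hardened one keeps the timing and cursor data a UX team actually needs but ships only asterisks for the masked fields, and records nothing at all on a denylisted page or for an opted-out visitor. Note that length-preserving masking still leaks how long a value is, which is why the FPF guidance pairs automated masking with excluding sensitive pages entirely.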
Ultimately, a careful analysis should be undertaken with a Data Protection Officer or Chief Privacy Officer before using session replay technology to ensure it is being done in a way that complies with the law.