Is ‘session replay software’ a privacy threat or just improving your web experience?


Privacy experts have mixed views but agree consumers should be aware they are being tracked

A growing number of websites visited by millions of consumers daily are employing something called “session replay software” that allows the company to record everything the user does on the site.

It’s been compared to the website operator “looking over the user's shoulder” while the user is on the website. It sounds invasive, but privacy experts have mixed views about whether it poses a threat.

Patricia Thaine, CEO of Private AI, a company that redacts and replaces personally identifiable information (PII), says the technology has been around for years but is only now getting attention.

“At the moment, there is no explicit law against the use of session replay technology, which is why we are seeing consumer lawsuits,” Thaine told ConsumerAffairs. “As people become more concerned with data privacy, they’ll begin to question any collection of their information, even potentially including personal information, without clear-cut consent.”

Paul Bischoff, a privacy advocate with Comparitech, a technology research firm, says websites that use this technology say that they only use the data to help them improve users’ online experience.

"In the past, session replay was mainly used for troubleshooting and diagnostics. It's useful for finding chokepoints where users are getting stuck or confused,” he told us. “But some apps and sites have adopted it for analytics and marketing purposes."

Consumers should be informed

“While this is likely fully legal, my moral compass tells me that online vendors should inform their potential customers about the use of replay tools, even if it's only in the small print of their privacy policy," said Chris Hauk, a consumer privacy champion at Pixel Privacy, an online privacy protection firm.

In fact, California and Florida, along with 11 other states, have all-party consent laws that require all parties to a conversation or interaction to consent to be recorded. Pennsylvania arguably has the strictest statute because it expressly requires prior consent before any recording of a user’s interactions.

Cause for concern?

As this practice is adopted by more websites, Ian Cohen, CEO and founder of LOKKER, a provider of data privacy and compliance solutions for the enterprise, says consumers should be aware their online activity is being monitored and, in some cases, recorded.

“Consumers should be concerned, but there isn’t a lot they can do about it,” Cohen told ConsumerAffairs. “For one, they won’t know these tools are operating ‘behind the scenes’ of their site visit. Two, even if the company disclosed that they are using these tools, consumers wouldn’t likely be able to opt-out and still use the site.”

Does this practice pose a danger to web users? Cohen says it does, but not really from the website using the data to tweak the user experience. Rather, he says the danger may come from possible data breaches that could expose web users to “significant harm,” including identity theft and financial fraud.
