Protecting user privacy when using Session Replay

Vijay Umapathy
June 8, 2023 (4 min read)

If you're in the business of building digital experiences, you probably know that there has been a spate of litigation around Session Replay. As a Session Replay vendor, we have been paying close attention to this litigation, and we think it’s important that you understand what’s happening and our respective roles in protecting user privacy while also getting the insights you need to delight your customers.

Before we dive in, I’d like to make it clear that I am not an attorney and the following is not legal advice – rather, it’s advice from one product leader to many others on how to be thoughtful about user privacy preferences while also understanding your customer journey so you can make those experiences more seamless and delightful. It is also worth noting that the legal landscape is rapidly evolving, and the thoughts in this document reflect our understanding of that landscape as of June 2023. 

What’s going on with Session Replay tools and lawsuits?

Recent litigation against session replay providers stems from allegations that these technologies are effectively engaged in "wiretapping." Session replay software creates a “watchable” reconstruction of users' activities on a website, including mouse movements, keystrokes, and clicks, enabling businesses to improve user experience, analyze user interactions, and diagnose issues. 

Plaintiffs in these cases argue that such practices violate privacy rights because they may record these behaviors without explicit user consent and potentially capture sensitive information such as names, addresses, and other personally identifiable information (PII).

Originally, "wiretapping" meant someone physically connecting to (“tapping into”) a phone wire and listening to other people's phone calls without them knowing. In this context, end users are likening the recording of their activities on a business’s website or mobile app to “wiretapping” their digital communication with the business without the end user’s consent.

This discussion has ramped up in recent months because some states have changed their policy around consent to be “two party states” (sometimes also called “active consent”) – that is, both the business and the end user must consent before any tracking can occur (i.e., consumer consent can be a defense to wiretapping claims). Businesses that are using analytics tools have control over whether they load these tools on their websites, but usually, they need to make user interface updates to make end-user consent more visible and explicit. 

What you can do to benefit from analytics

As a business, you don’t need to choose between understanding your customer journey and protecting your end users’ privacy – you can have both. Here are some practices we’ve seen customers use to do this:

1. Configure your session replay tool to mask sensitive or personally identifying information. Session replay tools typically include settings to control where data is captured and what data is captured. For example, Heap includes the ability to block or allow session replay capture on specific pages, block/allow text capture for specific elements on a page, or “mask” all text (see picture), which replaces that text with asterisks before it leaves the end user’s device (this builds extra trust because it’s verifiable by end users). It’s important when setting up a session replay tool to make a plan for what information to mask, and make sure you test your session replay settings in a development environment before rolling out any changes to production.

Session Replay View

2. Show a disclosure in your privacy policy regarding the use of cookies, analytics, and session replay.  As examples, we have seen privacy policies do some or all of the following:

  • Specify the types of event or session information session replay technology collects, like page views, how much time is spent on a page, clicks, mouse movements, text entered, etc.  

  • Are detailed enough so that users are sufficiently informed about how session replay technology works to provide consent. 

  • Transparently disclose the purposes for which session replay technology is being used on the site. While these can vary among companies, they often include uses like analytics, personalization, and improvement of user experiences.  

  • Tell users that session data may be shared with third parties.  In regards to session replay vendors, if you execute appropriate data processing terms, the policy can also state that the session data is only used at your direction and for your purposes. 

3. Show a clearly visible persistent opt-in banner, splash page, or pop-up to notify individuals about your use of cookies, analytics, and session replay. This helps your end-users get immediately notified about session replay or other analytics tools when they land on your site.  It also potentially enables you to collect users’ affirmative, express consent, and/or let users manage their privacy preferences. The banner can also provide links to privacy policies with further disclosures about session replay so users can learn more before using your website.  

Cookie Popup

4. Offer users a way to provide privacy preferences, including for session replay technology like Heap. For example, if you use a cookie or tag manager, you may be able to give your users controls to opt in to or opt out of the analytics tool loading and collecting user data. Special shout out to OneTrust, which does a great job of creating a consent interface that provides clear, granular controls for end users to customize their privacy preferences without leaving the business’s website.

Privacy Popup
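As an added illustration of practices 1 and 4 (this is not Heap's code or API), the sketch below masks text on the client before a payload is built, refuses to build one until the user has opted in, and includes the kind of canary check you can run in a development environment before rollout. The attribute names, the `consent.sessionReplay` flag, and the plain-object page are assumptions made for the example.

```javascript
// Added example. All names (data-replay-allow, data-replay-block, consent.sessionReplay)
// are hypothetical and are not Heap's API.
const POLICY = { allowAttr: "data-replay-allow", blockAttr: "data-replay-block" };

// Keep whitespace so layout survives; replace every other character.
const maskText = (s) => s.replace(/\S/g, "*");

// Node shape (constructed stand-in for the DOM): { tag, attrs, text, value, children }.
// Attributes are never copied into the output, so they cannot leak either.
function snapshot(node, policy = POLICY, allowed = false) {
  const attrs = node.attrs || {};
  // Blocked subtrees are dropped entirely, not merely masked.
  if (policy.blockAttr in attrs) return { tag: node.tag, blocked: true };
  const allow = allowed || policy.allowAttr in attrs;
  const out = { tag: node.tag };
  if (typeof node.text === "string") out.text = allow ? node.text : maskText(node.text);
  // Form values are typed by the user, so they are masked even inside allowed regions.
  if (typeof node.value === "string") out.value = maskText(node.value);
  if (node.children) out.children = node.children.map((c) => snapshot(c, policy, allow));
  return out;
}

// Default deny: nothing is built or sent until the user has opted in.
function buildPayload(consent, root, policy = POLICY) {
  if (!consent || consent.sessionReplay !== true) return null;
  return JSON.stringify(snapshot(root, policy));
}

// Pre-release check: seed the page with canary values and confirm none survive.
function findLeaks(payload, canaries) {
  return payload === null ? [] : canaries.filter((c) => payload.includes(c));
}

// Constructed sample page and canary values.
const PAGE = {
  tag: "main",
  children: [
    { tag: "h1", attrs: { "data-replay-allow": "" }, text: "Checkout" },
    { tag: "p", text: "Ship to Jane Canary, 1 Test Street" },
    { tag: "input", attrs: { type: "email" }, value: "jane.canary@example.test" },
    { tag: "section", attrs: { "data-replay-block": "" },
      children: [{ tag: "p", text: "Card ending 4242" }] },
  ],
};
const CANARIES = ["Jane Canary", "1 Test Street", "jane.canary@example.test", "4242"];
```

Running `findLeaks` against a page whose root is allowlisted shows why the allow attribute belongs on individual elements: free text under it is captured verbatim, while typed values and blocked sections stay protected.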

As a leader in digital experience analytics and a provider of both product analytics and session replay, Heap is committed to making sure that our customers can deeply understand and improve their customer journey and feel safe about protecting end user privacy while doing so.

The law here is evolving but affirmative consent and utilizing data privacy tools are best practices. We hope these tips can help you as builders of digital businesses better understand the protections in place for end users and use tools like session replay to confidently iterate on and improve your digital journeys. As a reminder, please consult with your own legal counsel to ensure compliance with applicable laws. 

Vijay Umapathy, Senior Director of Product Management at Heap
