The feature is called session replay, and it is sold as a usability tool. Products like Hotjar, FullStory, Microsoft Clarity, LogRocket, Smartlook, and Yandex Metrica let site owners replay individual visits to find broken checkout flows and confusing layouts. That is a legitimate engineering need. The privacy problem is in how the recording works, what it captures by accident, and where the data lands.
What the script actually captures
A session replay script does not record video. It hooks into the browser's DOM and event APIs and logs a stream of structured events: the initial page structure, every mutation to it, plus mouse coordinates, clicks, scroll positions, and input events, all timestamped. The vendor's dashboard replays that event stream against the page structure, producing something that looks exactly like a screen recording.
Because the capture happens inside the page, it sees things ordinary analytics never could:
- Keystrokes as you type them, not just the final submitted form. Several products capture input on every keypress by default for some field types, which means text you typed and thought better of can still be in the recording.
- Content the page displayed to you, which on a pharmacy, bank, or medical portal includes your prescriptions, balances, and diagnoses, because the script records the DOM the site rendered for your logged-in session.
- Hesitation and behavior: how long you hovered over a price, what you almost clicked. This is behavioral data with no submit button.
The redaction that fails in practice
Every replay vendor offers masking: password fields are excluded by default, and site owners can tag other elements to be redacted before events leave the browser. The design assumes the site owner correctly labels every sensitive element on every page, forever, including pages added after the analytics integration was set up.
Researchers at Princeton's Center for Information Technology Policy tested that assumption in their 2017 "No Boundaries" study. They found session replay scripts running on hundreds of the world's most-visited sites, and documented recordings that captured passwords caught by autofill in the wrong field, credit card numbers, health conditions on pharmacy pages, and names and birthdates, all flowing to replay vendors despite the masking features. The failure mode was rarely malice. It was a default-on capture pipeline combined with redaction that had to be configured perfectly to work at all.
Redaction-by-configuration inverts the safe design. A privacy-sound recorder would capture nothing until an element is explicitly marked safe. Session replay captures everything until an element is explicitly marked sensitive, so every labeling mistake becomes a leak, and the site owner usually never knows.
The legal system noticed eventually. Since 2022, US plaintiffs have filed waves of class actions arguing that session replay without consent violates state wiretapping statutes, most prominently the California Invasion of Privacy Act, on the theory that the replay vendor is a third party listening in on a communication between you and the website. Courts have split on the details, but the volume of litigation has pushed some sites to gate replay scripts behind consent banners in the US as well as the EU, where GDPR consent requirements already applied.
Who ends up holding the recording
When a site uses a third-party replay service, your session data leaves the site's infrastructure and lands with the vendor. That changes the risk model in three ways.
First, access: the recordings are typically viewable by the site's product and support staff, and are processed by the vendor. Second, aggregation: a large replay vendor holds behavioral recordings from thousands of sites, and a free product, such as Microsoft Clarity, is being paid for somehow; in Clarity's case the terms permit Microsoft to use the collected data to improve its own products and services. Third, breach surface: a session recording is a dense artifact. One compromised replay account can expose what users typed across an entire site, which is a different order of loss than leaked page-view counts.
Session replay also composes badly with other tracking. The same page often carries fingerprinting scripts and identity graphs from ad tech, and replay vendors attach the recording to whatever user identifier the site provides. A recording of anonymous-looking behavior becomes a recording of you the moment the site passes your account ID into the analytics call, which is a standard, documented integration step.
How to keep your sessions out of the archive
| Defense | What it does against replay |
|---|---|
| Content blocker (uBlock Origin) | Blocks the replay script from loading at all on most sites; the standard filter lists cover the major vendors |
| Browser tracking protection | Firefox strict mode and Brave block several replay vendors as known trackers; coverage varies |
| Rejecting the consent banner | Works where the site actually gates replay behind consent; many sites outside the EU do not |
| Not typing sensitive text into forms you don't submit | Removes the worst leak class; assume anything typed into a page may have been transmitted |
The last row deserves emphasis because it is counterintuitive. Most people model a web form as private until they press submit. On a page running keystroke-level replay, transmission starts at the first keypress. Drafting a sensitive message in a random website's contact form, then deleting it, may still have shipped the draft to an analytics vendor. If you want drafting privacy, compose in a local editor, or in a service that is end-to-end encrypted and states what its clients send home.
Session replay is a good case study in how surveillance accumulates without anyone deciding to surveil. Each site added a usability tool. Each vendor built a reasonable product. The sum is an ecosystem where typing into a web page routinely means being recorded by a company you cannot name, under a redaction scheme that fails on configuration mistakes. Knowing the mechanism is most of the defense: block the scripts, and treat every third-party form as transmitting while you type.