Session Replays and GDPR: How to stay compliant.

TL;DR

  • GDPR compliance is crucial for any digital company to take seriously 🔒
  • Most session replay products collect GDPR-sensitive information, so explicit consent from users (in your T&C) is important 🛎️
  • Fullview Replays is one of the few session replay products based in Europe 🌍
  • All data is stored on servers in the EU 💼
  • We help our customers remain GDPR-compliant by providing a data processing agreement to all European customers 📝
  • We maintain the highest standards when it comes to data security and encryption 🔑
  • Your users' data and recorded replays can ONLY be seen and accessed by people in your organization 🙈

GDPR has implications for every digital company, but especially ones considering recording user sessions to improve UX, marketing or customer support.

Before we dive into why GDPR compliance is so important to adhere to when you implement a session replays solution, let's summarize what GDPR is.

What is GDPR?

Quick disclaimer: this isn't legal advice. If you are concerned about GDPR compliance, please speak to a lawyer who specializes in GDPR and compliance law.

GDPR is a legal framework that the European Union put into effect in 2018 to make it easier for European citizens and residents to gain control over the data that is collected about them and to opt out of this collection.

If you've surfed the web lately, you've probably noticed that cookie banners now contain mechanisms you can use to opt out of marketing, analytics and tracking cookies. That is GDPR.

To put it simply, GDPR makes it harder for companies to track your movements around the web and collect data about you that you do not explicitly give them permission to collect.

However, not all data falls under the purview of GDPR. Only personal data, which is any data that relates to an individual and can be used to directly or indirectly identify them, is covered. This includes names, email addresses, gender, address and the like.

If you record any of this data, you will need to ensure that you are GDPR compliant.

What are session replays?

Session replays are video-like recordings of user sessions within an app or on a website. They give customer support agents, marketers, UX designers, product teams and developers valuable information about how actual users are navigating a digital product and using it.

Sometimes the data they collect is aggregated and anonymized and sometimes it is tied to identifiable users of your app (like in the case of Fullview Replays).

They collect GDPR-sensitive information and involve tracking cookies, so they require explicit consent on the part of your customers.

GDPR and session replays

Since many session replay tools require GDPR-sensitive information such as IP addresses to be collected, you need to pay special attention to whether or not your session replays vendor is compliant and, in turn, can help ensure you are compliant.

Since Fullview offers a session replay product that doesn't anonymize data, we get this question a lot: will I still be GDPR compliant if I use Fullview? 

The answer is yes!

Fullview is one of the few session replay vendors on the market that is based in Europe without a US parent company, meaning we adhere to rigorous standards when it comes to GDPR compliance and data protection.

Here's just some of what we do to ensure our users remain GDPR compliant if they choose to use us as their session replay provider: 

  • All user data is stored on servers in the EU (in Germany)
  • GDPR-sensitive information like email addresses, phone numbers and payment information is automatically blurred out during a session recording.
  • We offer a Data Processing Agreement to all European customers.
  • All of Fullview’s data is securely stored with Amazon Web Services, which is fully automated and monitored by continuous functional tests to detect any sort of downtime.
  • All user data is stored using Amazon Cognito. Data within Amazon Cognito is encrypted at rest in accordance with industry standards.
  • Our SSL connection encryption maintains an A+ grade from Amazon Web Services.
  • For backup purposes Amazon has a dedicated service called AWS Backup. See more info here.
Author

Shifa Rahaman

Content Marketing Manager
