As a company that recently launched its session replay feature, we know that the ethical dilemma surrounding session replay isn’t simple.

Just imagine you’re quietly doing your CRM job and suddenly realizing that someone else is watching your every mouse movement, click, and keystroke. No wonder session recording gives people the creeps!

So where’s the line between spying on every user visit and simply collecting data?

Spoiler: There isn’t really a dilemma. It all comes down to:

• Personally identifiable information (PII)
• Third-party vendors
• How data is treated (and by whom)
• Informed consent

Let’s explore the issues first.

Uncovering the ethical issues of session recording tools

The core issue with session replays is how individual it is.

It’s not like analyzing behavioral data on a spreadsheet or graphic image. Instead, the fact that YOU are being watched as you go about your work is what makes it ethically shady.

What’s worse is that watching replays is pretty much normalized, with over 48,240 companies already using session recording software right now.

All of this leads to four reasonable privacy concerns:

1. Invasion of user privacy by capturing personally identifiable information (PII)

One issue with session recording technology is that it is too good at what it does and thus has no limits to what it can track.

The first concern you’d have in mind if you were recorded is: Can they see my passwords? Credit card information? Location? Email addresses? Confidential company data?

The unfortunate answer to this question is: Yes, it is possible.

This makes it easy for not only bad actors but also clueless employees to fall into this unethical practice that could easily ruin user trust if spotted.

2. Unauthorized sharing of sensitive data with third-party tools

Companies tend to buy third-party software for session replays because it’s the option with the most cost-effectiveness.

But even if your users trust you with their behavioral data, they won’t trust the third-party services you’re using.

Sure, you might properly secure the session recording data, but what if the software you use suffers a security breach? What if there’s a data leak, and all that personal data ends up in the hands of cyber criminals?

Your customer’s data usually passes through a third-party vendor, and you can’t control how they’ll handle the data. Thus, it is inherently risky to record sessions if you don’t choose the right session replay tool for you.

3. Lack of transparency about data collection practices

Another issue with recording sessions is that most users have no idea that they’re being recorded.

Sure, you may disclose it in your privacy policy, but no one really goes through it all.

Now think about the second-order effects of normalizing session recording, especially in B2B. What if your user’s data isn’t leaked through your third-party tool of choice but through a tool in your tech stack that you didn’t even know was recording your data?

4. Excessive and undue collection of customer data

As we mentioned, session recording technology is too good at tracking customer interactions.

And as a result, it goes against the principles of data protection because it processes more personal details than needed.

This is more of a problem than a solution. Do you really need to know your users’ addresses, their teammates’ emails, or the revenue metrics of their company in the last quarter? Why does a session recording tool allow you to access this in the first place?

Do session replay benefits outweigh its negatives?

As you see, session replays are more than questionable in the realm of ethics.

But are they really that bad?

Session recording software does give you the ability to fix bugs, spot UX issues, and find opportunities for improving your product on the spot.

For instance:

• They give a qualitative perspective to events that would otherwise be only quantitative. Instead of looking at a list of behavioral data that might mean something or not, you can actually watch the problem happen as it’s occurring.
• They remove the need to guess the cause of a bug because you can easily watch the series of actions that trigger it, and share it with your devs to fix it.

• They eliminate the need to figure out and make hypotheses about why users are dropping off during onboarding—just watch the sessions yourself.

The fact is clear: session recordings are beneficial for both companies and end users.

And despite this, I don’t think these benefits outweigh the negative side of having to literally spy on users without their knowledge.

However…

There is a middle way

Now, the purpose of this article is not to fearmonger you to avoid session replay software.

On the contrary, we want you to use session replay software ethically while getting its full benefits.

This is possible if you follow these best practices:

Use trusted session replay tools that prioritize user privacy

Just like installing a trust-worthy antivirus, you must also hire a session replay tool that respects user privacy and is transparent about it (ditch any obscure or relatively suspicious alternative).

For this, search for third-party tools with sound security policies and those that comply with laws and regulations. For instance, Userpilot is a product analytics tool that is compliant with HIPAA, GDPR, and SOC 2 Type II standards—making our session replay software pretty much safe from privacy issues.

Once you get a trustworthy tool, you’ve won half the battle.

Try Userpilot for Session Replay Software that Upholds Ethical Standards

Get a Demo

• 14 Day Trial
• No Credit Card Required

Mask personally identifiable information

As I claimed earlier, the main issue with session replays is how individualized it is. They’re not looking at a table with a bunch of numbers. They’re watching YOU.

Thankfully, there’s a simple solution to this. Most session replay tools allow you to redact both personal and sensitive data so users are not exposed, basically keeping their recordings anonymous.

It separates what matters to us (the user behavior) from the identity of the person.

Userpilot, for instance, automatically masks passwords, payment information, and hidden inputs. Plus, you can easily mask more data if you need to; all you need to do is go to the privacy section in the settings and add the CSS selector for the element you want to censor.

And before you start recording, we strongly recommend auditing your platform to ensure all appropriate elements and forms are masked.

Not doing so puts your users at risk of getting their data filtered through an unmasked form in your app.

Be transparent about session recording practices

Now, it doesn’t matter how ethically and safely you collect session recordings, your users deserve to know.

Transparency is key for user trust, so don’t dare to hide this disclosure behind legal jargon in your privacy policies that no one reads.

Instead, we highly recommend informing users (in a UX-friendly way) that their sessions are recorded, why you’re doing it, and how their data will be treated (ideally, it should be kept anonymous).

You must communicate:

• What type of data is being recorded (clicks, text fields, deleted text, etc.)
• For how long you’ll retain their sessions
• Whether it’s going to be anonymous or not
• The purpose of recording sessions

Also, make sure this information is available so users can read it, understand it, and agree with it. For instance, you can include it on your site like cookies notifications or on the signup page of your app similar to email newsletter opt-ins.

Get the informed consent of your users (without deceiving them)

Informed consent is a must. Users should always have the ability to opt-in or opt-out of session recordings whenever they want. More than that, you should give users the option to choose what data they agree to share.

Again, this isn’t about sneaking it into your privacy policies. It must be explicit, like adding the opt-in option during signup or showing users how they can opt-out.

Heck, you can even add a pulsing red dot to indicate to a user that they’re being recorded anonymously.

If you only care about spotting bugs, finding friction, and analyzing pages with high drop-offs, then it shouldn’t make any difference whether the user knows they’re being recorded or not.

Create robust internal security policies and practices

Once the session replays are safe and accepted with (properly) informed consent, the rest of the job is to follow best practices to keep the data safe.

For this, you must implement a robust security policy that protects the session’s data internally. It can involve:

1. Limiting access to session data to authorized personnel only: This would prevent anyone without authority from accessing the data.
2. Training employees on ethical/legal standards: The leadership of your company must set the standards for the rest to follow, including clear policies that explicitly indicate how to handle any violation of the rules.
3. Conduct regular security audits: With the help of your legal team, you should review and update your security policies based on changes in regulations, technology, and data treatment inside your company.

So, are session replay tools ethical?

As we learned here, the ethical dilemma of session replay isn’t really a dilemma; it’s 100% possible to get the benefits of recording users without falling into unethical practices.

It’s easy to be unaware of it if you’re not careful. Now that you know, it shouldn’t be hard to use your customers’ data responsibly.

As a company that sells session replay software, we have the responsibility of managing data in a safe way. That’s why our product is compliant with HIPAA, GDPR, and SOC 2 type II.

So if you want to watch user sessions without creeping into personal data, book a Userpilot demo, and we’ll get you started.

Try Userpilot for Session Replay Software that Upholds Ethical Standards

Get a Demo

• 14 Day Trial
• No Credit Card Required