Clicktics

Is Website Session Recording Legal / GDPR? How to Stay Compliant?

Session recording is legal in both the EU and the US — but only if you do it right. This detailed guide explains what GDPR, ePrivacy, CCPA, and US wiretapping laws (including the CIPA session-replay lawsuit wave) actually require, and gives you a practical compliance checklist.

TG
Tomás García
Author
July 14, 2026 9 min read 8 views
Is Website Session Recording Legal / GDPR? How to Stay Compliant?

Yes — website session recording is legal in both the European Union and the United States, but only when it's done correctly. Session recording (also called session replay) captures how real visitors interact with your site, and because those recordings can contain personal data, they fall squarely under privacy and data-protection law. Get the consent, masking, and disclosure right and you're compliant. Get them wrong and you're exposed to regulator fines in the EU and a fast-growing wave of class-action lawsuits in the US.

This guide breaks down exactly what the law requires in 2026 — GDPR and ePrivacy in the EU and UK, and the patchwork of wiretapping and privacy statutes in the US — then gives you a practical checklist to stay on the right side of both.

Note: this article is general information, not legal advice. Privacy law is fact-specific and changes often — consult a qualified privacy lawyer for your situation.

Why session recording raises legal questions

A session recording can capture far more than anonymous clicks. Depending on how it's configured, it may record what a visitor typed, the pages they viewed, their approximate location, device details, and — if masking isn't set up — data entered into forms. Much of that is personal data (EU) or personal information (US). The moment you record identifiable information about a person, data-protection law applies. The legal question is never "can I record?" but "have I met the conditions that make recording lawful?"

Session recording under EU & UK law (GDPR + ePrivacy)

Two laws work together in Europe: the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which governs personal data, and the ePrivacy Directive (2002/58/EC), the "cookie law" that governs storing or accessing information on a user's device. The UK mirrors both through the UK GDPR, the Data Protection Act 2018, and PECR.

You almost always need prior consent

Session recording scripts typically set cookies or write to local storage, and Article 5(3) of the ePrivacy Directive requires prior, informed consent before storing or accessing non-essential information on a device. Analytics and session replay are not "strictly necessary," so consent is the standard requirement. The Court of Justice of the EU confirmed in Planet49 (Case C-673/17, October 2019) that pre-ticked boxes don't count: consent must be a clear, affirmative action. In practice, your recording script should not fire until the visitor has actively opted in via your consent banner.

Consent must meet the GDPR standard

Under GDPR Article 4(11) and Article 7, valid consent is freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as to give. A banner that says "by using this site you agree" or that bundles recording in with everything else does not qualify.

Core GDPR principles you must honor

  • Lawfulness, fairness & transparency — tell people, in your privacy policy, that you record sessions and why.
  • Purpose limitation — use recordings only for the purpose you disclosed (e.g. improving UX), not for something new.
  • Data minimization — capture only what you need; mask everything else.
  • Storage limitation — set a retention period and delete recordings when it expires.
  • Integrity & confidentiality — store recordings securely.

Special category data is off-limits

Article 9 of GDPR restricts "special category" data — health, ethnicity, religion, sexual orientation, and similar. Your recording tool should never capture it. That means excluding or masking any field or page where sensitive data appears.

Data-subject rights, DPAs, and DPIAs

Visitors have the right to access their data and to have it erased. You must be able to find and delete an individual's recordings on request. Because your recording vendor processes personal data on your behalf, GDPR Article 28 requires a Data Processing Agreement (DPA) with them. And where recording amounts to "systematic monitoring" at scale, Article 35 may require a Data Protection Impact Assessment (DPIA) before you start.

The cost of getting it wrong

GDPR penalties reach up to €20 million or 4% of global annual turnover, whichever is higher. European regulators (the CNIL in France, the Garante in Italy, and others) have issued numerous fines over cookie-consent and tracking failures — the same consent rules that govern session recording.

Session recording under US law

The US has no single federal privacy law. Instead, session recording sits at the intersection of decades-old wiretapping statutes and a growing set of state privacy laws — and in 2026 the wiretapping angle is where the real risk lives.

The CIPA "wiretapping" lawsuit wave

Since 2022, plaintiffs' firms have filed hundreds of class-action lawsuits arguing that session-replay and chat tools amount to illegal wiretapping. The leading theory uses the California Invasion of Privacy Act (CIPA, Cal. Penal Code § 631), which prohibits intercepting electronic communications without all-party consent. Plaintiffs claim that recording a visitor's interactions in real time — often via a third-party tool — is an unlawful "interception." A newer wave of 2024 filings leans on CIPA § 638.51, the "pen register / trap and trace" provision. Even when defendants ultimately win, defending these suits is expensive, which is exactly why disclosure and consent matter in the US too.

All-party consent states

Roughly a dozen US states require all-party (two-party) consent to record a communication — including California, Florida, Illinois, Massachusetts, Pennsylvania, and Washington. In these states, recording a visitor's session without adequate notice and consent is the core allegation behind the CIPA-style suits. The safest approach is to treat all-party-consent rules as your baseline nationwide.

CCPA / CPRA and the state privacy laws

California's CCPA, as amended by the CPRA, treats browsing and interaction data as personal information. It requires a "notice at collection," a privacy policy that discloses what you collect, and the ability for consumers to opt out of the "sale" or "sharing" of their data — and it requires businesses to honor the Global Privacy Control (GPC) browser signal. By 2026, roughly twenty US states have comprehensive privacy laws (Virginia's VCDPA, Colorado's CPA, Connecticut, Utah, Texas, Oregon, and more), most with similar notice-and-opt-out obligations that reach session data.

The FTC and unfair practices

Finally, Section 5 of the FTC Act prohibits "unfair or deceptive" practices. Recording sessions in a way that contradicts your own privacy policy — or capturing sensitive data you promised not to — can draw FTC scrutiny on top of state-law exposure.

How companies get session recording wrong

Most compliance failures come down to the same handful of mistakes:

  • Firing the recording script before the visitor consents (or with no consent mechanism at all).
  • Failing to mask passwords, payment details, and other sensitive inputs, so they end up in recordings.
  • Never mentioning session recording in the privacy policy.
  • Ignoring browser signals like Do Not Track and Global Privacy Control.
  • Keeping recordings forever instead of setting a retention limit.
  • Using a vendor with no DPA and no clear data-handling terms.

How to stay compliant: a practical checklist

The same core practices keep you compliant on both sides of the Atlantic:

  • Get consent first. In the EU/UK, don't load the recording script until the visitor opts in through a compliant consent banner. In all-party-consent US states, disclose recording clearly and obtain consent.
  • Mask sensitive data by default. Ensure passwords, payment fields, and any personal or special-category data are never captured. Configure field- and page-level exclusions.
  • Update your privacy policy. State plainly that you use session recording, what it captures, why, how long you keep it, and who processes it.
  • Honor DNT and GPC. Respect Do Not Track and Global Privacy Control signals — the latter is legally required under California law.
  • Set a retention period. Automatically delete recordings after a defined window (many teams choose 30–90 days).
  • Sign a DPA with your vendor. GDPR Article 28 requires it, and it clarifies responsibilities everywhere.
  • Enable data-subject requests. Be able to locate and delete an individual's recordings on request.
  • Run a DPIA where needed. For large-scale or systematic monitoring under GDPR, document your risk assessment before you begin.
  • Mind data transfers. If EU personal data leaves the EU, rely on a valid transfer mechanism (adequacy, the EU-US Data Privacy Framework, or SCCs), or keep data in the EU.
  • Avoid third-party cookies where you can — privacy-first tooling reduces both legal exposure and consent friction.

How Clicktics is built for compliant session recording

Compliance is far easier when your tool is privacy-first out of the box. Clicktics is designed so the technical safeguards above are defaults, not afterthoughts:

  • Input masking on by default — passwords, payment fields, and sensitive inputs are masked before anything is stored.
  • No third-party cookies — Clicktics recognizes returning visitors without dropping cross-site trackers, which reduces consent friction.
  • Respects consent and Do-Not-Track — recording can be gated behind your consent banner and honors DNT/GPC signals.
  • Retention controls and one-click deletion — set how long recordings live, and delete an individual's data on request.
  • A DPA is available, and the SDK is self-hostable with EU data-residency options for teams that need data to stay in-region.

These features make it much easier to meet GDPR, ePrivacy, and US requirements — but no tool makes you automatically compliant. You still own consent, disclosure, and policy. Always confirm your setup with your own legal counsel.

Frequently asked questions

Is session recording legal under GDPR?

Yes, if you meet GDPR and ePrivacy requirements: obtain prior consent before the script runs, mask sensitive data, disclose recording in your privacy policy, limit retention, honor data-subject rights, and sign a DPA with your vendor. Recording without consent or without masking personal data is where GDPR problems arise.

Do I need consent to record website sessions?

In the EU and UK, yes — the ePrivacy Directive requires prior consent for non-essential scripts like session replay. In the US, roughly a dozen "all-party consent" states (including California) effectively require disclosure and consent, and failing to get it is the basis of the current wave of CIPA session-replay lawsuits.

Are session-replay tools being sued in the US?

Yes. Since 2022, hundreds of class actions have alleged that session-replay and chat tools violate the California Invasion of Privacy Act (CIPA) by "wiretapping" visitors without consent, with newer suits citing CIPA's pen-register provision. Clear disclosure and consent are the main defenses.

What data should never be captured in a session recording?

Passwords, full payment-card details, government IDs, and any GDPR "special category" data (health, ethnicity, religion, sexual orientation, etc.). A good tool masks these automatically so they never reach your recordings.

How long can I keep session recordings?

Only as long as you need them for the disclosed purpose (GDPR's storage-limitation principle). There's no fixed legal maximum, but many teams set an automatic 30–90 day retention window and delete recordings after that.

Record responsibly — and turn insight into growth

Session recording is completely legal when consent, masking, disclosure, and retention are handled properly. Clicktics gives you privacy-first session replay, heatmaps, funnels, and live chat with masking on by default, no third-party cookies, consent and Do-Not-Track support, retention controls, and a DPA — so you can understand your visitors without cutting corners on compliance.

Start your free trial → or talk to us about your privacy and compliance requirements.

TG
Written by

Tomás García

Tomás García writes for the Clicktics blog about session replay, analytics engineering, and building privacy-first products that agencies love. Reach the team at [email protected].

Comments (0)

0/5000 · Comments are moderated and will appear after approval.

We never share your email. Be kind.

No comments yet — be the first to share your thoughts.

Ready to see your visitors in action?

Add our ~24KB snippet, watch your first replay in five minutes, and join 12,000+ teams using Clicktics.