Are session recording tools a risk to internet privacy?

Internet privacy and more specifically, the use of session recording tools have been a hot debate in recent months. While regulators and industry leaders concern themselves with how marketers will use the recorded sessions collected from these tools, there are also concerns regarding the social and criminal impact of storing personal, privacy-sensitive data without the visitor knowing.

The prospect of said privacy-sensitive data being exposed or falling into the wrong hands as well as the fact that visitors often aren’t aware that it is being stored in the first place begs a number of different questions. Are there legal risks involved for companies that use session recording tools on their websites? Are such tools presently in line with Privacy Laws? How are these laws changing and what will be the consequences for businesses in the future?

In this article, Mopinion takes a closer look at session recording tools and what lies ahead. We will address what differentiates these tools from other online marketing tools, such as where they excel and where they fall short. Having consulted several privacy experts, including Frank Wijnans, who used to be spokesperson of the Piratenpartij, member of the Pirate Parties International – PPI) and Arnoud Engelfriet (IT and Privacy Lawyer), we will also zoom in on the potential privacy risks and legal consequences of using such tools.

What are session recording and session replay tools?

Session recording and replay is essentially the ability to record, save and replay the interactions your visitors have on your website. A valuable session replay is one that will provide online marketers and UX designers with deep insights into the user experience of website visitors. This is done by recording visitors on the website as they click, scroll, type or navigate across different web pages.


Source: Hotjar

After analysing individual session recordings and identifying weak spots, users can optimise their website accordingly to increase conversions and sales as well as enhance the overall user experience. Some examples of such tools include Hotjar, Mouseflow, and Inspectlet.

For a full overview of visitor recording and session replay tools, click here.

Free White Paper: The future of Online Customer Feedback

Learn how you can leverage the power of online customer feedback to optimise websites and apps.

Download the paper

How do session recording tools compare with other online marketing tools?

When we compare session recording tools with other online marketing tools, privacy and profiling are what really set these tools apart. For example, tools such as online advertising know a lot about your online behaviour and you as a visitor. A good example of this are the advertisements on Facebook. However, the difference between advertising tools and session recording tools is that the advertiser (end-user) never sees personal or privacy-sensitive data, e.g. usernames or other private information.



With marketing tools such as web analytics, the data is based off of anonymous click behaviour, which means that the click cannot reveal any sensitive information about the person and – in many cases – they anonymise the IP addresses. The analytics tool simply shows that visitors clicked on something and measure online interactions such as sessions on web pages or identify where visitors exited the site. Same goes for many other User Experience (UX) tools that track mouse and click behaviour, such as heat mapping and A/B testing tools.

Other online marketing tools such as customer feedback are also different from session recording tools in that they are ‘user-initiated’. What this means is that the “opt-in” takes place when the visitor of the website or user of the mobile app decides to fill in a feedback form.

Pros and Cons of Session Recording Tools

So why do companies choose to work with session recording tools? Do the pros really outweigh the cons? The only way to find out is by looking at both sides. Let’s take a look below.

Pros:

• Shows actual online visitor interactions.
• Looks at visitor sessions on an individual level.
• Reveals where visitors are getting stuck in particular funnels (e.g. the shopping cart) or dropping off.
• Helps discover and reproduce bugs to enhance the user experience.
• Understand and improve onboarding processes. See specifically where users are failing in onboarding flows.
• Test and enhance new features or pages. For example, see how visitors react to a new landing page.

Cons:

• Lacks context. There is no explanation directly from the visitor regarding their activity. Visitor actions are left up to the business to interpret.
• Difficult to analyse large numbers of individual visitor sessions.
• Time consuming to watch individual recordings and not every recording will provide valuable insights.
• Introduces a privacy risk for personal visitor data.

Note: The last point above can be perceived as somewhat unsettling by both consumers and companies that use session recording. This is because many companies that use session recording tools are often exclusively responsible for providing the necessary controls to protect the data of their customers. So what are the risks involved?

Privacy risks of using session recording tools

Online visitors engage in various online processes every day. From filling in contact forms and consulting support services to placing online orders, their actions are being recorded every step of the way. That is, if the website has a session recording tool in place.

An important factor to recognise here is that during session recordings, elements such as text input and form selections are also being recorded. This is where the greatest amount of risk seems to lie because the information being typed in or selected may contain details about the visitor that are privacy-sensitive, e.g. personal data about the visitor, financial data or even medical data.

Medical data risks
Medical data, for example, is steadily becoming more vulnerable to data breaches. According to the Independent, medical records are more valuable to criminals than financial data, as the theft of such records often gives them time to plot out what they will do next – create false avatars to gain access to medical insurance or payments, or leverage personal information against someone. Unfortunately victims of such crimes will not typically detect anything until the plan is already in motion.



Financial data risks
These tools also present a major risk in terms of leaking financial data. Should financial details be compromised in any way, visitors could potentially be subject to identity theft. For example, criminals can use this information to take out loans, file fake tax returns or illegally rent an apartment.



In an offline scenario, the near equivalent to session recording tools would be having a camera in the room. For example, whilst having a meeting with your financial adviser, you provide him or her with details such as your social security number (or BSN), tax identification number and account number. This would all be recorded on camera and stored for later review.

Personal data risks
Keep in mind, however, that while medical and financial data are certainly the most vulnerable types of data as well as the most strict in terms of industry policies, there are other elements of session recording that might be undesirable to online visitors.

Imagine shopping on an online retail website knowing that every move you make is being recorded. The retail store can see how you’ve searched for particular items and which products you’ve placed in your basket. And not only that, they’ve added all of these actions to a profile made specifically for you the moment you signed up and logged in. It might seem quite invasive if these customers were aware that such recordings were taking place.



Perhaps one of the most recent and unsettling occurrences that has plagued many session replay tools – such as Mixpanel, and SessionCam – is the unintentional collection of password data from their customers. An example of this is the ‘Show Password’ feature that many of these companies’ clients have on their website. There have been cases where the feature confused the password redaction protections so that when the user clicked ‘Show Password’ and then took any other course of action on the page, the tool automatically recorded the password. Read more about how this works here.

Which steps should be taken to protect visitors’ data?

Frank Wijnans, Spokeperson of the Pirate Party (NL) shares his thoughts on the matter:

This debate [whether or not session recording tools are a risk to internet privacy] all boils down to one question – is this considered personal data? And I can give you a quick answer: yes, it is. Which means this information should therefore be treated with all of the necessary precautions.

Many marketers and analysts are very much focused on how much data they can collect, which unfortunately makes session recording tools highly susceptible to function creep. ‘These tools are therefore not what you would expect in terms of ‘carefully handling personal information’.

Function creep is the gradual widening of the use of a technology or system beyond the purpose for which it was originally intended – especially when this leads to potential invasion of privacy.

Wijnans continues, ‘It would be better if these tools would focus more on the data that you can use. Determining in advance what the possible results could mean would be good practice. However, with stored data – in this case, individual user recording sessions – trying to distil something meaningful is difficult and the results are unreliable.’

He states that his organisation believes that the collection of personal data should be permitted if it is needed for a clear and specific purpose and is collected with the knowledge of that person. This would mean that with session recording tools, the company conducting the recordings must decide in advance what they want to know and then ask the visitor for permission before collecting this data.

*The ‘Piratenpartij’ is part of Pirate Parties International (PPI), a political movement that focuses on four key: including civil rights, democratisation, transparency and a free society.

Interestingly enough, another well-known organisation seems to concur with the need for an opt-in…

ESOMAR, formerly known as the European Society for Opinion and Marketing Research is a membership organisation that works with large market research agencies such as Ipsos, Gfk,TNS Nipo/KAntar and Maritz. In 2015, the organisation came out with the ESOMAR/GRBN Guideline for Online Research. Under article 7.11 (Unacceptable Practices), the organisation forbade the following:

• Using keystroke loggers without obtaining the participant’s opt-in consent;
• If the participant’s browser is set to private mode, tracking behaviour without opt-in consent; and
• When the participant is on a site, which is set to secure linkage (i.e. SSL site), collecting personal data without opt-in consent.

In short, all member agencies of ESOMAR must obtain opt-in consent before tracking or obtaining any behavioural data from visitors.

A closer look at ‘profiling’

Arnoud Engelfriet, IT and Privacy Lawyer points out that session recording tools are indeed problematic without proper permission as they fall under profiling, which is a very complex legal subject.

It is both logical and understandable that companies would want to use session recording tools. Knowing how your website is used by your visitors is an important part of usability, conversion and overall improvement of your website. It is however a pity that these tools always try to the squeeze out as much information about a visitor as possible. With a close eye on privacy by design, certainly more thought could be put into it

– Engelfriet

Are masking features a solution?

There are some session recording tools that offer ‘masking’ features as a consolation for the potential exposure of privacy-sensitive data. To set this up, the business using the tool must adapt the front-end of the website (including the layout and HTML) across all fields where visitors can type in text or make form selections. By adding this extra HTML code, the business can decide which elements are tracked on their website.


Source: Hotjar

Unfortunately this is a task that requires the user to change the layout of every page where the visitor can leave information behind. Additionally, if the business makes use of any third party tools, such as chat, payment funnels, CRM or contact forms, these ‘masking’ tags may not always be applicable. Not to mention, these businesses are, according to session recording tool suppliers, the ones that bear the risk in the event that they fail to mask privacy-sensitive data.

The legal consequences now and in the future

Engelfriet: ‘Profiling and capturing this information is currently legal under the Privacy Act, as well as the General Data Protection Regulation – GDPR (in force from 25 May 2018), provided that you only collect what is necessary for your purpose and ensure as much protection to privacy for your visitors as possible.’

Note: while this article focuses mainly on how session recording tools will be affected, it’s important to recognise that these legal changes (GDPR) will also affect other areas as well, such HR & Recruitment. Read more about this here.

This means users must have a ‘clear case for their tool’. So rather than recording everything and seeing what kind of information it yields afterwards, users must know in advance which data they will collect and also be able to justify that they need that amount of data. Additionally, users will have to set up tools so that they are as privacy-friendly as possible, while indicating in their privacy statement that they are using session recording tools.



Engelfriet continues: ‘Permission is not strictly necessary if you meet the above requirements. However, you are obliged to offer an opt-out because people may legally object to this kind of profiling.’

While a simple opt-out obligation may be the case now in regards to obtaining permission to use session recording tools, new laws have been set that may change these permissions in the very near future. For example, it could result in a stricter opt-in, similar to the Cookie Law that may require users to obtain explicit permission from visitors via a prominent pop-up that states how they will use the data they want to collect. Alternatively, it could only require a reference in the Terms and Conditions or other disclaimer on the website. This has yet to be clarified.

Where do we go from here?

That’s the million dollar question. Given the the potential legal risks laid out in this article, is it wise to use session recording tools on your website? All we can say is businesses that choose to make use of session recording tools should be aware of the risks and ramifications. This includes carefully reading the Terms & Conditions of the session recording tool you intend to use and reviewing the local laws in your country or region. It also includes making scrupulous and carefully calculated decisions when it comes to which data you collect.