CNIL Examines Data Protection Issues Around Session Replay Tools

The consultation's goal is to develop practical recommendations for stakeholders on session replay tools, CNIL said. Replay tools are used to reconstruct a user's full browsing path on a website or mobile application. They give publishers of a site or app the opportunity to record all user interactions, including mouse movements, tactile interactions, clicks and page scrolling. The data is then used to reconstruct the user's actions, in video form, to give a detailed view of the user's experience on the website or app.

These tools analyze users' navigation paths so that publishers can, for instance, detect and correct bugs or optimize the ergonomics of a website or app, CNIL said. But the tools also provide new opportunities for tracking and analyzing users' behaviors and could lead to high risks concerning people's privacy rights on the internet.

Among other things, CNIL said, the tools help collect a large amount of navigation data, including sensitive personal data, without users' awareness, and to deduce information about users' habits, beliefs and interests.

As such, the tools involve complex data processing and pose key challenges to the General Data Protection Regulation, the watchdog said. It decided to consult stakeholders to better understand the legal, technical and ethical issues involved. Recommendations for providers of session replay tools and mobile website and app publishers are expected in the second half of 2025, it said.