Session replay tools, which record real user interactions on a website, are now used across industries to improve UX, spot bugs, and drive conversions. Yet their ability to record every mouse movement, keystroke, and scroll has triggered a wave of privacy litigation, big-name class actions, and regulatory crackdowns. If you’re using session replay technology on your website, contact Captain Compliance for a free privacy audit; we can help you with the proper disclosures and with software that lets users opt out and stop the tracking if they do not consent.
What Is Session Replay Technology?
Session replay tools capture detailed, video-like recordings of user visits, including clicks, page views, form inputs, and navigation patterns. While popular among marketers and product teams, these technologies often operate silently, leaving visitors unaware that their web activity is meticulously logged and replayed. Think of it like this: what if somebody were peeking over your shoulder and watching everything you type and do on your phone? Would that be okay with you without consent? That’s a good way to think about session replay tech and why a business needs a Captain Compliance consent banner to toggle tracking on and off.
Why Risk Assessments Should Flag Session Replay
Modern privacy laws, especially wiretapping statutes like California’s CIPA and Pennsylvania’s WESCA, are increasingly being used against companies that deploy session replay without explicit, informed consent. Risk assessment checklists must now include:
- Is site recording software present? (If yes, list the software found.)
- Is a disclosure given to users before activation?
- Does the privacy policy mention session replay and third-party vendors?
- Are cookies present from major session replay vendors?
Legal exposure comes from failing to disclose both the presence and scope of session recording, especially when third-party scripts (via SaaS) are involved.
Major Litigation Cases: Quantum Metric & Others
Quantum Metric: CVS and Bed Bath & Beyond Lawsuits
Session replay provider Quantum Metric has faced multiple class actions for allegedly violating privacy rights and wiretapping laws by intercepting and recording website visitors’ private digital communications without disclosure or consent:
- CVS.com Case: Plaintiffs argue Quantum Metric’s code records real-time mouse moves, clicks, and form entries—alongside account names and IP addresses—without user notification or an opportunity to opt out.
- Bed Bath & Beyond: Class action alleges the retailer used Quantum Metric’s “spyware” to record intimate session replays, intercepting keystrokes, clicks, and searches for its own profit without consumers’ knowledge.
Other Recent Session Replay Litigation
- Lululemon: Sued for abetting Quantum Metric in wiretapping user sessions; claims allowed to proceed over inadequate disclosure.
- Pennsylvania Retailer Case: Federal judge found that session replay data is “private” and covered by state wiretapping laws, opening the door to consumer class actions against any site using session recording.
- Javier v. Assurance IQ: Landmark district court ruling that third-party session replay tools constitute wiretapping under CIPA, setting precedent for future claims in other states.
Top Session Replay Technologies and Their Cookies
The landscape of session replay technologies includes free, paid, open-source, and enterprise options. Below is an authoritative list based on current user adoption, together with the cookies you would find on a site running each tool. You can run a free scan with our Cookie Scanner tool to check whether your website has any of these red-flagged tracking technologies:
| Tool | Type | Notable Cookie(s) | Consent Requirement | Key Features |
|---|---|---|---|---|
| Microsoft Clarity | Free SaaS | _clck, _clsk, ANONCHK | Explicit (EU/UK/CH) | Heatmaps, session replay, AI summaries |
| Hotjar | Paid SaaS | hjSessionUser{site}, hjSession{site} | Explicit (GDPR, CCPA) | Heatmaps, funnels, session recording |
| Quantum Metric | Enterprise SaaS | _qmTracker, _qmid | Explicit (CA, PA) | Session replay, analytics, masking |
| FullStory | Enterprise SaaS | fs_uid, fs_session | Explicit (GDPR) | High-fidelity replay, advanced analytics |
| Smartlook | Paid SaaS/Startup | SL_C_* | Explicit (GDPR) | Click/scroll/cursor tracking |
| LogRocket | Developer SaaS | lr_session, lr_analytics | Explicit | Event tracking, bug reporting, replay |
| Mouseflow | Paid SaaS | mf_user, mf_session | Explicit | Form analytics, heatmaps, session replay |
| Lucky Orange | Paid SaaS | _lo_session, _lo_v | Explicit | Live chat, session replay, engagement |
| Contentsquare | Enterprise SaaS | cs_session, cs_id | Explicit | AI UX, session replay, analytics |
| Mixpanel | Analytics SaaS | mp_* | Explicit | Funnels, journey analytics, replays |
| Heap | Analytics SaaS | _hp2_id., _hp2_ses_props. | Explicit | Auto capture, session tracking |
| PostHog | Self-hosted/Open source | ph_host, ph_session | Explicit | Session replay, analytics, self-hosting |
| Dynatrace | Enterprise SaaS | dtCookie, dtLatC | Explicit | Performance monitoring + replay |
(Cookie names and consent requirements may change; always check vendor documentation or run our cookie scanner for updates.)
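As an added example (not the Captain Compliance scanner), the following JavaScript turns the table above into a check you can run against a site's cookie names, treating a trailing `*`, `{site}` or `.` in a table entry as "any suffix"; the sample cookie string in the test is constructed.

```javascript
// Added example (not the Captain Compliance scanner): flag session replay vendors
// from the cookie names a site sets, using the cookie names from the table above.
// A trailing "*", "{site}" or "." in a table entry means "any suffix".
const REPLAY_COOKIES = [
  ['Microsoft Clarity', ['_clck', '_clsk', 'ANONCHK']],
  ['Hotjar', ['hjSessionUser{site}', 'hjSession{site}']],
  ['Quantum Metric', ['_qmTracker', '_qmid']],
  ['FullStory', ['fs_uid', 'fs_session']],
  ['Smartlook', ['SL_C_*']],
  ['LogRocket', ['lr_session', 'lr_analytics']],
  ['Mouseflow', ['mf_user', 'mf_session']],
  ['Lucky Orange', ['_lo_session', '_lo_v']],
  ['Contentsquare', ['cs_session', 'cs_id']],
  ['Mixpanel', ['mp_*']],
  ['Heap', ['_hp2_id.', '_hp2_ses_props.']],
  ['PostHog', ['ph_host', 'ph_session']],
  ['Dynatrace', ['dtCookie', 'dtLatC']],
];

// Vendors vary the leading underscore, so compare names without it.
const norm = (s) => s.replace(/^_/, '');

// Build a predicate for one table entry: exact match, or prefix match for wildcards.
function cookieMatcher(pattern) {
  const m = /^(.*?)(\*|\{site\})$/.exec(pattern);
  if (m) return (name) => norm(name).startsWith(norm(m[1]));
  if (pattern.endsWith('.')) return (name) => norm(name).startsWith(norm(pattern));
  return (name) => norm(name) === norm(pattern);
}

// Parse a Cookie header or document.cookie string into cookie names.
function cookieNames(cookieHeader) {
  return cookieHeader.split(';')
    .map((c) => c.trim().split('=')[0])
    .filter((n) => n.length > 0);
}

// Return one entry per vendor whose cookies are present, in table order.
function flagReplayVendors(cookieHeader) {
  const names = cookieNames(cookieHeader);
  const hits = [];
  for (const [vendor, patterns] of REPLAY_COOKIES) {
    const matchers = patterns.map(cookieMatcher);
    const cookies = names.filter((n) => matchers.some((ok) => ok(n)));
    if (cookies.length) hits.push({ vendor, cookies });
  }
  return hits;
}
```

Feed it `document.cookie` in the browser console or a captured `Cookie` header; any hit should appear in the risk assessment checklist item "Is site recording software present?".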
Compliance Risks Associated with Session Replay
Session replay technologies pose special compliance challenges:
- Failure to disclose third-party recording can trigger state and federal wiretapping claims—potentially with statutory damages per session.
- Tools often use cookies and fingerprinting to stitch together user sessions even across multiple visits, enhancing privacy risks.
- In some cases, session replays are used to aggregate PII and behavioral data, risking data leakage if vendors lack airtight contracts and technical protections.
How to Mitigate Session Replay Litigation Risks
- Flag the presence of all session recording tools in risk and vendor assessments.
- List all scripts and cookies deployed on your site; disclose third-party access in privacy policies.
- Activate session replay only after obtaining explicit user consent in affected jurisdictions (EU, UK, California, Pennsylvania).
- Mask, encrypt, or avoid recording sensitive inputs (names, emails, credit card numbers).
- Regularly review privacy and vendor contracts to ensure user data is not sold, shared, or reused for non-operational purposes.
Session Replay Litigation Warning
Session replay is not simply digital analytics: it is a privacy and compliance litigation risk, and not having the proper disclosures and opt-out mechanisms can now cost you millions of dollars in fines. Often the marketing agency or conversion rate optimization shop set it up without your knowledge. Risk assessments must flag every session recording tool and cookie and enforce full user transparency. With mounting lawsuits and multimillion-dollar statutory fines, companies must treat session replay compliance with the same gravity as chatbot or biometric privacy. Disclose, document, and audit to protect your business, and book a demo with Captain Compliance below to audit your business and get your site compliant with our software solutions.