First hand visitor insights in real time. Learn more!

Table of Contents

The title: Choosing the Right Session Replay Tool: 5 Tips to Mitigate Privacy Concerns. And a picture of a padlock.

Choosing the Right Session Recording Tool: 5 Tips to Mitigate Privacy Concerns


According to a report by the Irish Council, Google transmits our data 70 billion times a day. 

Mark Zuckerberg has been entering the court many times since 2016 when Facebook targeted many Facebook users with political messages. It formed because of a great data breach.  

Meta has been litigated many times as they use their algorithm to target young people and promote addictive games to them. 

These are all with us. The protection of private data is one of the key parts of today’s generation of the internet. 

And do not think that just the largest companies try to take advantage of the gullibility of humans. The misuse of our personal data appears in almost all the fields of the internet. 

Even in companies that provide session replay analytic tools. In this article, I will try to present you how to filter these sites, avoiding software where everything can go out of control. 

But first, let’s start with the beginning:

A man caring about privacy. A screen with a padlock on it.


What is the function of session recordings?

As a website owner, you usually face many different problems connected to your customers. It is very hard to figure out why they spend less time on your site than you expected and why they can’t go through one exact step of their shopping procedure. 

It depends on many things. Maybe, it’s their fault – but most of the time, if a user doesn’t find or understand something, you can only blame yourself. 

Session replay is the ability to replay your visitor’s journey on a website. Here, you can track how they behave, and what their main direction is. You can also track mouse movements, clicks, scrolling, and keyboard inputs. Most of the time, it draws an overall picture of your customer’s route to your website, and it helps you find and fix your mistakes. 

To get crucial and useful data from a session replay tool you need information about your customers. There are two types of information that we distinguish mostly. Personally identifiable, and personally non-identifiable. 

Now let’s understand what are the differences between them, and where the issues occur!

Personally identifiable information and the regulations

A woman is holding a padlock to hide sensitive information and to secure privacy.


Personally Identifiable Information (PII) is a term that is overall all of that information that contains patterns and with the help of that – directly, or indirectly – a human being can be recognized. 

What can be a PII? 

  1. Names
  2. Addresses
  3. Social security numbers
  4. Telephone numbers
  5. Email addresses

It is one of the most important steps of a website that handles secure data to somehow hide these from foreigners, secure and defend them from misusing acts. 

On the other side of this problem, there is the GDPR. It is an abbreviation of the General Data Protection Regulation. This consists of the regulation of the EU and it is valid to all companies that are legally registered inside the EU or just doing activities or doing business there. They all have to obey these rules. 

It contains strict restrictions, for example, it doesn’t allow unlimited data recording and doesn’t enable collecting data without permissions and warnings. 

However, there are certain points where it gives a free hand to the companies. This is why businesses in connection with data stores or data analysis are consistently working towards complying with these regulations. 

For this reason, it is always a very sensitive area, when a site requires personal data from its customers to improve the user experience and give quality service. 

From the perspective of a single user, it is very hard to trust an unknown company from the very first minute and permit them to use personal data anytime they want. 

Selecting the right tool can be a challenging task. That’s why in this article, I aim to provide some crucial tips that, as a website owner, you need to consider and verify before investing in data analytics software to monitor your customer activity.

What can be identified as personal data, and what can’t be identified as personal data?

According to the European Commission, personal data is any information that relates to an identified or identifiable living individual.

Personal data remains personal data even after protecting them with anonymization techniques if it can be used to re-identify the person later. 

However, personal data, which is rendered anonymous, and the person is no longer identifiable, it is no longer considered personal data. 

Here, we arrived at the point where it is needed to define what can be personal data. 

According to the official site of the European Commission, personal data can be:

  1. a name and surname
  2. a home address
  3. an identification card number
  4. an Internet Protocol (IP) address
  5. a cookie ID

If these data are recorded, but not stored anonymously, it is considered a criminal offense by the EU privacy regulations. 

However, there is one specific area where exceptions may occur. Email addresses are also considered personal data, but only in those cases, where the email address contains the name of the owner of the address. 

Because filtering this is almost impossible, companies tend to give access to this function to their clients. 

Anonymization of personal and recognizable data

There are many techniques on how a company can convert personal data to anonym. We can call this the first step the site owner must implement to ensure the security of personal data. 

Luckily, there are many forms of data anonymization, just as:

  1. Data masking
  2. Pseudonymization
  3. Generalization
  4. Data swapping
  5. Synthetic data

These solutions all point to the issue from a different perspective, but there is one similar thing in all of them: if the website owner correctly implements one of these solutions, it will create a secure environment.

Stealing sensitive data with a hook.


Let’s see how Capturly, a behavior analytics website handles this situation!

Capturly uses a data masking technique to hide personal information.

How does data masking work?

It is basically one of the most powerful defending tools and makes cracking almost impossible. This technique can change each character of the input text to a random character or symbol.

For example, if the personal data is “7657” – like the last 4 digits of a credit card number – this system can store it as “+>gz”. There are infinite variations and combinations of how you can order these characters and symbols, so if someone wants to decode this, I have bad news for that person…

At Capturly, you have the option to choose from two different types of masking procedures. One is more restrictive, the other is a little permissive – but inside the border of the laws. 

The restrictive one is called default masking. This is the basic setting. You can grab this without subscribing to one of our packages, as it’s in our free plan.  However, if you need a bit more information about your customers, you can turn this off and turn on advanced masking. 

On advanced masking, you can customize what you want to record one by one with some limitations. Of course, you can’t track information about credit cards, and passwords, but besides those, everything is possible. Check this option in Capturly’s Growth plan.

However, this function can only be used by those who send a letter of acceptance to the email address of Capturly. Here, a user has to declare their own responsibilities and accept the terms of conditions. From that moment, the user is responsible for handling these data in the right manner, the same way,  as the regulations of the given country are required to do that. 

You don’t need to record every single piece of data!

The second piece of advice for you is that if you want to implement a data analyzing service, you don’t need to track everything. As most of the time, it is not necessary, and it is suspicious. 

There’s no need for you to obtain credit card numbers or passwords to enhance your potential customers’ experience. Don’t be swayed by anyone suggesting otherwise. In fact, such activities are regulated within the European Union!

According to the GDPR regulations, the age of consent is 16 years. If someone is younger than this age limit, the person can’t give access to the data. However, the EU members have their own choice to decrease this limit to 13 years.

Many countries use this freedom and set the age limit to 13 years. For this reason, and because of the COPPA (Children’s Online Privacy Protection Acts) websites, web pages mustn’t collect data from children who are under 13. 

A woman is analyzing diagrams.


You may ask how Capturly handles this whole issue. 

  • We use a secure third-party credit card processing company to manage the billing services. This company does not store, share, or use these personal data besides what the signed agreement contains between the two parties. 
  • We also delete every piece of information if we find out that it belongs to underaged (>13) people. Capturly does everything to explore other solutions to prevent collecting data from underaged people.

Look for transparency

A secure site that belongs to this market always communicates about its safety restrictions, privacy policy, terms of service, or commitments.  

They have to persuade their subscribers that their site is safe and protected. So they use every single moment to grab their attention to the given topic. 

If you – as a website owner – don’t find those documents at the very first minute, you have to search for them immediately. 

People are discussing a piece of paper.


In this document, the company needs to explain what data they record. How they use it, and who will have access to it. If you don’t find these documents at all, or it seems shady, choose another one. 

Seek out websites where the terms of service are written in plain English, aiming to minimize the use of complicated legal jargon. If the text is easy to read and comprehensively addresses most aspects, you can confidently infer that you’re in a reliable place.

A transparent site usually also uses pop-ups to warn the visitors and explain the whole process.  

  • Capturly has terms of use and a privacy policy to ensure a safe data collection process. 
  • The provided documents are easy-to-read ones, and we also define each hardly identified word and phrase in connection with our legal aspects.  

Opt-out mechanism

Opt-out means you have the opportunity to decline something. In this case, your users are not obligated to share sensitive data from themselves, if they don’t want to. 

You must offer this opportunity to your customers. It is not optional; it is mandated by European law.

In reality, it usually means a checkbox, which the user can reach from the main page or at least from the settings. With one click, your customers can disable collecting their data, even if those are not personal ones. 

A better approach is to allow customers to personalize which data they want to share with you and which they don’t. It is a great option when there is one specific area that seems sensitive to many of them, but excluding that, they can accept everything. 

Luckily, if your data-collecting program is secure and complies with the first three rules, the majority of your clients will be willing to share their data with you

  • Capturly has an opt-out mechanism, so if your clients don’t want to share their data with you, they have the right to do it.
The description of disabling Capturly on your computer.
  • All the visitors who open Capturly have access to that opt-out mechanism. They only need to scroll down to the bottom of the landing site, find the “explore” row, and click the opt-out button. Here, they will see the same page as I inserted here. Their only task here is to click on the disable Capturly button, and our tool can’t record anything. 

Continuous messages about updated policies

These analytical tools can give you great power but are very volatile too. What does it mean? It means the actual power and the possible usage will depend on the law creators. 

If they believe that the GDPR regulation is very permissive, they will make them stricter. It is not impossible. It is not impossible also, that these regulations will become more punctual, more extensive. 

And what was a legal act one day may become a criminal act the next day. You have to prepare for these changes

A woman is pointing on a privacy button.


One of the best ways to get instructions and news about the new changes is by subscribing to that analyzer tool where their policy always stays up-to-date and sharing the new information with the subscribed company as fast as their capacity allows. 

  • At Capturly, this is the way it works. We alert subscribers to the latest news via email. It relates to the changes in our policy or the law itself.  


Implementing a session replay analytics tool comes with many responsibilities. 

  • What if they won’t store the data in a secure place?
  • What if they record all the sensitive data?
  • And if it’s not transparent?

You can be worried about these things all day long. Or you can choose a software that is 100% secure, and many small, medium, and large enterprises are satisfied with the services. 

This is Capturly, where we prioritize avoiding privacy issues and strive to do everything in our power to ensure data security.

We take the regulations seriously, and we are committed to creating a safe, but useful data analytical tool. 

*The article was written on 2023.06.01., so the information relates to this date. These GDPR regulations can change at any time, so always check the latest regulations.

Don't forget, sharing is caring! :)

Leave a Reply