Session Replay and Heatmap Privacy Risk
Quick answer
Session replay and heatmap tools help businesses understand user behavior, but because they observe visitor interactions on a website in fine detail, they may deserve closer privacy review.
What session replay does
Session replay tools record visitor sessions, capturing clicks, mouse movements, scroll behavior, and sometimes form interactions, so teams can play back what a visitor did.
What heatmaps do
Heatmaps aggregate visitor interactions to show where people click, scroll, and hover most on a page.
Why these tools can be sensitive
Because they observe detailed interactions, they can capture data that visitors may not realize is being recorded, including potentially sensitive form contents if the vendor's script is not configured to mask them.
Common examples
- Hotjar
- FullStory
- Microsoft Clarity
- Mouseflow
- Smartlook
- Lucky Orange
- Crazy Egg
What to ask your developer or vendor
- What input masking is enabled?
- Are sensitive fields excluded from recording?
- Does recording start before or after visitor consent?
- Where is recorded data stored, and for how long?
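One way to turn the masking questions above into a check against a page's HTML, as an added example written for this page rather than CIPA Risk Scanner's own code: it fingerprints session replay loaders and reports, per vendor, which sensitive inputs carry no markup-level mask for that vendor. The vendor hostnames, inline markers and mask attributes are assumptions to confirm against each vendor's documentation, and the sample HTML is constructed.

```python
from collections import defaultdict
from html.parser import HTMLParser

# Per vendor: (script host, inline marker, markup-level mask test or None). Hosts
# and markers are assumptions for illustration; confirm against the vendor's docs.
VENDORS = {
    "Hotjar": ("static.hotjar.com", "_hjSettings", lambda a: "data-hj-suppress" in a),
    "Microsoft Clarity": ("clarity.ms", "clarity.ms", lambda a: a["data-clarity-mask"] == "true"),
    "Mouseflow": ("cdn.mouseflow.com", "_mfq", None),  # no markup-level mask assumed
}
SENSITIVE = ("password", "ssn", "card", "cvv", "cvc", "iban")
VOID = {"input", "img", "br", "meta", "link", "hr"}  # tags that never close

def is_sensitive(a):  # password fields, payment-card autocomplete, or a telling name/id
    return (a["type"] == "password" or a["autocomplete"].startswith("cc-")
            or any(k in (a["name"] or a["id"]).lower() for k in SENSITIVE))

class ReplayAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.vendors, self.fields, self._stack, self._in_script = set(), [], [], False
    def handle_starttag(self, tag, attrs):
        a = defaultdict(str, ((k, v or "") for k, v in attrs))  # missing attrs read as ""
        if tag == "script":
            self._in_script = True
            self.vendors |= {v for v, (h, _, _) in VENDORS.items() if h in a["src"]}
        # A mask marker on the field or any ancestor covers it, for that vendor only.
        masked = set(self._stack[-1][1]) if self._stack else set()
        masked |= {v for v, (_, _, t) in VENDORS.items() if t and t(a)}
        if tag == "input" and is_sensitive(a):
            self.fields.append((a["name"] or a["id"] or "<unnamed>", masked))
        if tag not in VOID:
            self._stack.append((tag, masked))
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
        if any(t == tag for t, _ in self._stack):
            while self._stack.pop()[0] != tag: pass
    def handle_data(self, data):  # inline loader snippets expose the vendor's globals
        if self._in_script:
            self.vendors |= {v for v, (_, m, _) in VENDORS.items() if m in data}

def audit(html):
    """Return (vendors found, {vendor: sensitive fields not masked for that vendor})."""
    p = ReplayAudit()
    p.feed(html)
    return sorted(p.vendors), {v: [f for f, m in p.fields if v not in m] for v in sorted(p.vendors)}
SAMPLE_HTML = """<script>window._hjSettings={hjid:0};</script><script src="https://cdn.mouseflow.com/projects/example.js"></script>
<form><input name="email" type="email"><input name="password" type="password">
<div data-hj-suppress><input name="card_number" autocomplete="cc-number"></div>
<input name="cvv" data-clarity-mask="true"></form>"""  # constructed sample page
```

Masking markup is vendor-specific, so a field suppressed for one vendor is still recorded by another, and a vendor with no markup-level mask in the table is flagged for every sensitive field so that its dashboard settings get reviewed.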
Frequently asked questions
Is this legal advice?
No. CIPA Risk Scanner provides educational and technical risk-modeling information. It does not provide legal advice or determine legal compliance. For legal guidance, consult a qualified attorney.
Can a cookie banner still allow tracking tools to load?
A cookie banner does not automatically mean every script is blocked before the visitor makes a choice. Whether a script waits for that choice depends on how it is configured, so a technical review may be needed to confirm.
What does CIPA Risk Scanner detect?
CIPA Risk Scanner looks for visible indicators of common website tracking tools, including pixels, analytics scripts, tag managers, chat widgets, heatmaps, session replay tools, and consent banner indicators.
Does CIPA Risk Scanner verify input masking?
No. CIPA Risk Scanner detects the presence of session replay or heatmap scripts. Input masking configuration must be reviewed inside the vendor's dashboard.
Trust note
CIPA Risk Scanner provides technical website tracking visibility. Our scanner is designed to help businesses understand visible tracking indicators, not to provide legal conclusions. For legal guidance, consult a qualified attorney.