Free scan
Session replay · troubleshooting

Session replay and CIPA risk

Replay tools record what visitors click, scroll, and type, and stream it to a third party in real time. That's the exact fact pattern at the center of the website-wiretapping lawsuit wave — here's how to run replay without it.

What it looks like

Fresh incognito window, DevTools → Network, banner untouched. A replay tool announces itself twice: first the recorder script loads — www.clarity.ms/tag/…, static.hotjar.com, edge.fullstory.com/s/fs.js, cdn.mouseflow.com — then a steady stream of batched POSTs follows for the entire visit, carrying DOM snapshots and interaction events to collectors like *.clarity.ms/collect or rs.fullstory.com/rec/bundle. If those begin before the banner is answered, the session was being recorded before consent.

In our 2026 scan of 1,478 small-business sites, replay tools were among the most common pre-consent trackers: Microsoft Clarity on 209 sites and Hotjar on 119.

DevTools → Network — fresh incognito, banner untouched:
GET www.clarity.ms/tag/abcdefg ← recorder loads with the page
POST l.clarity.ms/collect ← batched DOM + interaction events, repeating
POST rs.fullstory.com/rec/bundle ← the stream continues for the whole visit

Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Why it happens

1. Replay ships enabled inside a bigger tool

Replay increasingly arrives as a feature of something else — Microsoft Clarity is free and one toggle away, PostHog bundles it with product analytics, and error monitors like Sentry, Datadog, and LogRocket all offer session replay. Teams enable the parent tool and get an ungated recorder as a side effect.

2. Added for CRO without consent gating

A marketer or agency adds a recorder to diagnose funnel drop-off. The default install records everyone from page load — nobody connects it to the consent platform because it was never routed through the tag process.

3. Masking is off, so form input is captured

Most replay tools can mask or suppress input fields, but it's not always the default for every field type. Unmasked, the recording contains what visitors actually typed — the most sensitive version of the problem.

4. SPA re-initialization bypasses the gate

On single-page apps, the recorder was gated at first page load, but a client-side route change or a second init path (e.g., an app bootstrap that runs unconditionally) starts recording anyway.

The risk context

California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that recording the contents of a visitor's interaction — clicks, scrolls, keystrokes, form input — and transmitting them to a recording vendor in real time before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.

Replay is the core of the wave for a structural reason: plaintiffs argue the recording vendor is a third party listening in on the visitor's exchange with the site, which maps onto § 631's aiding-and-abetting prong. A widely cited Third Circuit decision under Pennsylvania's WESCA held that interception can occur at the point a third party receives the data — which is precisely how hosted replay works.

To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.

How to fix it

  1. Inventory every recorder — including replay features hiding inside tools you think of as something else (Sentry, Datadog RUM, LogRocket, PostHog). A real-browser scan is the fastest way to get the true list.
  2. Decide whether you need replay at all. If heatmaps or aggregate analytics answer your questions, turning the recorder off is the one fix that can't regress.
  3. If you keep it, initialize the recorder only from your CMP's consent callback — never at page load or app bootstrap — and require consent on the GTM tag if it loads that way.
  4. Turn on full input masking/suppression (Hotjar Suppression, Clarity Masking, FullStory Private by Default, PostHog maskAllInputs) so form contents are never captured even post-consent.
  5. On SPAs, audit every init path — route changes, hydration, error-monitor bootstraps — so a second code path can't start recording unconsented.
  6. Re-scan to confirm no recorder endpoints receive data before consent.

Verify the fix in 30 seconds — free re-scan, no signup.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Common questions

Why is session replay the focus of CIPA lawsuits?

Because replay captures the contents of a visitor's interaction — clicks, keystrokes, form input — and streams it to a third-party vendor in real time. Plaintiffs argue the vendor is a third party intercepting the visitor's communication with the site, which maps onto CIPA § 631, and courts applying Pennsylvania's similar statute have held interception can occur where the third party receives the data.

Can I use session replay legally?

Replay tools are legal products, and the risk pattern is about timing and consent, not the tool's existence. The conservative posture: initialize the recorder only after the visitor consents, mask all inputs so typed content is never captured, and verify the gating with a real-browser scan. Whether any specific setup complies with any statute is a legal question for a qualified attorney — this is general information, not legal advice.

Which tools include session replay I might not know about?

Microsoft Clarity (free, widely installed), PostHog, and the error-monitoring/RUM tools Sentry, Datadog, LogRocket, and New Relic all offer session replay. Teams often enable the parent product without realizing a recorder came with it — an inventory scan shows what's actually running.

Related

Microsoft Clarity compliance guideFullStory compliance guideHotjar compliance guidePostHog compliance guideLogRocket compliance guideHotjar records before consent
Monitor my site ($99/mo) Estimate my exposure