Replay tools record what visitors click, scroll, and type, and stream it to a third party in real time. That's the exact fact pattern at the center of the website-wiretapping lawsuit wave — here's how to run replay without it.
Fresh incognito window, DevTools → Network, banner untouched. A replay tool announces itself twice: first the recorder script loads — www.clarity.ms/tag/…, static.hotjar.com, edge.fullstory.com/s/fs.js, cdn.mouseflow.com — then a steady stream of batched POSTs follows for the entire visit, carrying DOM snapshots and interaction events to collectors like *.clarity.ms/collect or rs.fullstory.com/rec/bundle. If those begin before the banner is answered, the session was being recorded before consent.
In our 2026 scan of 1,478 small-business sites, replay tools were among the most common pre-consent trackers: Microsoft Clarity on 209 sites and Hotjar on 119.
Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
Replay increasingly arrives as a feature of something else — Microsoft Clarity is free and one toggle away, PostHog bundles it with product analytics, and error monitors like Sentry, Datadog, and LogRocket all offer session replay. Teams enable the parent tool and get an ungated recorder as a side effect.
A marketer or agency adds a recorder to diagnose funnel drop-off. The default install records everyone from page load — nobody connects it to the consent platform because it was never routed through the tag process.
Most replay tools can mask or suppress input fields, but it's not always the default for every field type. Unmasked, the recording contains what visitors actually typed — the most sensitive version of the problem.
On single-page apps, the recorder was gated at first page load, but a client-side route change or a second init path (e.g., an app bootstrap that runs unconditionally) starts recording anyway.
California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that recording the contents of a visitor's interaction — clicks, scrolls, keystrokes, form input — and transmitting them to a recording vendor in real time before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.
Replay is the core of the wave for a structural reason: plaintiffs argue the recording vendor is a third party listening in on the visitor's exchange with the site, which maps onto § 631's aiding-and-abetting prong. A widely cited Third Circuit decision under Pennsylvania's WESCA held that interception can occur at the point a third party receives the data — which is precisely how hosted replay works.
To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.
maskAllInputs) so form contents are never captured even post-consent.Verify the fix in 30 seconds — free re-scan, no signup.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
Because replay captures the contents of a visitor's interaction — clicks, keystrokes, form input — and streams it to a third-party vendor in real time. Plaintiffs argue the vendor is a third party intercepting the visitor's communication with the site, which maps onto CIPA § 631, and courts applying Pennsylvania's similar statute have held interception can occur where the third party receives the data.
Replay tools are legal products, and the risk pattern is about timing and consent, not the tool's existence. The conservative posture: initialize the recorder only after the visitor consents, mask all inputs so typed content is never captured, and verify the gating with a real-browser scan. Whether any specific setup complies with any statute is a legal question for a qualified attorney — this is general information, not legal advice.
Microsoft Clarity (free, widely installed), PostHog, and the error-monitoring/RUM tools Sentry, Datadog, LogRocket, and New Relic all offer session replay. Teams often enable the parent product without realizing a recorder came with it — an inventory scan shows what's actually running.