By David Estrada
Regulatory Compliance Specialist
Dealers, beware! As the spooky season is upon us, a new monster has emerged in the data privacy realm: session replay tools, also known as “session recordings.” Some websites have the ability to record and recreate a consumer’s entire visit to the website, from logging keystrokes and tracking the cursor’s movements to recording clicks and other interactions. This practice has been characterized as “looking over the shoulder of each visitor to the [business’s] website for the entire duration of their website interaction” in one highly publicized lawsuit.
Benefits to the Organization
Proponents of these tools state that this practice provides the business with highly valuable information to help better understand how the website is navigated, improve the user’s experience, and learn which features are working well. As you can imagine, dealers could use this information to better advertise certain vehicle specials, understand which areas of their sites produce the most customer engagement, and improve the overall user experience.
Consumer Consent is at the Heart of the Issue
On the other hand, the opponents (i.e. the plaintiffs in class action lawsuits related to session replay tools) allege that this practice is being done without the consumer’s consent and in situations where the consumer outright declines to have their personal information collected or shared with outside parties. To make matters worse, this data might ultimately be shared with third-party vendors. If true, these practices potentially violate various state laws, such as the California Invasion of Privacy Act and the Missouri Wiretap Act, as well as other federal laws. At least these are some of the creative arguments plaintiff attorneys have proposed! Though some of the lawsuits in this area have been thrown out due to factual issues, others proceed when they involve users inputting sensitive information in specific chat bot tools where the information is recorded, stored, and shared.
Disclosure is Key
Now that we have thoroughly discussed some of the benefits and pitfalls of session replay tools, we want to be clear: there is nothing inherently wrong with dealers using session replay tools so long as that fact is disclosed to consumers via the dealer’s privacy policy. Disclosing the use of session replay tools in a privacy policy not only can protect dealers against potential litigation, but also serves to promote transparency with website visitors. ComplyAuto is currently working on updating our dealers’ privacy policies to reflect this recent trend, and the solution will likely be implemented by the time this article is published! In the interim, we highly recommend that dealers work with their website providers to determine whether session replay tools are being used on their websites so that they are prepared to update their privacy policies when the time comes.
2 Comments
Thank you, David, for the information; this is extremely helpful. Does ComplyAuto offer a list of who may be using this technique of tracking? A list would be very helpful for dealerships to know who they should be watching when allowing marketing groups access to their website and data.
While by no means a comprehensive list, search your website’s HTML for the following scripts, which are the most popular session replay tools:
fullstory.com/s/fs.js
d2oh4tlt9mrke9.cloudfront.net/Record/js/sessioncam.recorder.js
ws.sessioncam.com/Record/record.asmx
userreplay.net
script.hotjar.com
insights.hotjar.com/api
clicktale.net
smartlook.com
decibelinsight.net
quantummetric.com
inspectlet.com
mouseflow.com
logrocket.com
salemove.com
d10lpsik1i8c69.cloudfront.net
luckyorange.com
vwo.com
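The search suggested in the reply above, written out as an added example (not code from ComplyAuto or the commenter): it parses a saved copy of a page, matches the host and path of each script, link and frame URL against the listed indicators, and separately flags inline scripts that mention one. The function names, the sample page and its `.test` hostname are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators copied from the list in the comment above (host, or host plus path).
INDICATORS = """
fullstory.com/s/fs.js d2oh4tlt9mrke9.cloudfront.net/Record/js/sessioncam.recorder.js
ws.sessioncam.com/Record/record.asmx userreplay.net script.hotjar.com insights.hotjar.com/api
clicktale.net smartlook.com decibelinsight.net quantummetric.com inspectlet.com mouseflow.com
logrocket.com salemove.com d10lpsik1i8c69.cloudfront.net luckyorange.com vwo.com
""".split()

class Collector(HTMLParser):
    """Gathers URL attributes from every tag plus the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self.in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("src", "href", "data-src") and v]
        self.in_script = tag == "script"
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.inline.append(data)

def url_matches(url, indicator):
    """True if the URL's host is the indicator host or a subdomain, and the path fits."""
    host, _, path = indicator.lower().partition("/")
    try:
        parsed = urlparse(url.strip())
    except ValueError:  # malformed URL in the page
        return False
    found = parsed.hostname or ""  # empty for relative URLs, which never match
    host_ok = found == host or found.endswith("." + host)
    return host_ok and (not path or parsed.path.lower().startswith("/" + path))

def find_session_replay(html):
    """Return sorted (indicator, where) pairs; where is 'tag' or 'inline'."""
    c = Collector()
    c.feed(html)
    inline = " ".join(c.inline).lower()
    hits = {(i, "tag") for i in INDICATORS if any(url_matches(u, i) for u in c.urls)}
    hits |= {(i, "inline") for i in INDICATORS if i.lower() in inline}
    return sorted(hits)

# Constructed sample page (not from the article); dealer.test is a placeholder host.
SAMPLE = """<script src="//script.hotjar.com/modules.js"></script>
<script>var recorder = "https://www.fullstory.com/s/fs.js";</script>
<a href="https://blog.dealer.test/what-is-logrocket.com">post</a>"""
print(find_session_replay(SAMPLE))
```

Scripts injected at runtime by a tag manager never appear in the saved HTML, so a clean result here still needs a check of the browser's network requests on the live site.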