How Session-Replay Tools Work (And Why They Capture More Than You Think)
A technical deep-dive on session-replay services — Hotjar, FullStory, LogRocket, Mouseflow, Microsoft Clarity — how they record every user action and the privacy implications.
Quick answer
Session-replay tools reconstruct a video-like playback of everything a user did on a page: every mouse movement, click, scroll and keystroke, and, unless the site masks the fields, everything typed into forms, including passwords, card numbers and other personal data. In 2026 they are standard on most large consumer sites. GDPR-compliant deployments are possible but require explicit consent and careful configuration. Default installs, which record before any consent is given, are frequently unlawful in the EU.
How the recording works
The replay script registers listeners for three classes of event: user input (mouse, keyboard, scroll), DOM mutations (observed with a MutationObserver) and, in some tools, network activity (requests and responses). It does not record video. It serializes a snapshot of the initial DOM once, then appends a timestamped "log" of every subsequent event. At playback time the tool rebuilds the DOM from the snapshot in the viewer's browser and replays the log against it, producing a faithful reconstruction rather than a screen capture: content the serializer cannot reach, such as cross-origin iframes or canvas pixels, is missing or approximated. Note that the snapshot carries whatever the page was already displaying, so account details rendered by the server are captured even if the user never types a character.
Advantages over video: tiny bandwidth (kilobytes per session vs megabytes), searchable (by URL, element clicked, text typed), and viewable in-browser.
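A toy of the snapshot-plus-log model, added here as an example; it is not code from any of the vendors named on this page. A plain object tree stands in for the DOM and the event shapes are illustrative, while the names snapshot, Recorder, replay and demoSession are this example's own. Real recorders serialize live DOM nodes and subscribe to a MutationObserver, but the reconstruction idea is the same.

```javascript
// Added example, not any vendor's code: the snapshot-plus-event-log model that
// session-replay tools use, over a plain object tree standing in for the DOM.

let nextId = 1;

// Take the one-time full snapshot: give every node a stable id (the recorder keeps an
// id -> node map so later events can name their target) and copy the tree.
function snapshot(node) {
  node.id = node.id || nextId++;
  const out = { id: node.id, tag: node.tag, attrs: { ...(node.attrs || {}) } };
  if (node.text !== undefined) out.text = node.text;
  if (node.children) out.children = node.children.map(snapshot);
  return out;
}

// Recorder: the snapshot followed by an append-only, timestamped log of small events.
class Recorder {
  constructor(root) { this.log = [{ t: 0, type: 'snapshot', tree: snapshot(root) }]; }
  mutation(t, ev)  { this.log.push({ t, type: 'mutation', ...ev }); } // ev.id names the target (or parent)
  pointer(t, x, y) { this.log.push({ t, type: 'mouse', x, y }); }
  scroll(t, y)     { this.log.push({ t, type: 'scroll', y }); }
}

// Replayer: rebuild the tree from the snapshot, then apply each mutation in order. A
// viewer would render the tree at each timestamp; this returns only the final state.
function replay(log) {
  const byId = new Map();
  let root = null;
  const index = (n) => { byId.set(n.id, n); (n.children || []).forEach(index); };
  for (const ev of log) {
    if (ev.type === 'snapshot') {
      root = JSON.parse(JSON.stringify(ev.tree)); // fresh copy; replay must not touch the log
      index(root);
    } else if (ev.type === 'mutation') {
      const target = byId.get(ev.id);
      if (!target) continue;                      // target never snapshotted or already removed
      if (ev.op === 'attr') target.attrs[ev.name] = ev.value;
      else if (ev.op === 'text') target.text = ev.value;
      else if (ev.op === 'add') {
        const added = JSON.parse(JSON.stringify(ev.node));
        target.children = target.children || [];
        target.children.push(added);
        index(added);
      } else if (ev.op === 'remove') {
        target.children = (target.children || []).filter(c => c.id !== ev.childId);
        byId.delete(ev.childId);
      }
    }
    // mouse and scroll events move the cursor overlay and viewport; they do not change the tree
  }
  return root;
}

// Constructed session: a signed-in account page. The user types nothing, yet the replay
// still contains the e-mail address the server rendered and the shipping address the
// page inserted later, because both are in the DOM.
function demoSession() {
  const page = {
    tag: 'body',
    children: [
      { tag: 'header', children: [{ tag: 'span', attrs: { class: 'user' }, text: 'Signed in as alice@example.com' }] },
      { tag: 'div', attrs: { id: 'orders' }, children: [] },
    ],
  };
  const rec = new Recorder(page);
  const orders = page.children[1];
  rec.pointer(120, 300, 240);
  rec.mutation(450, { op: 'add', id: orders.id, node: { id: 'o1', tag: 'p', attrs: {}, text: 'Order A1 shipped to 12 High St' } });
  rec.scroll(800, 400);
  rec.mutation(900, { op: 'attr', id: orders.id, name: 'class', value: 'expanded' });
  const final = replay(rec.log);
  return { events: rec.log.length, bytes: JSON.stringify(rec.log).length, final };
}
```

Run demoSession() and look at the log: five small entries, a few hundred bytes in total, and the rebuilt tree still contains the e-mail address from the first snapshot and the shipping address the page inserted later. That is the "what gets captured" list in miniature: whatever is in the DOM is recorded whether or not the user interacts with it.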
What actually gets captured
- Mouse coordinates, sampled at sub-second intervals.
- Every click target.
- Every scroll position.
- Every keystroke in input fields (unless explicitly masked).
- The DOM, including dynamically-loaded content.
- Network responses (in some tools).
- Console errors.
The input-capture problem
By default, most session-replay tools capture the text typed into form fields. Password fields are normally excluded automatically (the tools key on type="password"), but that check is only as good as the markup: a login form that switches the field to type "text" behind a "show password" control, a card-number field that is an ordinary text input, or an address or phone field that nobody tagged, is recorded and viewable by whoever has access to the replay dashboard, and by the vendor that stores the recordings. Unless the site explicitly tags such fields with the provider's "don't record" attribute, the password, credit-card number, address, phone number or any other sensitive text the user types ends up in the session.
Major providers (Hotjar, FullStory, LogRocket, Mouseflow, Microsoft Clarity) all provide masking features, typically an attribute or class on the element plus a global mask-all-inputs setting, and each uses its own names, so a site that runs two tools has to configure both. Whether they are correctly configured on a specific site is a different question: public research in 2018 (and repeated since) found widespread misconfiguration leaking sensitive data. The only reliable check is to type a known sentinel string into each field of a test account and search the stored recordings for it; reading the configuration is not enough, because element-level masking applies only to the elements that carry the attribute, and a field added later or rendered by a third-party widget starts out unmasked unless the global setting is on.
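Added example, not any vendor's code, for the input-capture problem above: the decision an input-capture hook makes per field, and an audit of which fields a given configuration would record in clear. `data-replay="mask"` is a hypothetical opt-out attribute (each vendor has its own attribute or class name), the field objects are constructed stand-ins for DOM inputs, and the function names are this example's own.

```javascript
// Added example, not any vendor's code: per-field masking decision plus an audit of
// what a configuration records in clear. data-replay="mask" is a hypothetical attribute.

// autocomplete tokens that identify a field as sensitive regardless of its type
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'one-time-code', 'cc-number', 'cc-csc', 'cc-exp',
]);

// Heuristic the recorder applies per field. Note what it does NOT catch: a password
// field whose type was switched to "text" by a show-password control, or a card number
// typed into a plain text input with no autocomplete hint.
function isSensitive(field) {
  const attrs = field.attrs || {};
  if (field.type === 'password') return true;
  if (SENSITIVE_AUTOCOMPLETE.has(attrs.autocomplete)) return true;
  if (attrs['data-replay'] === 'mask') return true;
  return false;
}

// Build the input event that goes into the session log. With maskAllInputs off (the
// weak setting), anything not caught by isSensitive is logged verbatim. Masking keeps
// the length, as most tools do, so even a masked value reveals how long it was.
function captureInput(field, value, config = { maskAllInputs: false }) {
  const masked = config.maskAllInputs || isSensitive(field);
  return { type: 'input', name: field.name, masked, value: masked ? '*'.repeat(value.length) : value };
}

// Audit: which fields of a form would this configuration record in clear?
function unmaskedFields(fields, config) {
  return fields.filter(f => !captureInput(f, 'x', config).masked).map(f => f.name);
}

// Constructed checkout form modelled as plain objects (a real audit would walk
// document.querySelectorAll('input, textarea, select') in the page).
const CHECKOUT_FORM = [
  { name: 'email',    type: 'email', attrs: { autocomplete: 'username' } },
  { name: 'password', type: 'text',  attrs: {} },                        // type toggled to text by "show password"
  { name: 'card',     type: 'text',  attrs: { inputmode: 'numeric' } },  // card number in a plain input
  { name: 'cvv',      type: 'text',  attrs: { autocomplete: 'cc-csc' } },
  { name: 'otp',      type: 'text',  attrs: { 'data-replay': 'mask' } },
];

// Weak default beside the corrected setting, on the same form.
function auditReport() {
  return {
    weak:  unmaskedFields(CHECKOUT_FORM, { maskAllInputs: false }),
    fixed: unmaskedFields(CHECKOUT_FORM, { maskAllInputs: true }),
    cardEventWeak:  captureInput(CHECKOUT_FORM[2], '4111111111111111'),
    cardEventFixed: captureInput(CHECKOUT_FORM[2], '4111111111111111', { maskAllInputs: true }),
  };
}
```

With the weak default, email, password and card are logged verbatim; only the CVV (autocomplete hint) and the OTP (explicit tag) are masked. Turning on maskAllInputs is the safer baseline, with an explicit allow-list for the few non-sensitive fields worth searching on. Two caveats: length-preserving masks still reveal how long the value was, and none of this helps for data that is rendered into the DOM rather than typed.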
GDPR and session replay
ICO (UK) and EDPB (EU) guidance is explicit: session replay is processing of personal data and requires a lawful basis. Consent is the only realistic basis for third-party tools like Hotjar. That means: no recording before the cookie banner is accepted (the replay script must not load, or must stay idle, until then; buffering events and sending them after acceptance is still recording before consent); full disclosure in the privacy policy; a way to opt out and to withdraw consent later; and sensitive fields masked.
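Added example, not any vendor's SDK, for the consent requirement above: a consent-gated loader beside the buffer-and-flush shortcut it should replace. `sdk` is a stub for the vendor loader (start = inject the script and begin recording, stop = tear it down), and the class and function names are this example's own.

```javascript
// Added example, not any vendor's SDK: gating a replay recorder on consent, with the
// buffer-and-flush shortcut shown for contrast. `sdk` stands in for the vendor loader.

// The correct pattern: nothing is loaded and nothing is kept until consent is 'granted',
// and withdrawal stops the recorder again.
class ConsentGatedReplay {
  constructor(sdk) { this.sdk = sdk; this.state = 'unknown'; this.recorded = []; this.dropped = 0; }
  setConsent(state) {                          // 'unknown' | 'granted' | 'denied'
    const was = this.state;
    this.state = state;
    if (state === 'granted' && was !== 'granted') this.sdk.start();
    if (state !== 'granted' && was === 'granted') this.sdk.stop();
  }
  onEvent(ev) {
    if (this.state !== 'granted') { this.dropped++; return; }   // discarded, never stored
    this.recorded.push(ev);
  }
}

// The tempting shortcut: load the recorder immediately, buffer events while the banner
// is up, and flush the buffer once the user accepts. The pre-consent interaction is
// still captured, and collection continues after a 'denied' answer.
class BufferedReplay {
  constructor(sdk) { this.sdk = sdk; this.granted = false; this.buffer = []; this.recorded = []; sdk.start(); }
  setConsent(state) {
    this.granted = state === 'granted';
    if (this.granted) { this.recorded.push(...this.buffer); this.buffer = []; }
  }
  onEvent(ev) { (this.granted ? this.recorded : this.buffer).push(ev); }
}

// Stub vendor SDK that only counts start/stop calls.
function makeSdk() {
  const calls = { starts: 0, stops: 0 };
  return { calls, start: () => { calls.starts++; }, stop: () => { calls.stops++; } };
}

// Constructed visit: three interactions before the banner is answered, acceptance, two
// more interactions, withdrawal of consent, one final interaction.
function simulateVisit(loader) {
  for (let i = 1; i <= 3; i++) loader.onEvent({ id: i, phase: 'before-consent' });
  loader.setConsent('granted');
  for (let i = 4; i <= 5; i++) loader.onEvent({ id: i, phase: 'after-consent' });
  loader.setConsent('denied');
  loader.onEvent({ id: 6, phase: 'after-withdrawal' });
  return loader.recorded.map(e => e.id);
}

function compare() {
  const gatedSdk = makeSdk(), bufferedSdk = makeSdk();
  const gated = new ConsentGatedReplay(gatedSdk);
  const buffered = new BufferedReplay(bufferedSdk);
  return {
    gated:    { recorded: simulateVisit(gated),    dropped: gated.dropped,            sdk: gatedSdk.calls },
    buffered: { recorded: simulateVisit(buffered), stillHeld: buffered.buffer.length, sdk: bufferedSdk.calls },
  };
}
```

compare() shows the difference: the gated loader starts the recorder once on acceptance, keeps only the two post-consent events and stops on withdrawal; the buffered version has already started before the banner is answered, replays the three pre-consent events into the session on acceptance, and is still collecting after the user says no.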
What PrivacyGuard does
PrivacyGuard blocks the script loads for major session-replay providers at the network level: Hotjar, FullStory, LogRocket, Mouseflow, Microsoft Clarity, Smartlook, Inspectlet, and others. The site still works; the replay does not record. Enforced automatically on every page — not dependent on cookie banners or user clicks.
Related reading
Third-party cookies · GDPR + CCPA rights · GeraCompliance — session-replay GDPR config