Session Replay: the scariest tracker you've never heard of
Every other tracker on this site — cookies, pixels, analytics beacons — records facts about your visit. Session replay records the visit itself: every mouse movement, every click, every character you typed into a form (usually including the password field), every scroll, every time you hovered over a button and thought about clicking before you didn't. The publisher watches it back later. There are five dominant vendors. Most users have never heard of any of them. Most major commerce and SaaS sites use at least one. This page is the factual treatment of the category.
What session replay actually captures
A session replay SDK is a JavaScript library that the site loads on every page. The library hooks every DOM mutation (what's on the page), every user event (mouse, keyboard, touch), and every network request (what data is being fetched). The events are serialized with timestamps and shipped in small bursts to the vendor's servers. The vendor's dashboard plays the serialized stream back to the publisher as a video-like recording: they see exactly what you saw, your cursor moving across the page, your keystrokes appearing in input fields, your scroll position, your tab switches, your accidental typos you later corrected.
This is not a metaphor. The recording is frame-perfect at ~30fps for mouse movements and exact-character-by-exact-character for typing.
The five dominant vendors
In order of market share as of 2026:
- Microsoft Clarity (free, owned by Microsoft) — dominant in 2026 because it is free and integrated with Microsoft's advertising ecosystem. Found on ~20-25% of the top 10k sites.
- Hotjar (acquired by Contentsquare 2021) — the original popularizer of session replay for small-to-medium publishers.
- FullStory — enterprise-focused, most feature-rich, high-price. Used by most Fortune 500 e-commerce sites.
- LogRocket — developer-focused, often combined with error tracking (Sentry-adjacent positioning).
- Mouseflow — similar feature set to Hotjar at lower price; common in European SMBs.
Plus many smaller vendors (Smartlook, Pendo, Glassbox, Quantum Metric, Decibel) in the same category. Academic measurement studies from 2021 onward found session replay running on 15-25% of the Alexa top 10,000 sites.
Why it is a privacy problem
Three stacked problems:
1. The user is almost never told it's happening. GDPR technically requires consent for session replay in the EU; in practice it's often lumped into "analytics cookies" in the cookie banner, which many users accept out of click fatigue. In the US, no federal law requires disclosure, and state-level requirements vary. The average user on an average site has no idea a recording is happening.
2. Unredacted capture of sensitive fields is routine. Every major session-replay SDK supports a "redact this field" attribute that tells the SDK not to capture keystrokes in the marked input. Redaction is opt-in at the publisher's implementation. Publishers frequently misconfigure it. Princeton's 2017 study found session replay capturing unredacted passwords, SSNs, and credit-card numbers on major sites. Follow-up studies in 2021 and 2023 found the same pattern persisting.
3. The recording is persistent and searchable. The vendor stores sessions for 30 days to several years depending on plan. Publishers can search by IP, session ID, geography, or user-behavior patterns. A class-action lawyer can subpoena specific sessions. An insider with access to the dashboard can watch anyone's session on-demand.
What ADBLOAT measures
ADBLOAT's 46-tracker fixture includes the five dominant session-replay vendors as individual probes. When you run ADBLOAT, the score tells you how many of those vendors your defenses caught. A typical default browser with no blocker fails all five (all vendor scripts load, session replay would be active if this were a real site). A browser with Pi-Hole or any standard blocklist catches all five at the DNS layer (none of the vendor scripts load). A browser with uBlock Origin catches all five at the request layer.
In other words: session replay is among the easiest tracker categories to block, because the vendors serve from well-known, long-lived domains that every blocklist maintainer has known about for years. The reason so many sessions are still being recorded is that most users have no ad blocker at all, not that the blockers fail.
How to defend against it
The defense stack for session replay is simpler than for most privacy threats:
- A network-level blocker. Pi-Hole, AdGuard Home, NextDNS — any of them with a standard blocklist (Hagezi, OISD, Energized) blocks all major session-replay vendor domains. This is the single most effective move because it catches session replay even for devices that can't run extensions (phones, smart TVs).
- A browser content blocker. uBlock Origin with default lists blocks the same vendors at the browser level. Belt-and-suspenders with the DNS layer. On devices where DNS-level blocking isn't possible, this is the primary defense.
- Sec-GPC (Global Privacy Control) header. Browsers that support GPC send a Sec-GPC: 1 header that some session-replay vendors respect as an opt-out signal. Compliance is voluntary but increasing. Brave, Firefox, and the DuckDuckGo browser send GPC by default.
- Never type sensitive data on logged-in first-party sites without checking. The worst-case scenario (an unredacted password field being recorded) can't be prevented by a blocker if the session-replay vendor is the same origin as the site. Self-hosted session replay is rare but exists; major-vendor session replay is what blockers defeat.
Legal and regulatory status
The regulatory landscape is mixed and evolving.
- EU / GDPR — session replay constitutes processing of personal data and requires explicit consent. Sites that hide it under "analytics cookies" in a bundled consent are pushing the boundary. The ePrivacy Directive applies to any cookie or tracker that reads or writes on the user's device, which session replay SDKs do by definition.
- US federal — no law specifically restricts session replay. The FTC has investigated specific cases of unredacted capture as unfair/deceptive practices.
- US state — California's CCPA/CPRA require an opt-out mechanism. Several states have active class-action litigation against specific publishers on wiretap-act theories (Pennsylvania, Florida, Massachusetts). The most cited cases are Popa v. Harriet Carter Gifts (Pennsylvania, 2023) and various 2024 Massachusetts cases.
- Industry self-regulation — the IAB (Interactive Advertising Bureau) published consent frameworks that include session replay as a data-processing category, but compliance is at the publisher's discretion.
If you're a publisher considering it
The honest product argument for session replay is UX research. A recording reveals friction points (visitors who clicked the wrong button, filled a form halfway, hovered over a link without clicking) that funnel metrics alone miss. This is a real product benefit. The honest privacy argument is that the same insights are available via heatmaps, funnel analytics, and targeted user interviews — all of which carry less forensic exposure of your users.
Publishers who do use session replay should: (1) disclose it explicitly in a privacy notice, not buried in cookie banners; (2) configure redaction aggressively on every form field; (3) shorten retention periods to the minimum useful (30 days, not 12 months); (4) limit dashboard access to specific named employees; (5) honor GPC and Do-Not-Track headers as full opt-outs.
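A publisher-side check for item (2), and for the misconfiguration described under "Unredacted capture of sensitive fields" above, as an added example that is not ADBLOAT's or any vendor's code: it walks a snapshot of a page's form fields and lists the sensitive ones that nothing marks for redaction. The attribute name data-replay-redact is a hypothetical placeholder (each SDK uses its own name), and the form snapshot is constructed.

```javascript
// Added example, not ADBLOAT's or any vendor's code.
// REDACT_ATTR is a hypothetical placeholder: substitute your SDK's real attribute.
const REDACT_ATTR = "data-replay-redact";

// Heuristics for fields a replay SDK must never capture in the clear.
const SENSITIVE_TYPES = new Set(["password"]);
const SENSITIVE_AUTOCOMPLETE = /^(cc-|current-password|new-password|one-time-code)/;
const SENSITIVE_NAME = /ssn|social|passw|card|cvv|cvc/i;

function isSensitive(field) {
  if (SENSITIVE_TYPES.has(field.type)) return true;
  if (SENSITIVE_AUTOCOMPLETE.test(field.autocomplete || "")) return true;
  return SENSITIVE_NAME.test(field.name || "");
}

// Redaction is inherited: a field is covered if it or any ancestor carries the
// attribute. Works on real DOM elements (closest) and on the plain objects below.
function isRedacted(field) {
  if (typeof field.closest === "function") {
    return field.closest("[" + REDACT_ATTR + "]") !== null;
  }
  for (let node = field; node; node = node.parent) {
    if (node.attrs && REDACT_ATTR in node.attrs) return true;
  }
  return false;
}

// Names of sensitive fields the SDK would record keystroke by keystroke.
function findUnredactedSensitiveFields(fields) {
  return fields.filter((f) => isSensitive(f) && !isRedacted(f)).map((f) => f.name);
}

// Constructed snapshot of a checkout page's inputs (attrs = element attributes).
const paymentBlock = { attrs: { [REDACT_ATTR]: "" } }; // ancestor marked redacted
const SAMPLE_FIELDS = [
  { type: "text", name: "search", attrs: {} },
  { type: "password", name: "password", attrs: {} },                // recorded in clear
  { type: "text", name: "card_number", autocomplete: "cc-number",
    attrs: {}, parent: paymentBlock },                              // covered by ancestor
  { type: "text", name: "ssn", attrs: { [REDACT_ATTR]: "" } },      // covered directly
  { type: "text", name: "cvv", autocomplete: "cc-csc", attrs: {} }, // recorded in clear
];

// In a browser: findUnredactedSensitiveFields([...document.querySelectorAll("input, textarea")])
console.log(findUnredactedSensitiveFields(SAMPLE_FIELDS)); // ["password", "cvv"]
```

Run it against the live page in the browser console before the SDK ships to production; an empty result is the only acceptable one.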
FAQ
What is session replay?
A category of tracker that records every mouse move, click, keystroke, and scroll on a web page and reconstructs a video-like playback. FullStory, Hotjar, LogRocket, Microsoft Clarity, and Mouseflow are the most-used vendors in 2026.
Does session replay capture passwords and credit card numbers?
It can. SDKs offer redaction features that are opt-in at the publisher's implementation, not default. Academic studies from 2017 onward have found session replay capturing unredacted password, credit card, and SSN inputs on major sites. The capture is a publisher mistake but the architecture makes the mistake trivially easy.
How do I know if a site uses session replay?
Open dev tools, go to Network, look for connections to fullstory.com, hotjar.com, logrocket.com, clarity.ms, mouseflow.com, smartlook.com. If any appear, session replay is active. ADBLOAT's benchmark fires against these endpoints to measure how many your defenses catch.
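The manual check above, and the per-vendor pass/fail that the "What ADBLOAT measures" section describes, as an added example that is not ADBLOAT's own code: it takes the URLs that actually completed (as exported from the Network tab) and reports which of the five vendors were reached. It matches on the registrable domain or a subdomain of it rather than by substring, so a lookalike host does not count. The request list and its paths are constructed.

```javascript
// Added example, not ADBLOAT's code. Vendor domains are the ones named on this page.
const VENDOR_DOMAINS = {
  "Microsoft Clarity": ["clarity.ms"],
  Hotjar: ["hotjar.com"],
  FullStory: ["fullstory.com"],
  LogRocket: ["logrocket.com"],
  Mouseflow: ["mouseflow.com"],
};

// Match the domain itself or any subdomain of it, never a substring:
// "hotjar.com.example.net" must not count as Hotjar.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns the vendor a completed request went to, or null for anything else.
function vendorFor(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return null; }
  for (const [vendor, domains] of Object.entries(VENDOR_DOMAINS)) {
    if (domains.some((d) => hostMatches(host, d))) return vendor;
  }
  return null;
}

// requests: URLs that completed. A vendor that was reached is a FAIL for your
// defenses; one that was never contacted is a PASS.
function scoreSessionReplay(requests) {
  const reached = new Set(requests.map(vendorFor).filter(Boolean));
  const perVendor = {};
  for (const vendor of Object.keys(VENDOR_DOMAINS)) {
    perVendor[vendor] = reached.has(vendor) ? "FAIL" : "PASS";
  }
  return { perVendor, blocked: Object.keys(VENDOR_DOMAINS).length - reached.size };
}

// Constructed sample of what a partially protected browser's Network tab might list.
const SAMPLE_REQUESTS = [
  "https://shop.example/checkout",
  "https://static.hotjar.com/c/hotjar-123.js",  // constructed path
  "https://www.clarity.ms/tag/abc123",          // constructed path
  "https://hotjar.com.example.net/decoy.js",    // lookalike host, must not match
  "https://cdn.example/app.js",
];

console.log(scoreSessionReplay(SAMPLE_REQUESTS)); // blocked: 3, Hotjar and Clarity FAIL
```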
Is session replay legal?
It depends on the jurisdiction. The EU requires explicit consent under GDPR. The US is mostly unregulated; California's CCPA requires an opt-out mechanism. Several class-action lawsuits against publishers on wiretap-act theories have succeeded in specific US states.
How do I block session replay?
DNS-layer blocking (Pi-Hole, AdGuard Home, NextDNS) catches the known vendor domains; standard blocklists include them. Content blockers (uBlock Origin with default lists) block the scripts at the browser level. Either layer is sufficient for vendor-based session replay.
> MEASURE YOUR SESSION-REPLAY DEFENSE
ADBLOAT fires against the five dominant session-replay vendors and reports pass/fail per vendor. See exactly which ones your stack catches and which still reach your browser.