Third-party session replay scripts are analytics tools that give website owners insight into user behavior and how people interact with different parts of their site. The scripts capture and play back browsing sessions (every click, scroll, and keystroke typed into a form) and send that recording to a third-party server. Because the recording can include form contents, the data can often be linked to a user's real identity.
Data from session replay scripts is valuable to companies that want to optimize their site around the way people actually use it, which has made the scripts hugely popular. A study published by researchers at Princeton University reported that 482 of the 50,000 most trafficked websites use them, many without clear disclosure to users. In total, almost 100,000 websites use the scripts, the most popular ones coming from companies such as FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar, and Yandex.
While useful for marketing, these scripts can become a serious liability. On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. It applies to any organization that collects, stores, or uses personal data about individuals in the EU, regardless of where the organization is based. Under the regulation's fairness and transparency requirements, organizations must clearly state, at the point of collection, how they will use an individual's data. Consent must be explicit and demonstrated through an affirmative action such as ticking a box, a significant departure from the 'opt out' process most organizations have in place today. Evidence of violations or negligence is grounds for significant fines.
Since the Princeton researchers published their findings, two of the prominent companies found using session replay scripts, Bonobos and Walgreens, said they would stop using them until they could evaluate the practice for themselves. If two major online retailers need that kind of introspection vis-à-vis their data collection to make sure their marketing tooling aligns with the GDPR, many more could find themselves flat-footed on May 25th.
In fact, querying our own data, RiskIQ uncovered that the domains of 38 of the top 50 U.S. online retailers contain session replay scripts.
To meet GDPR requirements, organizations need a comprehensive understanding of their digital footprint: all of the internet-exposed assets that belong to them. They must be able to discover which external assets collect personally identifiable information (PII), including a user's name, phone number, address, social media presence, photos, lifestyle preferences, location data, and even IP address.
It sounds straightforward, but for multinational companies with expansive web infrastructure, merely compiling and assessing an accurate list of sites is often fraught with gaps and inaccuracies. When the RiskIQ Threat Research team looked at 25 of the 50 largest banks in the U.S. (2017), it found that 68% of them had significant security gaps in how they collected PII.
The RiskIQ Digital Footprint PII/GDPR Analytics feature helps expedite GDPR compliance during initial discovery and subsequent audits by helping organizations identify the websites that belong to them, as well as the specific pages on those websites that collect PII insecurely.
With PII/GDPR Analytics applied to the Digital Footprint inventory, RiskIQ automatically tags an organization's internet-facing assets that have login forms, collect PII, or set cookies, and flags potential GDPR violations. Assets in the inventory can be filtered by tag for straightforward compliance evaluation and analysis. Organizations also receive a detailed, quarterly point-in-time GDPR assessment as a PDF for analysis, reporting, and sharing, along with a CSV file of the external assets that collect PII.
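The tagging described above (login forms, PII collection, cookie use, and third-party session replay scripts) can be approximated with a static scan of each page's HTML. The following is an added example written for this article; it is not RiskIQ's code and says nothing about how the Digital Footprint product works internally. The vendor hostname fragments, the PII field-name hints, and the three sample pages are all constructed for illustration and are assumptions, not an authoritative list.

```python
"""Heuristic page tagger: flags login forms, PII fields, cookie use and
third-party session replay scripts in HTML (added example, not product code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostname fragments for the vendors named in the article (heuristic).
REPLAY_VENDORS = ("fullstory", "sessioncam", "clicktale", "smartlook",
                  "userreplay", "hotjar", "yandex")
# Assumed substrings that suggest a field collects PII (heuristic, may over-match).
PII_HINTS = ("name", "phone", "tel", "address", "email", "zip", "postal", "ssn", "birth")


class PageTagger(HTMLParser):
    """Walks one page and records the evidence each tag is based on."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.in_script = False
        self.form_has_password = False
        self.has_login_form = False
        self.pii_fields = set()
        self.replay_hosts = set()
        self.sets_cookie = False
        self.insecure_forms = []  # form actions that post over plain http://

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_has_password = False
            if (a.get("action") or "").lower().startswith("http://"):
                self.insecure_forms.append(a["action"])
        elif tag in ("input", "textarea", "select"):
            itype = (a.get("type") or "text").lower()
            ident = " ".join(filter(None, (a.get("name"), a.get("id"),
                                           a.get("autocomplete")))).lower()
            if itype == "password":
                self.form_has_password = True
            elif itype in ("email", "tel") or any(h in ident for h in PII_HINTS):
                self.pii_fields.add(a.get("name") or a.get("id") or itype)
        elif tag == "script":
            self.in_script = True
            host = urlparse(a.get("src") or "").hostname or ""
            # Only third-party hosts count; the page's own host is never a vendor.
            if host and host != self.page_host and any(v in host for v in REPLAY_VENDORS):
                self.replay_hosts.add(host)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "set-cookie":
            self.sets_cookie = True

    def handle_endtag(self, tag):
        if tag == "form" and self.form_has_password:
            self.has_login_form = True
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Inline scripts that touch document.cookie count as cookie use.
        if self.in_script and "document.cookie" in data:
            self.sets_cookie = True


def tag_page(url, html):
    """Return the tags and potential-violation flags for one page."""
    p = PageTagger(urlparse(url).hostname or "")
    p.feed(html)
    p.close()
    tags = set()
    if p.has_login_form:
        tags.add("login-form")
    if p.pii_fields:
        tags.add("collects-pii")
    if p.sets_cookie:
        tags.add("sets-cookie")
    if p.replay_hosts:
        tags.add("session-replay")
    sensitive = bool(p.pii_fields or p.has_login_form)
    flags = []
    if url.lower().startswith("http://") and sensitive:
        flags.append("pii-over-http")        # PII entered on a page served over plain HTTP
    if p.replay_hosts and sensitive:
        flags.append("replay-on-pii-page")   # third party records keystrokes on a PII page
    if p.insecure_forms:
        flags.append("form-posts-over-http") # the form itself submits over plain HTTP
    return {"url": url, "tags": sorted(tags), "flags": flags,
            "pii_fields": sorted(p.pii_fields), "replay_hosts": sorted(p.replay_hosts)}


# Constructed sample pages (not real sites).
PAGE_CHECKOUT = """<html><head>
<script src="//static.hotjar.com/c/hotjar-1.js"></script>
<script>document.cookie = "session=abc; path=/";</script>
</head><body><form action="http://shop.example.com/checkout" method="post">
<input type="text" name="full_name"><input type="email" name="email">
<input type="tel" name="phone"><input type="text" name="shipping_address">
<input type="submit" value="Pay"></form></body></html>"""
PAGE_LOGIN = """<html><body><form action="/login" method="post">
<input type="text" name="username" autocomplete="username">
<input type="password" name="password"></form>
<script src="https://cdn.shop.example.com/app.js"></script></body></html>"""
PAGE_STATIC = "<html><body><h1>About us</h1><p>No forms here.</p></body></html>"

if __name__ == "__main__":
    for url, html in (("https://shop.example.com/checkout", PAGE_CHECKOUT),
                      ("https://shop.example.com/login", PAGE_LOGIN),
                      ("https://shop.example.com/about", PAGE_STATIC)):
        print(tag_page(url, html))
```

Run against the constructed checkout page, the scanner tags it `collects-pii`, `session-replay` and `sets-cookie` and raises two flags: a third-party replay script on a page where PII is typed, and a form that posts over plain HTTP. The login page gets `login-form` and `collects-pii` with no flags, and the static page gets nothing. A real inventory would feed this the fetched HTML of every page discovered for the organization and would tune the vendor and field-name lists, since substring matching will both miss vendors loaded through tag managers and over-match names such as "hotel".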