Publication by the CNIL on its website.
The CNIL has published a draft recommendation on “session replay” tools and opened a public consultation on this text until April 22, 2026. The stated objective is to provide guidance to both designers and deployers of these solutions, in a context where such technologies are spreading rapidly and offer particularly detailed insight into users’ online behavior.
Powerful tools, intrusive by nature
Session replay tools make it possible to reconstruct a user’s entire browsing journey on a website or mobile application: mouse movements, clicks, scrolling, touch interactions, and, in some cases, form inputs. The collected data are then reproduced in the form of “replayed” sessions, comparable to video recordings of navigation.
The CNIL emphasizes that these tools may result in highly granular tracking capable of revealing precise information about individuals’ private lives (habits, interests, and potentially sensitive data depending on the context), creating a structural risk of excessive data collection in relation to the intended purpose.
A dual legal framework: Article 82 and the GDPR
The draft rests on a classic but essential interplay between two legal frameworks.
First, session replay tools involve read/write operations on a user’s terminal through trackers (cookies or similar technologies). Consequently, they are subject to Article 82 of the French Data Protection Act (“Loi Informatique et Libertés”), which transposes the “cookies” provisions of the European ePrivacy Directive.
Second, session replay reconstructs individual sessions and necessarily entails the processing of personal data (directly or indirectly identifying), regardless of the configuration chosen. These processing operations, which are “subsequent” to the technical read/write operation, must therefore comply with the GDPR.
Qualification of the parties involved
The draft specifies the qualification of the actors concerned.
The publisher (website or application operator) is, in principle, the data controller for all operations (read/write and subsequent processing): it decides to use the tool, determines the purposes, and participates in defining the essential means through its configuration choices.
The provider of the replay solution is, depending on the case:
- a processor when it provides the tool without reusing the data for its own purposes;
- a separate data controller for its own purposes if it reuses the data (e.g., to improve its service);
- a joint controller with the publisher for read/write operations when these operations serve the purposes of both parties (Article 26 of the GDPR).
Purposes: the CNIL frames “admissible” uses of session replay
The draft stresses a fundamental requirement: purposes must be specific, explicit, and legitimate, and above all defined prior to deployment. They cannot be “discovered” or adjusted retrospectively based on what the tool reveals.
The CNIL identifies use cases for which session replay is presented as acceptable (and for which it subsequently provides configuration and minimization recommendations):
- Detection and understanding of errors or technical issues, where visualizing sessions makes it possible to identify and resolve bugs or anomalies not detectable through traditional analytics tools;
- Improvement of user experience (UX), in order to identify friction points (e.g., rage clicks, misclicks) and enhance ergonomics;
- Customer support and assistance, where reproducing the session of a user who encountered a problem enables a response to a request (e.g., difficulty completing an order).
The text adds that if a publisher intends to use a session replay tool for other purposes, it is responsible for ensuring the compliance of such use. The authority goes further by providing a clear example: in light of the principle of data minimization and the inherent risks of these tools, a session replay tool should not be used for advertising retargeting purposes, given the existence of less intrusive alternatives (e.g., cart reminder cookies).
The CNIL thus clearly excludes marketing uses such as retargeting, positioning session replay as a tool intended for technical, UX, or support purposes, but difficult to reconcile with advertising logic.
Consent and information: a systematic prerequisite
In its draft, the CNIL considers that purposes related to session replay are subject to prior consent under the rules applicable to cookies and other trackers. These operations are neither strictly necessary for the provision of the service nor exclusively intended to enable or facilitate electronic communication. Consequently, they cannot benefit from the consent exemption provided for in Article 82 of the French Data Protection Act.



