Comparison: Session Replay Tools

GDPR-Compliant Session Replay Tools with PII Masking: Full Comparison 2026

Which session replay tools are genuinely GDPR compliant with proper PII masking? Not all tools that claim compliance actually stop recording when a user rejects analytics, and default masking settings vary wildly across vendors. This guide compares the leading session replay tools on default PII masking behavior, EU data residency, HIPAA BAA coverage, GPC signal handling, consent state behavior, and pricing, so privacy, legal, and engineering teams can make an informed choice.

Quick summary

What to know before you choose

What it does

Session replay records visitor interactions including mouse movement, clicks, scrolls, form interactions, and network requests so product and UX teams can understand exactly what happened during a session.

What to look for

Evaluate default form masking, EU data residency, HIPAA BAA availability, GPC signal handling, server-side relay options, and whether the tool truly stops recording on a consent reject.

Where Lokker fits

Lokker validates that session replay stops in reject and GPC states, detects every replay vendor across your portfolio regardless of how it was deployed, and enforces blocking on sensitive paths when consent fails.

Quick answer

GDPR-aligned session replay requires default PII masking on forms and sensitive fields, EU data residency or a valid DPA, and proof that recording stops when visitors reject analytics or send Global Privacy Control. Vendor choice is only the first decision. Lokker often sees the same root cause as on CMP engagements: no consent layer, or a banner that says opt-out while replay and pixels still fire. Replay scripts drift through GTM, direct page embeds, and stale categories. We inventory replay on the wire and validate reject and GPC with evidence counsel and insurers can use outside the vendor dashboard.

Field perspective

Session replay is where "the CMP said no" shows up on the wire

Replay tools are a frequent subject in privacy programs, underwriting, and demand letters involving tracking. Teams want product insight; legal and compliance need proof that recording stops when the visitor opts out. We are not saying every deployment is unlawful. We are saying the mismatch between banner and network is what we see when matters go wrong.

The CMP may list replay under analytics and the privacy policy may describe opt-out rights. If the recording script still loads after reject or GPC, you have the same problem as a misconfigured ads pixel: policy and UI say one thing, behavior says another. That gap does not depend on whether you chose Hotjar, FullStory, or Clarity. It depends on tag order, categories, rescans, and whether marketing added the snippet outside the tag manager.

Use this guide to shortlist vendors on masking and residency, then treat maintenance as non-optional. Privacy Edge finds replay across the estate, Consent Validator proves each consent state, and Guardian can block recording when the stack drifts so teams can get back to building the business.

Evaluation framework

What to evaluate in a session replay tool

Feature matrices help you shortlist vendors. These criteria cover masking defaults, lawful basis, consent gating, and the proof privacy teams need after marketing keeps publishing new tags.

Default PII masking, not only password fields

Replay captures form input, URLs, and custom identify calls. Vendors differ on whether text fields are masked by default or only after configuration.

  • Confirm masking covers names, email, health, and financial fields on real templates
  • Review URL query parameters and hash fragments on sensitive journeys
  • Document which fields remain visible in replay admin for support staff

Consent category and CMP integration

Session replay is analytics or performance, never strictly necessary. The recording script must not load in pre-consent, reject, or GPC states.

  • Place replay in the correct CMP category with deny-by-default tag triggers
  • Load CMP before GTM or hard-coded replay snippets
  • Run network tests for accept, reject, and GPC on priority URLs

Data location, DPAs, and retention

EU residency and HIPAA BAA availability vary by vendor and plan. Retention limits matter for GDPR data minimization.

  • Execute a DPA and review sub-processors before production
  • Set retention to the shortest period that meets product needs
  • Block replay on authenticated, payment, and clinical paths where possible

Network-level proof after every release

Vendor dashboards and CMP admin views do not show what crossed the wire from the visitor browser.

  • Store HAR or automated captures for legal and insurance workflows
  • Retest after GTM publishes and after new landing pages ship
  • Use Guardian as a safety net when CMP and tag manager drift
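The consent-state network test described above can be automated over stored HAR captures. The following is an added example, not code from Lokker or any vendor on this page; the hostname `replay.vendor.example`, the state names, and the sample captures are constructed placeholders.

```javascript
// Added example: audit one HAR capture per consent state for replay traffic.
// Placeholder hostname (assumption); use the replay hosts from your own inventory.
const REPLAY_HOSTS = ["replay.vendor.example"];
// States in which no request to a replay host is acceptable.
const MUST_BE_SILENT = new Set(["pre-consent", "reject", "gpc"]);

function isReplayHost(hostname) {
  const h = hostname.toLowerCase();
  // Match the host itself or any subdomain, never a mere string suffix.
  return REPLAY_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

function headerValue(request, name) {
  const hit = (request.headers || []).find((x) => x.name.toLowerCase() === name);
  return hit ? hit.value : undefined;
}

// captures: { stateName: parsedHarObject } -> array of findings
function auditConsentMatrix(captures) {
  const findings = [];
  for (const [state, har] of Object.entries(captures)) {
    const entries = (har && har.log && har.log.entries) || [];
    if (entries.length === 0) {
      // An empty capture proves nothing; report it instead of passing it.
      findings.push({ state, kind: "empty-capture", detail: "no requests recorded" });
      continue;
    }
    // A GPC capture is only evidence if the browser actually sent the signal.
    if (state === "gpc" && !entries.some((e) => headerValue(e.request, "sec-gpc") === "1")) {
      findings.push({ state, kind: "gpc-not-sent", detail: "no request carried Sec-GPC: 1" });
    }
    if (!MUST_BE_SILENT.has(state)) continue;
    for (const e of entries) {
      let url;
      try { url = new URL(e.request.url); } catch { continue; }
      if (isReplayHost(url.hostname)) {
        findings.push({
          state,
          kind: "replay-request",
          // Query string is left out so the evidence log does not copy identifiers.
          detail: `${e.request.method} ${url.origin}${url.pathname}`,
          at: e.startedDateTime,
        });
      }
    }
  }
  return findings;
}

// Constructed sample captures (not real traffic).
const entry = (url, headers = []) => ({
  startedDateTime: "2026-01-01T00:00:00.000Z",
  request: { method: "GET", url, headers },
});
const GPC = [{ name: "Sec-GPC", value: "1" }];
const SAMPLE_CAPTURES = {
  "pre-consent": { log: { entries: [entry("https://site.example/")] } },
  accept: { log: { entries: [entry("https://site.example/"),
                             entry("https://cdn.replay.vendor.example/sdk.js")] } },
  reject: { log: { entries: [entry("https://site.example/"),
                             entry("https://cdn.replay.vendor.example/collect?sid=abc")] } },
  // This run forgot to enable GPC in the test browser, so it is not valid evidence.
  gpc: { log: { entries: [entry("https://site.example/")] } },
};

for (const f of auditConsentMatrix(SAMPLE_CAPTURES)) {
  console.log(`[${f.state}] ${f.kind}: ${f.detail}`);
}
```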

Operating model

How session replay fits your CMP and tag manager

Replay is almost always deployed through Google Tag Manager or a similar container. Compliance depends on load order, consent variables, and whether the recording script is blocked entirely when consent is denied.

  1. Categorize replay outside strictly necessary

    Map the vendor to analytics or performance in OneTrust, Cookiebot, TrustArc, or your CMP. Misclassification is a frequent root cause of replay firing before consent.

  2. Gate the tag on consent variables, not time alone

    GTM triggers should read CMP purpose flags or Consent Mode signals. Time-based or all-pages triggers bypass visitor choice.

  3. Validate masking plus script absence on reject

    Masked replay still loads the SDK and transmits metadata. Reject and GPC states should show zero outbound calls to the replay host in network logs.

  4. Scope URL blocking for high-risk paths

    Use vendor URL rules to exclude checkout, account, intake, and video-heavy templates where VPPA or HIPAA exposure is elevated.

  5. Schedule rescans when containers change

    Treat replay like any other high-risk tag: run the consent-state matrix at least quarterly, and run a full retest on every container publish that touches marketing or analytics.
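Steps 2 and 4 above reduce to a deny-by-default decision made before the recording script is injected. The sketch below is an added example, not any CMP's or vendor's API; the `consent` object shape, the blocked path list, and the function names are assumptions.

```javascript
// Added example: deny-by-default gate for a session replay snippet.
// Hypothetical path list (assumption); mirror your own high-risk templates.
const BLOCKED_PATH_PREFIXES = ["/checkout", "/account", "/intake"];

// Canonicalise the path so case, percent-encoding and duplicate slashes
// cannot slip past the prefix check. Returns null when the path cannot be decoded.
function normalizePath(path) {
  let p;
  try { p = decodeURIComponent(String(path)); } catch { return null; }
  p = p.toLowerCase().replace(/\/{2,}/g, "/");
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p;
}

// consent: undefined until the CMP has resolved, then { analytics: true | false }
// gpc:     value of navigator.globalPrivacyControl === true
// path:    location.pathname
function replayDecision({ consent, gpc, path }) {
  if (gpc === true) return { load: false, reason: "gpc" };
  if (!consent || typeof consent.analytics !== "boolean") {
    // Pre-consent, or the CMP has not answered yet: never fall through to "load".
    return { load: false, reason: "consent-unresolved" };
  }
  if (consent.analytics !== true) return { load: false, reason: "rejected" };

  const p = normalizePath(path);
  if (p === null) return { load: false, reason: "unparseable-path" }; // fail closed
  const blocked = BLOCKED_PATH_PREFIXES.some(
    (prefix) => p === prefix || p.startsWith(prefix + "/")
  );
  if (blocked) return { load: false, reason: "blocked-path" };
  return { load: true, reason: "opt-in" };
}

// inject is the only code allowed to add the vendor <script>; it runs at most
// once per call and only on an explicit opt-in.
function loadReplayIfAllowed(env, inject) {
  const decision = replayDecision(env);
  if (decision.load) inject();
  return decision;
}

// Browser usage (assumption: cmpState is whatever your CMP exposes):
// loadReplayIfAllowed(
//   { consent: cmpState, gpc: navigator.globalPrivacyControl === true, path: location.pathname },
//   () => { /* append the vendor snippet here */ }
// );
```

The gate decides only whether the snippet is injected from this code path; a snippet pasted directly into a page template never reaches it, which is why the network test is still needed.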

The tools

Tools included in this comparison

8 leading tools covering free, mid-market, and enterprise tiers, cloud and self-hosted deployment, and a range of privacy and compliance postures.

Hotjar

Session recording, heatmaps, and user feedback surveys in one platform.

From ~$50/mo | Cloud + EU option

FullStory

Enterprise digital experience intelligence with high-fidelity session replay and DX Data analytics.

Enterprise pricing | Cloud + EU option

LogRocket

Session replay with JavaScript error monitoring and network request logging for product and engineering teams.

From ~$200/mo | Cloud + EU option

Mouseflow

Session recording with funnel analysis, form analytics, and GDPR-focused privacy defaults.

From ~$50/mo | Cloud + EU option

Glassbox

Enterprise session analytics with on-premises deployment for financial services and regulated industries.

Enterprise pricing | Cloud + on-premises

PostHog

Open-source product analytics platform with session replay, feature flags, A/B testing, and data warehouse exports.

Free | Cloud or self-hosted

Smartlook

Session recording and event analytics with native mobile SDKs at a competitive price point.

From ~$50/mo | Cloud + EU option

All product names and trademarks are property of their respective owners. Lokker is not affiliated with or endorsed by any of the companies listed. Pricing and feature information is based on publicly available data and may change; verify with each vendor before purchasing.

Feature comparison

Capability comparison matrix

How each tool compares across the dimensions that matter most for product, engineering, and privacy teams.

Full text matrix for all tools

Recording scope

Microsoft Clarity
Clicks, scrolls, mouse movement, and page structure; cookieless; all sessions captured
Hotjar
Clicks, scrolls, mouse movement; sampling by percentage or user attribute filters
FullStory
High-fidelity DOM capture including dynamic content; DX Data analytics layer on top
LogRocket
Full session with JavaScript errors, network requests, Redux state, and console logs
Mouseflow
Clicks, scrolls, movement, and form interactions; funnel and conversion path analysis
Glassbox
Full session with struggle detection and augmented journey analytics for enterprise
PostHog
Session recording integrated with product analytics events; self-hosted or EU cloud
Smartlook
Clicks, scrolls, movement; cross-platform web and native mobile recording

Heatmaps and click maps

Microsoft Clarity
Click maps, scroll maps, and area heatmaps included at no cost
Hotjar
Click maps, scroll maps, and move maps included in all plans
FullStory
DX Data heatmaps and click maps; segment-filtered heatmaps on higher plans
LogRocket
Heatmaps included on paid plans
Mouseflow
Click maps, scroll maps, movement maps, attention maps included
Glassbox
Struggle heatmaps and digital experience heatmaps
PostHog
Heatmaps included in the open-source and cloud product
Smartlook
Click maps and heatmaps included

Rage and frustration detection

Microsoft Clarity
Rage click and dead click detection; frustration score per session
Hotjar
Rage click detection and frustration signal filtering
FullStory
Rage click, error click, and thrash detection
LogRocket
Rage click detection and JavaScript error correlation
Mouseflow
Rage click, cursor thrash, and frustration score per session
Glassbox
Struggle score with rage click, form abandonment, and error tracking
PostHog
Rage click and dead click detection
Smartlook
Rage click detection

User identification and session tagging

Microsoft Clarity
Anonymous sessions only; no user identification API
Hotjar
Identify API for tagging sessions with user ID and custom attributes
FullStory
FS.identify() with user variables and session search by user attributes
LogRocket
LogRocket.identify() with traits and attribute-based session search
Mouseflow
User tagging with custom variables and segment filters
Glassbox
Recognized user session linking and attribute tagging
PostHog
posthog.identify() with rich person properties and session filtering
Smartlook
smartlook.identify() with custom properties and filtering

Native mobile app support

Microsoft Clarity
Web only; no native mobile SDK
Hotjar
Web only; mobile web recording supported
FullStory
Native iOS and Android SDKs with mobile-specific session replay
LogRocket
Native iOS and Android SDKs
Mouseflow
Web only
Glassbox
Native iOS and Android SDKs for enterprise mobile deployments
PostHog
Native iOS, Android, React Native, and Flutter SDKs
Smartlook
Native iOS, Android, React Native, and Flutter SDKs

Developer and analytics integrations

Microsoft Clarity
Google Analytics 4 and Microsoft Advertising UET integration
Hotjar
HubSpot, Segment, Jira, Slack, and over 30 integrations
FullStory
Segment, Amplitude, Heap, Salesforce, BigQuery, and data warehouse exports
LogRocket
Jira, GitHub, Segment, Amplitude, Sentry, and error monitoring platforms
Mouseflow
Google Analytics, Salesforce, and major CMP integrations
Glassbox
Enterprise analytics, CRM, and customer service platform integrations
PostHog
Sentry, HubSpot, Segment, dbt, and 50+ data warehouse and CDP destinations
Smartlook
Analytics, product analytics, and customer support tool integrations

Free tier

Microsoft Clarity
Fully free with no session or usage limits
Hotjar
Free for up to 35 daily sessions and 300 recordings per month
FullStory
No free tier; enterprise pricing on request
LogRocket
Free for up to 1,000 sessions per month
Mouseflow
Free for up to 500 recordings per month
Glassbox
No free tier; enterprise pricing on request
PostHog
Free for up to 5,000 sessions per month on cloud; fully free when self-hosted
Smartlook
Free for up to 3,000 sessions per month

Default data retention

Microsoft Clarity
13 months (fixed; cannot be shortened)
Hotjar
365 days (configurable on paid plans)
FullStory
90 days default; longer retention available on higher plans
LogRocket
30 days default; longer periods on paid plans
Mouseflow
30 to 365 days depending on plan
Glassbox
Configurable per enterprise SLA
PostHog
1 year on cloud; unlimited storage when self-hosted
Smartlook
30 days on free plan; up to 90 days on paid plans

Session sampling controls

Microsoft Clarity
No sampling; all sessions are captured automatically
Hotjar
Percentage sampling and user attribute filtering
FullStory
Capture rules for URL targeting and attribute-based session sampling
LogRocket
Configurable sampling rate and attribute-based session targeting
Mouseflow
Sampling rate controls on all paid plans
Glassbox
Full capture and sampling modes configurable per property
PostHog
Configurable sampling rate in the session recording settings
Smartlook
Sampling controls available on paid plans

API and data export

Microsoft Clarity
No public API; GA4 export integration only
Hotjar
Recordings and heatmaps API on paid plans
FullStory
Data Export API; BigQuery and data warehouse exports on enterprise plans
LogRocket
Data export API; analytics and CDP destination integrations
Mouseflow
REST API on paid plans
Glassbox
Enterprise data export and API access
PostHog
Full REST API; SQL access; data warehouse exports and self-hosted data lake
Smartlook
REST API on paid plans

Head-to-head

Hotjar vs FullStory: product team comparison

Both target UX and product teams, but privacy posture and enterprise features diverge. Neither natively honors GPC without CMP gating.

Best for

Hotjar
Marketing and growth teams wanting heatmaps, surveys, and fast SaaS deployment
FullStory
Product orgs needing advanced search, frustration signals, and enterprise GDPR tooling

Default PII masking

Hotjar
Password fields only by default; broader masking requires configuration
FullStory
Masks passwords by default; general text masking available with rules and services

HIPAA BAA

Hotjar
Not available; avoid PHI pages
FullStory
Available on enterprise plans with scoped deployment review

Pricing motion

Hotjar
SMB-friendly tiers; scales with sessions and sites
FullStory
Enterprise quote; higher floor but deeper product analytics coupling

Privacy proof burden

Hotjar
Requires explicit CMP gating and network tests on reject/GPC
FullStory
Same; EU hosting and DPA do not remove consent obligations

Head-to-head

Microsoft Clarity vs Hotjar: free vs paid replay

Clarity is often adopted for cost reasons. Hotjar bundles surveys and feedback. Compare masking, retention, and consent behavior before you deploy on regulated properties.

Cost

Microsoft Clarity
Free without session caps
Hotjar
Free tier limited; paid plans from roughly $39 per month and up

Default masking

Microsoft Clarity
Password fields; other inputs need CSS selector rules
Hotjar
Password fields only unless configured

Retention

Microsoft Clarity
Fixed 13-month retention; not configurable
Hotjar
Configurable retention on paid plans

GPC handling

Microsoft Clarity
No native GPC; must gate via CMP or Guardian
Hotjar
No native GPC; must gate via CMP or Guardian

When to avoid

Microsoft Clarity
Healthcare PHI, strict HIPAA, and some financial flows without hard blocks
Hotjar
Same; plus evaluate cost of surveys if you only need replay

Does your tool actually stop in reject and GPC states?

Lokker Consent Validator runs automated browser sessions across every consent state and confirms at the network layer whether tools in this category still send requests when they should not.

Privacy and compliance

Privacy and compliance scorecard

The dimensions Lokker Privacy Edge evaluates when it detects session replay tools on your properties. Use this scorecard alongside the capability matrix when making your vendor decision.

Legend: Yes, Partial, No, Unknown

Tools scored: Microsoft Clarity, Hotjar, FullStory, LogRocket, Mouseflow, Glassbox, PostHog, Smartlook

Privacy dimensions:

  • Password fields masked by default
  • Text inputs masked by default
  • GPC (Global Privacy Control) respected
  • EU data residency option
  • HIPAA BAA available
  • Block recording on specific URLs
  • Server-side relay or proxy option
  • Cookie-free mode
  • Configurable retention period
  • Published sub-processor list

Scores reflect publicly available product documentation as of 2026. Vendor capabilities change; verify current behavior with each vendor and through independent testing. "Partial" indicates the capability exists but requires non-default configuration, an additional plan tier, or has meaningful limitations.

Buyer guidance

How to choose the right tool for your context

Choosing among these session replay tools depends on your industry, infrastructure, privacy posture, and budget. Use these decision guides to narrow your evaluation.

Which tools offer genuine GDPR-compliant session replay with PII masking?

Mouseflow, Glassbox, and PostHog mask all text inputs by default, making them the strongest choices for GDPR-compliant deployments that prioritize PII masking out of the box. FullStory and LogRocket require configuration to mask general text fields beyond passwords. Microsoft Clarity requires explicit CSS selector configuration to mask any input beyond passwords. Default masking is only part of the story: you must also confirm the tool stops recording entirely when a user rejects analytics, which requires network-layer validation rather than dashboard inspection.

Lokker note: For teams that need strong default masking with minimal configuration overhead, Mouseflow or PostHog self-hosted are the most GDPR-aligned starting points. Pair any choice with Lokker Consent Validator to confirm the tool stops recording on reject and GPC states.

Healthcare or HIPAA-regulated properties

Only FullStory, LogRocket (enterprise), Glassbox, and PostHog (enterprise cloud or self-hosted) offer HIPAA BAA coverage. Clarity and Hotjar should not be used on any page that renders PHI or ePHI.

Lokker note: Validate that the tool you choose stops recording in reject and GPC states using Lokker Consent Validator, and confirm that your CMP gates the script correctly.

EU-first or GDPR-strict organizations

All listed vendors offer EU data residency, but residency alone does not satisfy GDPR. Require a DPA, confirm sub-processor lists, and validate that the tool is gated by explicit opt-in consent before any recording occurs.

Lokker note: PostHog self-hosted gives the highest level of data location control. Mouseflow and Hotjar have long-standing EU hosting with straightforward DPA processes.

Price-sensitive or early-stage teams

Microsoft Clarity is fully free with no session limits. PostHog and Smartlook offer generous free tiers. Hotjar and Mouseflow have entry plans under $50 per month.

Lokker note: Even free tools create compliance obligations. Validate consent gating before go-live, regardless of cost tier.

Banking, insurance, and fintech deployments

Glassbox targets financial services with on-premises options, strong default masking, and governance features. FullStory and LogRocket offer enterprise BAAs and configurable field-level masking for apps that handle account numbers and support flows. Confirm EU data residency, role-based access to replays, and that recording is blocked on payment and authenticated account URLs.

Lokker note: Run Consent Validator on login, transfer, and quote flows after every release. Pair with Guardian on paths where a single misconfigured tag could expose financial PII in replay payloads.

Developer-led or engineering-focused teams

LogRocket combines session replay with JavaScript error monitoring and network request logging in a single tool, making it particularly useful for engineering teams that need to correlate UX issues with code-level errors. PostHog offers an open-source stack with analytics, feature flags, and A/B testing alongside replay.

Lokker note: PostHog self-hosted gives engineering teams full data ownership and eliminates third-party data transfer concerns entirely.

Teams requiring self-hosted deployment

PostHog is the only mainstream session replay tool that is fully open source and self-hostable with complete feature parity. Glassbox offers an on-premises enterprise option. All other tools are cloud-only.

Lokker note: Self-hosted deployments shift data processing entirely to your infrastructure, but you still need to validate consent logic, since the recording script still runs in the visitor browser.

Ongoing operations

Session replay maintainability after go-live

Launch validation is necessary but not sufficient. No replay vendor removes the need for a team to maintain the CMP, tag manager, and blocking rules. Replay tags arrive through GTM, agencies paste snippets on campaign landers, and categories fall behind live vendors. Without ongoing proof in opt-out states, drift becomes a demand letter risk, not a theoretical compliance gap.

Retest reject and GPC on every container publish

A single new trigger can fire replay before consent resolves. Store network captures for counsel and insurers when you change analytics tags.

Rescan for shadow replay deployments

Privacy Edge detects replay vendors by network fingerprint, including tag-manager aliases and agency-added snippets not in your CMP vendor list.

Align retention with policy and regulation

Long fixed retention (for example Clarity at 13 months) may conflict with data minimization expectations. Document business justification and deletion workflows.

Review video and healthcare templates for VPPA exposure

Pages with embedded video are higher risk for VPPA theories. Obtain legal review before enabling replay on news, entertainment, or patient education content.

Keep identify and custom event APIs out of PII paths

Developers sometimes pass email or account IDs into replay identify calls. Code review plus Guardian rules reduce accidental disclosure.

Privacy context

The privacy reality of session replay

Session replay is one of the highest-risk third-party tool categories in web privacy law. Three separate legal theories have produced active litigation: VPPA (Video Privacy Protection Act) claims for recording "video" content, HIPAA tracking technology obligations from HHS OCR guidance, and wiretapping-theory suits under California CIPA. Understanding what session replay actually captures, beyond what the vendor marketing says, is essential before deployment.

"Masking" does not mean the tool is not running

Even fully masked session replay loads the recording script, sets cookies or local storage, and transmits session metadata including URLs, referrers, session durations, and device fingerprints to the vendor. A consent reject must prevent the script from loading entirely, not merely mask inputs. Most CMP configurations block the visual output but leave the script running.

URLs, query strings, and fragments contain sensitive data

Session replay captures the full URL for every page visit, including query parameters and fragments that may encode search terms, filter states, user IDs, product details, or health-related keywords. A URL like /results?condition=diabetes&zip=90210 transmitted to a third party may constitute a disclosure of health data even if all form inputs are masked.
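One mitigation for the URL exposure described above is to rewrite the page URL before it reaches any third party. This is an added example, not a feature of any tool listed here; it assumes the replay tool or a relay in front of it offers a hook where the URL can be rewritten, and the allowlist, patterns, and `site.example` origin are constructed for illustration.

```javascript
// Added example: reduce a page URL to what is safe to hand to a replay vendor.
// Query parameters are dropped unless allowlisted (assumed list; keep it short).
const SAFE_PARAMS = new Set(["page", "sort", "lang"]);
// Values that look like an email address are never forwarded.
const EMAIL_RE = /[^\/\s@]+@[^\/\s@]+\.[^\/\s@]+/;
// Path segments that look like record identifiers: long numbers or UUIDs.
const ID_SEGMENT_RE =
  /^(?:\d{4,}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

function sanitizeUrlForReplay(rawUrl, base = "https://site.example") {
  const url = new URL(rawUrl, base);

  // 1. Query string: allowlist by name, and still drop values that look like email.
  const kept = new URLSearchParams();
  const droppedParams = [];
  for (const [name, value] of url.searchParams) {
    if (SAFE_PARAMS.has(name.toLowerCase()) && !EMAIL_RE.test(value)) {
      kept.append(name, value);
    } else {
      droppedParams.push(name);
    }
  }

  // 2. Path: replace identifier-like segments, decoding first so that
  //    percent-encoded values (for example %40 for "@") are still recognised.
  const path = url.pathname
    .split("/")
    .map((segment) => {
      let decoded;
      try { decoded = decodeURIComponent(segment); } catch { return ":redacted"; }
      return ID_SEGMENT_RE.test(decoded) || EMAIL_RE.test(decoded) ? ":redacted" : segment;
    })
    .join("/");

  // 3. Fragment: always dropped, since it often carries filter or tab state.
  const query = kept.toString();
  return {
    url: url.origin + path + (query ? "?" + query : ""),
    droppedParams,
    droppedFragment: url.hash.length > 1,
  };
}

// The URL from the paragraph above, plus two constructed ones.
for (const sample of [
  "/results?condition=diabetes&zip=90210",
  "/patients/123456/visits?page=2&sort=date#tab=labs",
  "/u/jane%40example.org/profile?lang=en",
]) {
  console.log(sample, "->", sanitizeUrlForReplay(sample).url);
}
```

The `droppedParams` list doubles as an audit trail: logging the names (not the values) shows which journeys were leaking parameters before the rewrite was in place.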

Custom events and identify calls carry user data

Replay tools that support user identification or custom event tracking can receive explicit PII through developer API calls. Attributes like name, email, user ID, and behavioral properties are transmitted to vendor servers. These calls often originate from product analytics code rather than the replay SDK directly, making them easy to miss in a consent audit.

VPPA exposure does not require video content on the page

VPPA class actions in the US have alleged that session replay tools capture "video" of the visitor interacting with video content on the page, creating an unlawful disclosure of viewing history to the replay vendor. Healthcare, streaming, and news sites are common targets. The legal theory does not require a dedicated video player; embedded players in editorial content are sufficient.

Tag manager deployment bypasses CMP gating

Session replay scripts are frequently deployed through Google Tag Manager or similar containers. If the tag manager itself loads before the CMP resolves, or if the replay tag lacks proper consent-mode integration, it may fire in pre-consent or reject states regardless of the CMP configuration. Network-layer validation is the only reliable way to confirm this.

GPC is an opt-out signal most replay tools ignore natively

Global Privacy Control is a browser-level signal for opt-out of sale and sharing of personal data. None of the session replay tools in this comparison natively intercept the GPC signal and stop recording without additional configuration. Organizations with California GPC obligations must gate session replay through a CMP or network-layer enforcement tool.

Where Lokker fits

How Lokker helps with session replay compliance

Deploying a session replay tool is only the first decision. What protects the business is proof that opt-out and GPC stop the script on the wire, including when tags bypass the CMP. Lokker documents that behavior for counsel and insurers and can block recording when the stack drifts.

Privacy Edge: detect every replay vendor across your portfolio

Privacy Edge scans your web properties and identifies session replay scripts by network fingerprint, not just domain name. It surfaces obfuscated or tag-manager-delivered replay tools that may not appear in a manual inventory, maps them to the Session Replay risk category, and produces HIPAA and VPPA-mapped reason codes where applicable.


Consent Validator: confirm replay stops on reject and GPC

Consent Validator runs automated browser sessions in pre-consent, reject, accept, and GPC states and captures exactly what the session replay tool does in each. If replay requests fire in a state where they should not, Consent Validator surfaces the finding with network-level evidence for your legal and privacy team.


Guardian: enforce blocking when consent fails

Guardian intercepts session replay scripts at the browser network layer before they can load, transmit data, or identify the visitor. Trust rules defined in Privacy Edge are enforced in real time, so a CMP misconfiguration cannot result in an unauthorized replay session reaching the vendor.


Common questions

Session Replay Tools: frequently asked questions

The most common questions from privacy teams, legal counsel, and buyers evaluating session replay tools.

Next step

Validate your session replay tools deployment with Lokker

Lokker confirms that the tool you choose stops collecting data in reject and GPC states, surfaces any gaps in your CMP configuration, and enforces blocking at the network layer so a misconfigured consent banner cannot result in an unauthorized data collection event.

Privacy policy guidance

Drafting your privacy policy? See per-vendor disclosure guides.

Each guide explains what data the tool collects, illustrative policy language for discussion with counsel, jurisdiction notes, and a CMP configuration checklist.