Marketing and Analytics

FullStory records everything. Does your consent configuration know that?

FullStory is a powerful digital experience platform that captures full session recordings, including clicks, scrolls, rage clicks, and form interactions. That depth makes it valuable for product and UX teams and a significant compliance risk when it fires outside a valid consent state. Lokker validates whether FullStory is gated correctly and what it actually captures relative to your banner configuration.

FullStory

FullStory is a session replay and digital experience analytics platform that records complete user sessions so teams can understand friction, replay errors, and analyze behavioral funnels at scale.

Trademark

FullStory is a trademark of FullStory, Inc. Lokker is not affiliated with or endorsed by FullStory, Inc.

Risk and failure modes

Why session replay creates outsized privacy risk

Unlike a pixel that sends a single event, session replay tools record a continuous stream of behavior. That stream often includes typed text, form field values, and identifiers before the user submits anything. Consent configuration that works for analytics tags may not address the full data surface of a session recorder.

Form field capture before submission

FullStory can record keystrokes in form fields by default. Users who type and abandon a form may still have their input captured and transmitted, often before consent is given.

Pre-consent recording window

If FullStory initializes before the consent banner resolves, session data starts accumulating immediately. The recording that begins in the pre-consent state is often the most contested ground in regulatory and litigation contexts.

PII in page content

Pages that surface account numbers, health information, or transaction details may transmit that content through the session stream even if FullStory has masking enabled, because masking rules depend on correct CSS class application and developer discipline.

Cross-session identity stitching

FullStory links sessions to persistent identifiers. If those identifiers are set or shared before consent, the user may be trackable across visits without a valid legal basis.

Consent and configuration

Adding FullStory to a consent category is not sufficient. The network layer must confirm the script does not initialize, the WebSocket connection does not open, and no session data moves until a valid consent signal is present.

  • Reject state must prevent the FullStory recording session from starting entirely, not only mask certain elements.

  • GPC signals should be treated as opt-out and prevent session replay initialization in US states with recognized GPC obligations.

  • Masking rules for sensitive fields such as passwords and payment inputs need to be tested under real recording conditions, not only visual inspection.

  • Page-level consent gates should be confirmed with network-layer testing, not inferred from CMP dashboard configuration.
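The gate described above, as an added example that is neither Lokker's nor FullStory's code: a decision function that refuses to start the recorder in the reject, pre-consent and GPC opt-out states, plus a small harness that runs the four consent states and reports which ones let the (stubbed) recorder load. The `loadSnippet` callback and the `GPC_OPT_OUT_REGIONS` set are assumptions standing in for the vendor loader and for your own legal review.

```javascript
// Constructed placeholder: regions where a GPC signal must be honoured as an
// opt-out. Populate from your own legal review; this is not a legal finding.
const GPC_OPT_OUT_REGIONS = new Set(["US-CA"]);

// consent: "none" (banner not yet resolved), "accept" or "reject".
// region: region code of the visitor. gpc: value of navigator.globalPrivacyControl.
function replayDecision({ consent, region, gpc }) {
  if (consent === "reject") {
    // Reject means the recording session never starts; masking alone is not enough.
    return { allow: false, reason: "reject: recorder must not initialize" };
  }
  if (gpc === true && GPC_OPT_OUT_REGIONS.has(region)) {
    return { allow: false, reason: "GPC opt-out honoured" };
  }
  if (consent !== "accept") {
    // Pre-consent window: no script, no WebSocket, no buffered session data.
    return { allow: false, reason: "pre-consent: banner unresolved" };
  }
  return { allow: true, reason: "explicit accept" };
}

// Invokes the loader only when the decision allows it. loadSnippet is an
// assumed stand-in for the vendor's own snippet injection.
function gateSessionReplay(ctx, loadSnippet) {
  const decision = replayDecision(ctx);
  if (decision.allow) loadSnippet();
  return decision;
}

// Harness mirroring a consent-state matrix (no interaction, accept, reject,
// GPC). Returns the names of the states in which the stubbed recorder loaded;
// a correctly gated deployment yields only ["accept"].
function runConsentMatrix(region = "US-CA") {
  const states = {
    "no-interaction": { consent: "none", region, gpc: false },
    accept: { consent: "accept", region, gpc: false },
    reject: { consent: "reject", region, gpc: false },
    gpc: { consent: "accept", region, gpc: true },
  };
  const loaded = [];
  for (const [name, ctx] of Object.entries(states)) {
    gateSessionReplay(ctx, () => loaded.push(name));
  }
  return loaded;
}
```

In a real deployment the same four states are what network-layer testing should confirm: the script request and WebSocket connection appear only in the state the harness reports as loaded.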

Regional compliance

Session replay obligations vary by jurisdiction

GDPR requires explicit opt-in for session replay in European jurisdictions; recording user sessions without prior consent is a common enforcement area. Under California law as amended by the CPRA, the sale and sharing of behavioral session data is subject to opt-out rights and GPC recognition obligations. Healthcare environments add HIPAA risk for any site that surfaces protected health information in pages captured by the recorder.

How Lokker helps

How Lokker validates FullStory consent behavior

Lokker tests the full consent lifecycle for session replay: does the FullStory script load before consent resolves, does reject actually stop the session, and what data categories appear in the recording stream across states?

Consent-state session replay testing

Consent Validator automates browser flows across no interaction, accept, reject, and GPC states and captures whether FullStory initializes and what network activity it generates in each.

Portfolio-wide session replay detection

Privacy Edge detects FullStory across your full web estate, identifies pages where it fires, and surfaces high-risk pages such as forms and checkout flows for prioritized review.

Runtime blocking before data leaves the browser

Guardian intercepts the FullStory script and WebSocket connection at the network layer and enforces trust rules so session recording cannot start in an unauthorized state.

Products that address FullStory privacy risk

Each product links to its full details so you can explore features, view a demo, and understand how it applies to your FullStory deployment.

Intelligence

Privacy Edge

Detects FullStory across all properties and flags high-risk form and checkout pages.

Enforcement

Guardian

Blocks the FullStory script at the network layer before any session data leaves the browser.

Before you deploy

Privacy questions to answer before adding FullStory

Marketing teams often evaluate tools on performance and features. These privacy questions are worth settling before the script goes live, because fixing them after a complaint is significantly more expensive.

  • Does your CMP category for session replay prevent FullStory from initializing before consent, not just hide elements?

  • Have you tested what FullStory captures in the no-interaction (pre-banner) state using actual network inspection?

  • Do your masking rules cover all pages that surface PII, PHI, or account data, and are those rules tested in production?

  • Does your privacy policy disclose session recording, and does it align with the user choices your CMP offers?

  • How does your team handle GPC signals for session replay in states that recognize GPC as an opt-out?

Next step

Validate FullStory consent behavior across your portfolio

Lokker runs automated browser-level consent flows and scans the network layer to confirm whether FullStory fires in states where it should not.