Disclosure Guide

How to disclose FullStory in your privacy policy

FullStory captures high-fidelity session data including every click, scroll, and page interaction. Its data loss prevention features help limit PII capture, but accurate policy disclosure requires describing what the tool actually collects, what masking is in place, and how consent controls its activation.

Last reviewed by Lokker Privacy Engineering

Not legal advice

The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.

Data collection

What data FullStory typically collects

This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.

  • Full session replay including mouse movements, clicks, scrolls, and rage clicks

  • Page content visible during the session (with DLP rules applied)

  • Custom user variables and attributes passed via FullStory identify

  • Page URLs and navigation sequences

  • Form interactions with DLP masking applied to sensitive fields

  • Browser and device metadata

  • Session identifiers stored in FullStory cookies

  • Performance metrics including JavaScript errors and network timing

Processing purposes

Purposes to describe in your policy

Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with FullStory.

  • Digital experience quality analysis

  • Debugging user-reported issues using session replay

  • Conversion funnel optimization

  • Accessibility and usability testing

  • Customer support and troubleshooting context

Jurisdiction notes

US and EU compliance considerations

These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.

United States

Session replay data constitutes personal information under the CCPA when linked to an identifiable user. FullStory's identify integration means that sessions can be associated with authenticated user accounts, making this personal data explicitly tied to named individuals. CIPA wiretapping claims have named session replay vendors in California litigation. Consent or an all-party notice may be required depending on jurisdiction.

EU and UK (GDPR)

FullStory requires consent as a non-essential analytics tool under the GDPR. FullStory offers EU data residency. Your policy must describe FullStory as a data processor, state the legal basis, identify the types of data captured (including session content), and describe masking and exclusion rules. If users are identified via FullStory's identify API, this constitutes processing of identifiable personal data and must be reflected in the policy.

Example language

Illustrative policy language for FullStory

The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.

Analytics or session replay table row

FullStory (FullStory, Inc.): Captures session replays, heatmaps, and behavioral analytics to analyze how visitors interact with our website. Applies data loss prevention rules to limit capture of sensitive field content. Category: Analytics and product intelligence.

Full digital experience intelligence disclosure

We use FullStory, a digital experience intelligence platform provided by FullStory, Inc., to understand and improve how users interact with our website and digital products. FullStory records user sessions including mouse movements, clicks, scroll behavior, navigation paths, and interactions with page elements. These recordings are used to identify usability issues, analyze conversion funnels, and improve the overall digital experience. FullStory applies data loss prevention rules to automatically exclude or mask input fields containing sensitive information such as passwords and payment details. We have also configured exclusion rules for additional fields containing personal information. Session recordings may capture page content visible to the user at the time of their visit. If you are an authenticated user and we have configured FullStory's user identification feature, session recordings may be associated with your user account to facilitate customer support and product analysis. Where consent is required by applicable law, FullStory will only activate after you have provided explicit consent through our consent management platform.

Configuration checklist

CMP and tag manager checklist

An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for FullStory.

  1. Assign FullStory to the "Analytics" or "Product Intelligence" category. Do not mark it as Strictly Necessary.

  2. Confirm that FullStory's initialization script does not fire before CMP consent is received. FullStory's script makes requests to rs.fullstory.com; Consent Validator can verify these are blocked in the reject state.

  3. If FullStory's identify API is used to link sessions to user accounts, update your policy to reflect this and ensure the data retention settings in FullStory match your policy statements.

  4. Review FullStory's DLP configuration against your actual DOM. Default DLP rules cover common input types, but custom components, third-party form embeds, and dynamically rendered content may require additional exclusion rules.

  5. If FullStory is deployed on pages with video content, assess VPPA exposure: session replay that captures what video content a visitor viewed and transmits this to a third party has been the basis of VPPA litigation.

Policy vs practice

What policies say versus what Lokker validates

These are common gaps between FullStory privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.

What the policy says

  • Policies often state that FullStory's data loss prevention protects all personal information captured during session recording.

  • Policies describe FullStory as collecting pseudonymous behavioral data that cannot be linked back to an individual.

  • Policies describe FullStory as consent-gated, loading only after the visitor accepts analytics or product intelligence cookies.

  • Policies do not reference CIPA or session replay wiretapping risk, treating FullStory solely as an analytics tool.

What Lokker validates

  • FullStory's DLP requires explicit configuration and does not automatically cover all sensitive DOM content. Lokker checks whether FullStory initialization occurs before consent and flags pages with sensitive content visible in the DOM at the time of recording.

  • When FullStory's identify API is active, session recordings are explicitly tied to authenticated user accounts. Lokker detects identity-linked FullStory calls and flags entries where the policy omits this transition from pseudonymous to personally identifiable data.

  • Lokker confirms whether FullStory's initialization request to rs.fullstory.com fires before, during, or only after a consent decision. Pre-consent initialization is a documented compliance failure even if the policy says otherwise.

  • FullStory has been named in California wiretapping litigation. Lokker establishes whether consent was in place before recording started, and can show whether FullStory contacts its endpoints in no-interaction or reject states where consent was never granted.

Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether FullStory loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
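Step 2 of the checklist above and the validation described in this section reduce to one check: no request to a FullStory endpoint may appear on the wire unless the captured consent state is accept and the request post-dates the decision. The following is an added example, not Lokker's or FullStory's code; it runs that check over a constructed request capture, with rs.fullstory.com taken from this page and the other hosts, paths and timestamps assumed.

```javascript
// Constructed sample captures, not a real recording: one automated visit per
// consent state, the time (ms) of the CMP decision, and the requests observed.
const SAMPLE_FLOWS = [
  { state: 'accept', decisionAt: 1000, requests: [
      { at: 400,  url: 'https://example.com/app.js' },
      { at: 700,  url: 'https://rs.fullstory.com/rec/sample' }, // before the click
      { at: 1200, url: 'https://rs.fullstory.com/rec/sample' } ] },
  { state: 'reject', decisionAt: 900, requests: [
      { at: 1100, url: 'https://rs.fullstory.com/rec/sample' } ] },
  { state: 'no-interaction', decisionAt: null, requests: [
      { at: 300,  url: 'https://rs.fullstory.com/rec/sample' } ] },
  { state: 'gpc', decisionAt: null, requests: [
      { at: 500,  url: 'https://example.com/logo.png' } ] },
];

// rs.fullstory.com is the endpoint named on the page; any other fullstory.com
// subdomain is treated as the same vendor. Unparseable URLs are not FullStory.
function isFullStoryHost(url) {
  let host;
  try { host = new URL(url).hostname; } catch { return false; }
  return host === 'fullstory.com' || host.endsWith('.fullstory.com');
}

// One finding per FullStory request the consent state does not permit: any
// request in reject, no-interaction or gpc, and any request in accept that
// fired before the decision timestamp (or with no decision recorded at all).
function auditFlow(flow) {
  const findings = [];
  for (const req of flow.requests) {
    if (!isFullStoryHost(req.url)) continue;
    if (flow.state !== 'accept') {
      findings.push({ at: req.at, url: req.url, reason: `fired in ${flow.state} state` });
    } else if (flow.decisionAt == null || req.at < flow.decisionAt) {
      findings.push({ at: req.at, url: req.url, reason: 'fired before consent decision' });
    }
  }
  return findings;
}

// Aggregates across states; a correctly gated deployment returns no violations.
function auditFlows(flows) {
  return flows.map(f => ({ state: f.state, violations: auditFlow(f) }));
}

console.log(JSON.stringify(auditFlows(SAMPLE_FLOWS), null, 2));
```

In the constructed capture the accept flow is flagged once (the request at 700 ms precedes the 1000 ms decision), the reject and no-interaction flows once each, and the GPC flow not at all.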

Questions

FullStory privacy policy FAQ

What is FullStory's data loss prevention and is it automatic?

FullStory's DLP applies automatic suppression to certain HTML input types and elements marked with the data-fullstory-exclude or fs-exclude attribute. However, DLP is not fully automatic for all sensitive content. Organizations must explicitly configure exclusion rules for custom form components, dynamically rendered content, and fields that may display personal or health-related information. A DLP audit should be performed before go-live and after significant site changes.

Does using FullStory's identify API change my privacy policy obligations?

Yes. FullStory's identify API allows you to associate a recorded session with a known user account by passing a unique user identifier and optional attributes such as name or email. Once identity linking is configured, session recordings are no longer pseudonymous: they are tied to specific individuals. Your policy must reflect that analytics data may be associated with user accounts, and your data retention and access controls should align with this.

Is FullStory subject to CIPA wiretapping claims?

Yes, FullStory and other session replay vendors have been named in California wiretapping claims under CIPA. The legal theory is that real-time session recording without all-party consent constitutes unauthorized interception of an electronic communication. Whether a specific deployment is legally compliant depends on the timing of consent, the visibility of the disclosure, and the jurisdiction of the users being recorded. Legal review is recommended before deploying session replay tools on California-facing properties.

References

Sources and citations

Regulatory guidance, enforcement decisions, and legal cases referenced on this page.

Related litigation

  • Graham v. Noom, Inc. (Session Replay/CIPA), N.D. Cal., 2021

Validate technical compliance

Confirm that FullStory fires only when it should

Check whether FullStory contacts its endpoints before consent is recorded and whether session replay stops in the reject state at the network layer.