A Guide on Session Recording and Its Privacy Concerns

Last updated on October 4, 2022

A company is entitled to use session recording or session replaying as long as its marketing and analytics needs require it. However, as enticing as recording everything the user does at all times can be, even within the existing regulations, there is a high chance that doing so will quickly push the data towards a non-compliant realm. And even in cases where regulations may not be explicit on the matter, the industry is increasingly leaning towards discouraging these practices. So, how do you make sure you get the data you need without having to worry about breaching data protection laws, and without ending up spending more time and money?

Spoiler: avoid Session Recording.

Session Recording vs. Screen Recording (vs. Data Privacy)

Let’s start by clarifying the concepts at hand here to make sure we are all on the same page.

  • Screen Recording is a feature that allows the recording of what is being shown on the screen of a device. Simply put, somebody else will be able to see what you see on your screen.
  • Session Recording is a bit more complex. It includes screen recording, but also everything that the user did during the session, such as clicks made, the time elapsed between every action, keys pressed on the keyboard, etc.

In both cases, the recording can be played and replayed at will by whoever owns and/or shares the recording.

For example, if you have a banking app and your provider has enabled session recording, the bank will theoretically be able to see everything you did in the app from the moment you opened it until you closed it, including if it was left open in the background. This means that all your interactions with the app are visible, ranging from obvious actions, like making a transaction or reviewing your statements, to perhaps more high-risk actions, such as:

  • Entering your personal tax information
  • Typing your password when logging in

Those “high-risk actions” bring us to the case built around data privacy and the protection of personally identifiable information (PII). Regulations like GDPR have provisions guiding and limiting the access to and usage of data from end-users, and requiring that such users be aware of why and for what their data is used. Now, what happens when passwords or PII are visible on session recordings and available for replay to everyone with access to them? Would that not be putting data at risk in case it falls into the wrong hands?

For and Against Screen Recording

Aside from the subject of compliance with regulations regarding what is being recorded and tracked from any given user, ethics and return on investment come into play. Ethics because we are talking about people’s data; and return on investment because, at the end of the day, the objective of most businesses is to generate profit.

Ethics

Ethics can have a level of subjectivity to it, obviously, but it is reflected in the moves being made by the industry and its own level of self-regulation. Lately, we have seen major and bold moves from the industry towards a privacy-conscious approach to user data, including Apple’s iOS 14.5 privacy changes and Facebook’s decision to ditch Facebook Analytics. We have yet to see an actual change specifically banning session recording, but maybe we do not have to if it ends up not adding up from a budget perspective.

Benefits?

You see, session recording may seem beneficial for the investment of having a product analytics solution, because among other things:

  • it tracks everything the user does, so you do not need to decide on individual actions;
  • lets you see and replay what was happening on a screen when an error or crash occurred; and
  • gives you individualized data, as you can track actions from each user.

Costs!

But at the same time,

  • it can lead to an overwhelming inflow of data that cannot be processed on time;
  • runs up data-point billing schemes;
  • lacks the exact context of what was happening with the user during the session, which may lead to wrong assumptions and bad decisions; and
  • poses the risk of your app getting called out by one of the Internet’s biggest publications for not taking the security of PII seriously enough.

Session recording has benefits, but it also has costs. And with data privacy and user awareness both growing, how do you get the level of detail a session recording offers while keeping privacy in mind?

Image showing how Countly keeps data safe

Less Is More

What works better than session recording? A solid strategy and the right tech stack.

Trying to harness too much data of the wrong kind will most likely end up being more of a curse than a blessing. The truth is that better insights can be achieved by deploying the right strategy with the right features. To keep it short and simple, let’s refute those benefits mentioned earlier:

  • There is no need to track everything the user does all the time if you set up your events correctly and with a higher degree of granularity. This lets you, for example, track the step-by-step progress of a user through a funnel, from the moment they sign up until they complete their first transaction, and later add an extra step you forgot you wanted to track. The same goes if you need to know which section visible in your application is the most viewed and/or clicked on.
  • Understanding an error or crash and its context is much easier with real-time information about the crash and the status of the device when it occurred, available both at a granular level and aggregated for all related crashes, instead of having to watch the recording of each individual crash experienced by each individual user. This, combined with the ability to monetize the crash (i.e., know how much potential revenue was lost by it) and the chance of reaching out to affected users in bulk, makes session recording quite cumbersome.
  • Does having to watch recordings of everything a user did in each of their sessions sound like too much wasted time? Yes? Well, it is. A much more effective way to understand how an individual user is interacting with your app and how their customer journey goes is to have a single snapshot that centralizes that information, enabling you to get feedback from them.
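
The first point above, sketched as an added example (not from the original article and not Countly's SDK): a tracker that stores only allowlisted events and properties, plus the sign-up-to-first-transaction funnel computed from them. All event names, property names and sample data are hypothetical.

```javascript
// Added example; every event and property name here is hypothetical.
// Only names declared in SCHEMA are stored, so typed input (passwords,
// tax details) has no path into the analytics data.
const SCHEMA = new Map([
  ["signup_started", []],
  ["signup_completed", ["plan"]],
  ["first_transaction", ["currency", "amount_bucket"]],
]);

function createTracker() {
  const events = [];
  function track(userId, name, props = {}, ts = Date.now()) {
    const allowed = SCHEMA.get(name);
    if (!allowed) return false; // undeclared event (e.g. raw keystrokes): drop
    const clean = {};
    for (const key of allowed) {
      const v = props[key];
      // Keep short scalars only; never objects or long free text.
      const ok = (typeof v === "string" && v.length <= 32) || Number.isFinite(v);
      if (ok) clean[key] = v;
    }
    events.push({ userId, name, props: clean, ts });
    return true;
  }
  return { events, track };
}

// Number of users who reached each funnel step, in order.
function funnel(events, steps) {
  const progress = new Map(); // userId -> count of steps completed so far
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    const done = progress.get(e.userId) ?? 0;
    if (done < steps.length && e.name === steps[done]) progress.set(e.userId, done + 1);
  }
  return steps.map((_, i) => [...progress.values()].filter((n) => n > i).length);
}

// Constructed sample data: user u1 completes the funnel, u2 only starts it.
const tracker = createTracker();
tracker.track("u1", "signup_started", {}, 1);
tracker.track("u1", "signup_completed", { plan: "free", password: "hunter2" }, 2);
const keystrokeStored = tracker.track("u1", "key_pressed", { key: "h" }, 3);
tracker.track("u1", "first_transaction", { currency: "EUR", amount_bucket: "0-50" }, 4);
tracker.track("u2", "signup_started", {}, 5);
const STEPS = ["signup_started", "signup_completed", "first_transaction"];
const counts = funnel(tracker.events, STEPS);
console.log(counts, keystrokeStored);
```

Adding a forgotten funnel step later means adding one entry to the schema and one name to the step list; nothing about the user's screen or keystrokes is ever collected.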

More Features = Even More Power

Aside from getting way more actionable insights, staying away from features like session recording also puts you in the safe zone when it comes to being compliant with data protection policies. Plus, if the industry’s key players seem to be already trying to have a more ethical approach to user data, basing your product analytics strategy on screen recordings may backfire and end up costing you more time and money to fix the damage.

Therefore, choosing a solution with abundant features that are not only powerful but also let you combine them in different ways for a more holistic strategy, is your way to go.

Get that strategy going with a privacy-first product today by reaching out to us and booking your demo. Or you can see for yourself the wide variety of features you too can combine at will, all of them privacy-focused, which is why you will not see session recording in Countly.
