Finding reference

Possible session replay near sensitive input surface

Retained runtime and page-surface evidence showed session-replay-related signals on or near a form, flow, or page surface that may collect sensitive information. Review the evidence context, methodology, common causes, and reviewer questions for this CertScore finding.

Selected finding

Possible session replay near sensitive input surface

  • Criticality: Critical
  • Evidence confidence: Review signal
  • Observation type: Correlated observation
  • Category: Third-party tracking
  • Prevalence: Seen on <1% of scanned top sites

Benchmark frequency is directional market context only. It is not a compliance benchmark, legal conclusion, or severity score. Rare findings may be top-ranked only when retained evidence is strong; common findings may remain medium when evidence is automated or context-dependent. Rarity is not severity, and prevalence is not compliance risk.

Observed

Retained runtime and page-surface evidence showed session-replay-related signals on or near a form, flow, or page surface that may collect sensitive information.

Why this matters

Replay-related tooling near sensitive forms or flows can raise higher review priority because masking, event capture, visual-capture settings, and page exclusions matter more in those contexts. The signal helps review teams locate pages where sensitive context and replay runtime evidence should be checked together.

Detection methodology

CertScore correlates retained session-replay-related runtime evidence with retained page-surface evidence for sensitive input fields, sensitive form context, or sensitive page purpose. The finding is surfaced when replay-style tooling appears on or near a surface that may collect health, financial, identity, location, contact, or other sensitive information in the observed scan scope. CertScore treats the co-occurrence as a review signal. The scanner does not determine that sensitive values, keystrokes, form contents, screenshots, recordings, or intercepted communications were captured, or that GDPR Article 9 applies. Financial, identity, contact, location, employment, children, protected-class, or other high-risk context signals require manual review and are not automatically GDPR Article 9 special-category data. Reviewers should confirm masking, sampling, page exclusions, payload contents, event capture, consent state, vendor configuration, and whether the retained evidence reflects the affected user-visible state.

Confidence semantics: Good when retained replay-related runtime evidence co-occurs with retained sensitive-input or sensitive-context page evidence; stronger when retained evidence includes replay endpoint context, field or surface context, consent timing, masking or exclusion context, repeated examples, and usable coverage. Manual review is still needed for active capture, masking, payload contents, consent state, sensitive context, and remediation quality.

Top-finding calibration

What must be retained to surface, top-rank, demote, or suppress this finding.

Minimum to surface

  • Replay signal plus sensitive surface in same observed scope.

High confidence requires

  • Replay collection endpoint or strong replay runtime signal plus sensitive field/page context.

Top ranking requires

  • Collection endpoint plus sensitive form plus no masking/exclusion observed or consent concern.

Demote or suppress when

  • Replay library only.
  • Global script only.
  • Sensitive field not same page/flow.
  • Masking or page exclusion observed.

These rules describe ranking calibration for already-projected findings. They do not create findings from raw signals.
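To make the correlation step of the detection methodology and the ranking rules above concrete, the following added example (not CertScore's own code) correlates retained replay runtime artifacts with retained sensitive-surface records by page or multi-step flow and applies the calibration table: suppressed when no in-scope anchor exists, demoted for library-only or global-script-only evidence or where masking or a page exclusion was observed, high confidence for a collection endpoint, top rank when the endpoint sits on a sensitive form with masking observed absent or a consent concern. The artifact records, the three-kind signal taxonomy, and the `masking` states are constructed assumptions for the example.

```python
"""Correlate replay runtime evidence with sensitive-surface evidence and rank the
projected finding. Added illustration, not CertScore code. Every artifact below
is constructed; no user-entered values or payloads are ever stored."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Replay runtime signal kinds, weakest to strongest (assumed taxonomy for this example).
STRENGTH = {"replay_library": 1, "global_script": 2, "collection_endpoint": 3}


@dataclass
class ReplaySignal:
    url: str            # page on which the runtime artifact was retained
    kind: str           # key of STRENGTH
    origin: str = ""    # collector origin kept as a stable anchor; query strings not retained
    flow_id: str = ""   # set when the page belongs to a multi-step flow


@dataclass
class SensitiveSurface:
    url: str
    surface_context: str            # e.g. "application_form"
    field_context: str              # e.g. "financial_or_identity"; field values never retained
    flow_id: str = ""
    masking: str = "unknown"        # "observed", "absent" (observed missing) or "unknown"
    page_excluded: bool = False     # a replay page exclusion was observed for this page
    consent_concern: bool = False   # e.g. collector request seen before any consent decision


def _page_key(url):
    p = urlsplit(url)
    return p.netloc.lower(), (p.path.rstrip("/") or "/")


def same_page_or_flow(sig, surf):
    """Scope rule: the runtime anchor must sit on the same page or in the same flow."""
    return _page_key(sig.url) == _page_key(surf.url) or (
        bool(surf.flow_id) and surf.flow_id == sig.flow_id)


def calibrate(surf, signals):
    """Rank one already-projected finding. Returns (level, reason, anchor)."""
    in_scope = [s for s in signals if same_page_or_flow(s, surf)]
    if not in_scope:
        return "not_surfaced", "sensitive field not same page/flow", None
    strongest = max(in_scope, key=lambda s: STRENGTH[s.kind])
    anchor = {"url": strongest.url, "kind": strongest.kind, "origin": strongest.origin}
    if surf.masking == "observed" or surf.page_excluded:
        return "demoted", "masking or page exclusion observed", anchor
    if strongest.kind != "collection_endpoint":
        return "demoted", f"{strongest.kind} only", anchor
    if "form" in surf.surface_context and (surf.masking == "absent" or surf.consent_concern):
        return "top_ranked", "collection endpoint plus sensitive form plus no masking or consent concern", anchor
    return "high_confidence", "collection endpoint plus sensitive field/page context", anchor


# Constructed sample artifacts (not real scan output).
SIGNALS = [
    ReplaySignal("https://example.com/", "global_script"),
    ReplaySignal("https://example.com/contact", "global_script"),
    ReplaySignal("https://example.com/apply", "collection_endpoint", "https://replay.example", "apply"),
    ReplaySignal("https://example.com/health/intake", "collection_endpoint", "https://replay.example"),
    ReplaySignal("https://example.com/blog", "replay_library"),
]
SURFACES = [
    SensitiveSurface("https://example.com/apply", "application_form", "financial_or_identity",
                     flow_id="apply"),
    SensitiveSurface("https://example.com/apply/step-2", "application_form", "financial_or_identity",
                     flow_id="apply", masking="absent"),
    SensitiveSurface("https://example.com/contact", "contact_form", "contact"),
    SensitiveSurface("https://example.com/health/intake", "intake_form", "health", masking="observed"),
    SensitiveSurface("https://example.com/account", "account_page", "identity"),
]


def run(surfaces=SURFACES, signals=SIGNALS):
    """Calibrate every sensitive surface against the retained runtime signals."""
    return {s.url: calibrate(s, signals) for s in surfaces}


if __name__ == "__main__":
    for url, (level, reason, anchor) in run().items():
        print(f"{level:16} {url}  ({reason})")
```

The flow identifier is what lets the endpoint anchor retained on the first step of a multi-step form count for the second step; without it, step two would fall to "not surfaced" even though the same collector is active across the flow.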

Example evidence

Replay near sensitive surface

  • artifact=replay_sensitive_001
  • role=finding_supporting_artifact
  • url=https://example.com/apply
  • replay_request_origin=https://replay.example
  • replay_request_path=/collect [query_redacted=true]
  • surface_context=application_form
  • sensitive_field_context=financial_or_identity [values_not_retained]
  • detected_pattern=replay_runtime_on_sensitive_surface
  • review_caveat=manual review should confirm active collection, masking, visual-capture settings, keystroke capture, payload contents, consent state, and page exclusions

Review context

  • possible_source=shared_template_or_tag_manager
  • states_to_review=default, focus, typing, validation_error, multi_step_form
  • payload_values_retained=false
  • screenshots_retained=false
  • manual_review_needed=true

What should not count by itself

  • replay_vendor_present=true [insufficient_without_sensitive_surface_context]
  • sensitive_field_label=income [insufficient_without_runtime_replay_anchor]
  • screenshot_claim [requires_manual_verification]
  • raw_dom_or_field_value [must_not_be_public_sample_evidence]
Redacted sample JSON
{
  "findingId": "possible_session_replay_on_sensitive_input_surface",
  "label": "Possible session replay near sensitive input surface",
  "category": "Third-party tracking",
  "criticality": "critical",
  "evidenceConfidence": "review_signal",
  "directVsInferred": "correlated_observation",
  "evidence": {
    "summary": "Retained runtime and page-surface evidence showed session-replay-related signals on or near a form, flow, or page surface that may collect sensitive information.",
    "examples": [
      {
        "title": "Replay near sensitive surface",
        "lines": [
          "artifact=replay_sensitive_001",
          "role=finding_supporting_artifact",
          "url=https://example.com/apply",
          "replay_request_origin=https://replay.example",
          "replay_request_path=/collect [query_redacted=true]",
          "surface_context=application_form",
          "sensitive_field_context=financial_or_identity [values_not_retained]",
          "detected_pattern=replay_runtime_on_sensitive_surface",
          "review_caveat=manual review should confirm active collection, masking, visual-capture settings, keystroke capture, payload contents, consent state, and page exclusions"
        ]
      },
      {
        "title": "Review context",
        "lines": [
          "possible_source=shared_template_or_tag_manager",
          "states_to_review=default, focus, typing, validation_error, multi_step_form",
          "payload_values_retained=false",
          "screenshots_retained=false",
          "manual_review_needed=true"
        ]
      },
      {
        "title": "What should not count by itself",
        "lines": [
          "replay_vendor_present=true [insufficient_without_sensitive_surface_context]",
          "sensitive_field_label=income [insufficient_without_runtime_replay_anchor]",
          "screenshot_claim [requires_manual_verification]",
          "raw_dom_or_field_value [must_not_be_public_sample_evidence]"
        ]
      }
    ]
  }
}

Regulatory review context

Session replay near sensitive input review

Retained runtime and page-surface evidence showed session-replay-related signals near a sensitive-input or sensitive-context surface that may be relevant to masking, consent, special-category or high-risk context, security, and vendor-governance review. Browser-visible evidence does not determine capture, retention, interception, or legal status.

Review contexts:

  • GDPR special-category or high-risk context review
  • GDPR minimization, security, and transparency review
  • Wiretap, eavesdropping, or recording-law manual review
  • Health-context online tracking review
  • CCPA/CPRA sensitive personal information review
  • EU GDPR special-category or high-risk context review

More context is given in the reference notes below.

Legal and regulatory frameworks

  • GDPR special-category or high-risk context review: The retained surface context may involve Article 9 special-category data, such as health, biometric-for-identification, genetic, racial or ethnic origin, political opinion, religious or philosophical belief, trade-union membership, sex-life, or sexual-orientation context, or may otherwise involve sensitive/high-risk fields that require manual review.
  • GDPR minimization, security, and transparency review: Replay telemetry, identifiers, form context, or user behavior signals may involve personal data or sensitive inferences depending on implementation and manual review.
  • Wiretap, eavesdropping, or recording-law manual review: Replay or recording signals may require jurisdiction-specific manual legal review where interaction capture, communications, consent-to-record, or similar theories may be relevant. Browser-visible evidence does not determine capture, retention, interception, or legal status.

Jurisdictional contexts

  • Health-context online tracking review: The observed surface may involve health, telehealth, patient portals, health apps, or consumer health data.
  • CCPA/CPRA sensitive personal information review: California users and sensitive personal information, sale/share, or cross-context advertising may be in scope.
  • EU GDPR special-category or high-risk context review: EU/EEA users and Article 9 special-category data, sensitive inferences, or high-risk context may be in scope depending on the surface, purpose, and manual review.
  • Jurisdiction-specific wiretap/eavesdropping or session-replay review: Replay or recording signals may require jurisdiction-specific manual legal review where interaction capture, communications, consent-to-record, or similar theories may be relevant. Browser-visible evidence does not determine capture, retention, interception, or legal status.

This finding does not determine legal status, GDPR Article 9 status, consent validity, keystroke capture, screenshot capture, sensitive-value capture, recording retention, interception, or compliance status. Financial, identity, contact, location, employment, children, protected-class, or other high-risk context signals require manual review and are not automatically GDPR Article 9 special-category data. Review retained replay anchors, sensitive-surface context, masking, sampling, payload evidence, consent state, and vendor configuration.

Evidence standard

Strong

  • Retained runtime evidence includes replay-related script, request, endpoint, or vendor context on or near a sensitive-input or sensitive-context surface.
  • Retained page-surface evidence identifies the sensitive form, field context, or page purpose without exposing user-entered values.
  • Evidence includes page URL, replay-related runtime anchor, representative field or surface context where safe, consent timing where available, and redaction of payloads and identifiers.
  • Evidence distinguishes replay-service presence from confirmed sensitive-value capture where retained.
  • Coverage context indicates the runtime and page-surface observations were not materially blocked or unreliable.

Good

  • Retained evidence shows replay-related runtime context and a sensitive-input or sensitive-context surface in the same observed scope, but active capture, masking, or payload contents require manual review.
  • The retained example is enough for a reviewer to inspect vendor configuration, page exclusions, masking, and consent state manually.
  • The evidence is likely a replay-on-sensitive-surface review signal, but keystroke capture, screenshots, recordings, masking, and user impact require manual review.

Audit-only

  • Replay-related tooling appears somewhere on the site, but retained evidence does not clearly connect it to the sensitive surface.
  • Sensitive surface evidence exists, but replay-related runtime evidence is incomplete or outside the observed page scope.
  • Vendor documentation, policy text, or template name suggests replay risk, but no retained co-occurrence artifact supports the observed state.

Insufficient

  • Replay vendor name alone without retained page or runtime co-occurrence evidence.
  • Sensitive field label alone without replay-related runtime evidence.
  • Raw DOM, screenshots, user-entered values, full payloads, or session recordings as public evidence.
  • Replay observed only on unrelated pages.
  • Claims that sensitive values, keystrokes, screenshots, form contents, or recordings were captured based only on automated co-occurrence evidence.

Evidence levels explain how CertScore treats retained runtime artifacts. They are not legal conclusions.

Common causes

  • Replay or behavior-analytics tooling is loaded on form pages or account, application, health, financial, or identity flows.
  • Sensitive fields, helper text, error states, or typed input events may not be fully masked or excluded.
  • Replay vendor settings are managed separately from CMP or tag-manager consent state.
  • Page-level replay exclusions do not cover dynamic routes, multi-step forms, or responsive variants.
  • Sensitive forms inherit global replay scripts from a shared template or tag container.
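Two of the causes above, unmasked sensitive fields and page-level exclusions that miss dynamic routes, can be checked before a replay tag ships. The following added example (not CertScore's or any replay vendor's code) lints a form for sensitive inputs that lack a masking marker and lists sensitive routes that an exclusion list fails to cover. The marker attribute `data-replay-mask`, the sensitivity heuristics, the sample form, and the route list are constructed assumptions; real replay SDKs use their own vendor-specific class or attribute names.

```python
"""Pre-deployment lint for replay masking and page-exclusion coverage.
Added illustration, not CertScore or vendor code. MASK_ATTR is a placeholder
for whatever marker the deployed replay SDK actually honours."""
from fnmatch import fnmatch
from html.parser import HTMLParser

MASK_ATTR = "data-replay-mask"   # assumed marker; substitute the vendor's real one

# Heuristics for sensitive input (constructed; extend per site and field inventory).
SENSITIVE_TYPES = {"password", "tel", "email"}
SENSITIVE_AUTOCOMPLETE_PREFIXES = ("cc-", "street-address", "postal-code", "tel", "email", "name")
SENSITIVE_NAME_HINTS = ("ssn", "income", "dob", "diagnosis", "account", "iban", "salary", "address")


class FieldScanner(HTMLParser):
    """Collect input/textarea/select elements and whether each carries the mask marker."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea", "select"):
            return
        a = dict(attrs)  # a valueless attribute is present with value None
        self.fields.append({
            "name": a.get("name") or "",
            "type": (a.get("type") or "text").lower(),
            "autocomplete": (a.get("autocomplete") or "").lower(),
            "masked": MASK_ATTR in a,
        })


def is_sensitive(field):
    """Type, autocomplete token, or field name suggests sensitive content."""
    name = field["name"].lower()
    return (field["type"] in SENSITIVE_TYPES
            or field["autocomplete"].startswith(SENSITIVE_AUTOCOMPLETE_PREFIXES)
            or any(hint in name for hint in SENSITIVE_NAME_HINTS))


def unmasked_sensitive_fields(html):
    """Names of sensitive fields that would be captured unless masked elsewhere."""
    scanner = FieldScanner()
    scanner.feed(html)
    return [f["name"] for f in scanner.fields if is_sensitive(f) and not f["masked"]]


def uncovered_routes(exclusion_globs, sensitive_routes):
    """Sensitive routes the page-exclusion list misses (steps, locales, variants)."""
    return [r for r in sensitive_routes if not any(fnmatch(r, g) for g in exclusion_globs)]


# Constructed sample form: two fields masked, two sensitive fields left unmasked.
SAMPLE_FORM = """
<form action="/apply" method="post">
  <input name="full_name" autocomplete="name" data-replay-mask>
  <input name="email" type="email">
  <input name="annual_income" type="number">
  <input name="ssn" type="text" data-replay-mask>
  <select name="loan_purpose"><option>home</option></select>
  <input name="csrf" type="hidden" value="constructed-token">
  <button type="submit">Continue</button>
</form>
"""

# Constructed exclusion list and the sensitive routes a crawl actually observed.
EXCLUSIONS = ["/apply", "/health/*"]
SENSITIVE_ROUTES = ["/apply", "/apply/step-2", "/es/apply",
                    "/health/intake", "/health/intake/confirm"]

if __name__ == "__main__":
    print("unmasked sensitive fields:", unmasked_sensitive_fields(SAMPLE_FORM))
    print("routes not covered by exclusions:", uncovered_routes(EXCLUSIONS, SENSITIVE_ROUTES))
```

The route check deliberately feeds the exclusion globs with observed routes rather than the routes in a sitemap, because the second form step and the localized variant are exactly the surfaces a hand-written exclusion list tends to omit.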

Recommended review questions

  • Which replay-related runtime artifact and which sensitive surface were retained?
  • Is the affected surface a form, multi-step flow, account page, checkout, application, portal, health, financial, identity, or support page?
  • Was replay collection active on the surface, or was the evidence limited to replay library or vendor presence?
  • Could sensitive values, field labels, error states, helper text, screenshots, DOM mutations, or typed events be exposed under current vendor settings?
  • Are sensitive fields, page sections, and dynamic states masked or excluded before collection?
  • Did the replay signal occur before consent, after consent, after reject, or outside known consent context?
  • Do page-level exclusions cover responsive variants, localized pages, authenticated states, and multi-step forms?
  • Are payloads, identifiers, screenshots, raw DOM, and user-entered values excluded or redacted from public evidence?
  • Should manual privacy, security, legal, and accessibility review confirm masking, consent posture, user impact, and remediation quality?

Limitations and cautions

  • This finding is an automated replay-on-sensitive-surface review signal, not a legal conclusion, certification, compliance determination, or determination of consent validity.
  • Co-occurrence of replay-related runtime evidence and a sensitive surface does not determine that sensitive field values, keystrokes, screenshots, form contents, or recordings were captured.
  • The evidence may reflect a shared template, global script, library availability, or vendor tag presence rather than active replay collection on a submitted form.
  • Automated evidence may not fully determine masking quality, sampling, page exclusions, payload contents, authenticated states, user-triggered form states, or vendor-side retention.
  • Manual review is needed to confirm sensitive context, replay configuration, masking, consent state, payload contents, page exclusions, user impact, and remediation quality.
  • CertScore redacts or avoids retaining full query strings, payloads, identifiers, screenshots, raw DOM, and user-entered values while preserving stable anchors needed for review.
  • Automated findings may contain errors and should be reviewed with the retained evidence.
  • Not detected means not observed in the scan scope; it is not proof of absence.
  • Findings are runtime evidence and public-surface observations for review, not legal conclusions.

Related reading

Reference notes

  • CertScore uses findings, evidence, signals, and observations consistently: signals are raw runtime or page-surface events, evidence is retained support, observations are interpreted evidence context, and findings are promoted review items.
  • Findings are runtime evidence and public-surface observations for review. Observed signals may surface possible concerns, but review is recommended before operational or legal reliance.
  • Finding reference content is reviewed periodically and updated when material guidance changes. CertScore monitors guidance families such as EDPB consent and ePrivacy materials, ICO cookie guidance, CNIL tracker recommendations, FTC privacy and dark-pattern materials, and relevant accessibility guidance where applicable.
  • EDPB consent guidance is relevant to consent quality and affirmative indication where consent is relied upon.
  • EU ePrivacy cookie/tracker principles are relevant to storing information or gaining access to information on user terminal equipment.
  • ICO cookie and similar technologies guidance is relevant to active consent, clear explanation, and essential-cookie exceptions.
  • CNIL cookie/tracker and analytics guidance is relevant to tracker consent and limited analytics exemptions.
  • FTC dark-pattern and commercial-surveillance materials may be relevant to hidden tracking or unclear user-choice review, but this finding does not determine deception, unfairness, or legal status.
  • Prevalence labels use the Tranco top 1-2500 calibration set, an approximately 2,505-scan directional calibration set.