Finding reference

Session replay service signal observed

Retained runtime evidence showed a script, request, or vendor pattern associated with session replay, heatmaps, recording, or behavior analytics in the observed public-page scope. Review the evidence context, methodology, common causes, and reviewer questions for this CertScore finding.

Selected finding

Session replay service signal observed

  • Criticality: High
  • Evidence confidence: Review signal
  • Direct vs inferred: Direct observation
  • Category: Third-party tracking
  • Prevalence: Seen on ~9% of scanned top sites

Benchmark frequency is directional market context only. It is not a compliance benchmark, legal conclusion, or severity score. Rare findings may be top-ranked only when retained evidence is strong; common findings may remain medium when evidence is automated or context-dependent. Rarity is not severity, and prevalence is not compliance risk.

Observed

Retained runtime evidence showed a script, request, or vendor pattern associated with session replay, heatmaps, recording, or behavior analytics in the observed public-page scope.

Why this matters

Session replay and behavior-analytics tools can be useful for product debugging, but they may observe detailed interaction patterns. For review teams, this signal can help identify where replay tooling, masking, sampling, consent gating, and page exclusions may warrant review before relying on the finding operationally or legally.

Detection methodology

CertScore inspects retained network, script-host, request, vendor, and category evidence for session replay, heatmap, recording, and behavior-analytics patterns. The finding is surfaced when retained runtime evidence includes a script, request, endpoint, or vendor pattern associated with replay-style tooling in the observed public-page scope. CertScore treats session-replay service evidence as a review signal. The scanner does not determine that keystrokes, sensitive values, full recordings, or user communications were captured or retained. Reviewers should consider vendor configuration, masking, sampling, consent state, page-level exclusions, sensitive surfaces, payload evidence, and whether the retained artifact reflects active replay collection or only library availability.

Confidence semantics: Good when retained runtime evidence includes replay-related script, request, endpoint, or vendor context with page URL, category, timing, and enough detail for reviewer inspection; stronger when retained evidence also includes consent timing, collection endpoint context, repeated examples, page exclusions, and usable coverage. Manual review is still needed for active recording status, masking, sampling, payload contents, consent state, and remediation quality.

Top-finding calibration

What must be retained to surface, top-rank, demote, or suppress this finding.

Minimum to surface

  • Replay-related script, request, vendor, or endpoint artifact.

High confidence requires

  • Endpoint or service classification plus page, timing, and vendor context.

Top ranking requires

  • Collection endpoint.
  • Sensitive page.
  • Pre-consent or post-reject timing.
  • No masking or exclusion observed.

Demote or suppress when

  • Vendor name only.
  • Generic analytics.
  • Policy text only.

These rules describe ranking calibration for already-projected findings. They do not create findings from raw signals.
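The calibration rules above, applied to one retained artifact, as an added example that is not CertScore's code. Field names follow the example evidence on this page; the pattern vocabulary, the `vendor` field and the `unknown` consent-timing value are assumptions.

```javascript
// Added example, not CertScore's code: applies the page's top-finding calibration
// rules to one retained runtime artifact. Field names follow the example evidence;
// the pattern vocabulary and the 'unknown' consent timing value are assumptions.
const REPLAY_PATTERNS = new Set(['replay_library', 'collection_endpoint', 'heatmap_script']);

// Retain a request as a stable anchor: keep origin and path, drop query and fragment
// (mirrors "request_path=/recorder.js [query_redacted=true]" in the sample evidence).
function retainRequest(rawUrl) {
  const u = new URL(rawUrl);
  return { request_origin: u.origin, request_path: u.pathname, query_redacted: u.search.length > 0 };
}

// Returns 'suppressed', 'surfaced', 'high_confidence' or 'top_ranked'.
function rankReplayFinding(a) {
  // Demote or suppress: vendor name only, generic analytics, or policy text only.
  const hasRuntimeArtifact = Boolean(a.request_origin && a.request_path);
  if (!hasRuntimeArtifact || !REPLAY_PATTERNS.has(a.detected_pattern)) return 'suppressed';

  // High confidence: service classification plus page, timing and vendor context.
  const classified = a.vendor_category === 'session_replay_or_behavior_analytics';
  const hasContext = Boolean(a.url && a.consent_timing && a.vendor);
  if (!classified || !hasContext) return 'surfaced';

  // Top ranking: collection endpoint, sensitive page, pre-consent or post-reject
  // timing, and no masking or exclusion observed; otherwise stays high confidence.
  const top = a.detected_pattern === 'collection_endpoint'
    && a.sensitive_surface_observed === true
    && (a.consent_timing === 'pre_consent' || a.consent_timing === 'post_reject')
    && a.masking_or_exclusion_observed === false;
  return top ? 'top_ranked' : 'high_confidence';
}

// Constructed artifact shaped like the page's req_005 example; the query string is redacted on retention.
const SAMPLE_ARTIFACT = {
  ...retainRequest('https://replay.example/recorder.js?sid=constructed-session-id'),
  url: 'https://example.com/',
  vendor: 'Example Replay',
  vendor_category: 'session_replay_or_behavior_analytics',
  detected_pattern: 'replay_library',
  consent_timing: 'unknown',           // page recommends manual review here
  sensitive_surface_observed: false,
  masking_or_exclusion_observed: null, // not determinable from the browser scan
};

console.log(rankReplayFinding(SAMPLE_ARTIFACT)); // high_confidence: library seen, not top-ranked
```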

Example evidence

Session replay service signal

  • artifact=req_005
  • role=finding_supporting_artifact
  • url=https://example.com/
  • request_origin=https://replay.example
  • request_path=/recorder.js [query_redacted=true]
  • resource_type=script
  • vendor_category=session_replay_or_behavior_analytics
  • detected_pattern=replay_library_or_collection_endpoint
  • consent_timing_context=manual_review_recommended
  • review_caveat=manual review should confirm active collection, masking, sampling, consent state, page exclusions, and vendor configuration

Review context

  • possible_source=tag_manager_or_product_analytics
  • contexts_to_review=masking, sampling, page_exclusions, consent_gating, payload_contents
  • sensitive_surface_observed=false
  • payload_values_retained=false
  • manual_review_needed=true

What should not count by itself

  • vendor_name=Example Replay [insufficient_without_runtime_artifact]
  • generic_analytics_script=true [audit_only_without_replay_pattern]
  • policy_mentions_session_replay [insufficient_without_runtime_evidence]
  • screenshot_or_recording_claim [requires_manual_verification]
Redacted sample JSON

{
  "findingId": "session_recording_services_detected",
  "label": "Session replay service signal observed",
  "category": "Third-party tracking",
  "criticality": "high",
  "evidenceConfidence": "review_signal",
  "directVsInferred": "direct_observation",
  "evidence": {
    "summary": "Retained runtime evidence showed a script, request, or vendor pattern associated with session replay, heatmaps, recording, or behavior analytics in the observed public-page scope.",
    "examples": [
      {
        "title": "Session replay service signal",
        "lines": [
          "artifact=req_005",
          "role=finding_supporting_artifact",
          "url=https://example.com/",
          "request_origin=https://replay.example",
          "request_path=/recorder.js [query_redacted=true]",
          "resource_type=script",
          "vendor_category=session_replay_or_behavior_analytics",
          "detected_pattern=replay_library_or_collection_endpoint",
          "consent_timing_context=manual_review_recommended",
          "review_caveat=manual review should confirm active collection, masking, sampling, consent state, page exclusions, and vendor configuration"
        ]
      },
      {
        "title": "Review context",
        "lines": [
          "possible_source=tag_manager_or_product_analytics",
          "contexts_to_review=masking, sampling, page_exclusions, consent_gating, payload_contents",
          "sensitive_surface_observed=false",
          "payload_values_retained=false",
          "manual_review_needed=true"
        ]
      },
      {
        "title": "What should not count by itself",
        "lines": [
          "vendor_name=Example Replay [insufficient_without_runtime_artifact]",
          "generic_analytics_script=true [audit_only_without_replay_pattern]",
          "policy_mentions_session_replay [insufficient_without_runtime_evidence]",
          "screenshot_or_recording_claim [requires_manual_verification]"
        ]
      }
    ]
  }
}

Regulatory review context

Session replay and behavior analytics review

Retained runtime evidence showed session replay, heatmap, recording, or behavior-analytics service signals that may be relevant to consent, transparency, minimization, security, sensitive-page exclusion, and vendor-governance review. Browser-visible evidence does not determine capture, retention, interception, or legal status.


Legal and regulatory frameworks

  • GDPR transparency, minimization, and security review: Behavior-analytics or replay signals may involve personal data, identifiers, form interactions, or user behavior profiles depending on implementation and context.
  • ePrivacy device access/storage review: Replay tooling may store identifiers, access device/browser information, or use cookies/similar technologies depending on vendor configuration.
  • Wiretap, eavesdropping, or recording-law manual review: Replay or recording signals may require jurisdiction-specific manual legal review where interaction capture, communications, consent-to-record, or similar theories may be relevant. Browser-visible evidence does not determine capture, retention, interception, or legal status.

Jurisdictional contexts

  • EU GDPR/ePrivacy session replay review: EU/EEA users, identifiers, behavior telemetry, cookies, or device-access signals may be in scope depending on purpose, consent state, and jurisdictional context.
  • UK PECR / UK GDPR behavior analytics review: UK users, cookies/similar technologies, or personal-data behavior analytics may be in scope depending on purpose, consent state, and manual review.
  • Health-context online tracking review: The observed surface may involve health, telehealth, patient portals, health apps, or consumer health data.
  • CCPA/CPRA sensitive personal information review: California users and sensitive personal information, sale/share, or cross-context advertising may be in scope.

This finding does not determine legal status, consent validity, keystroke capture, sensitive-value capture, full recording retention, interception, or compliance status. Review retained runtime anchors, vendor configuration, masking, sampling, consent state, payload contents, and page exclusions.

Evidence standard

Strong

  • Retained runtime evidence includes a script, request, endpoint, or vendor pattern associated with session replay, heatmaps, recording, or behavior analytics.
  • Evidence includes page URL, request origin or script host, vendor or category classification, timing, and query or payload redaction where applicable.
  • Evidence gives enough context to distinguish replay or behavior-analytics tooling from generic analytics where possible.
  • Evidence includes consent timing, page-path context, or repeated observations across pages where retained.
  • Coverage context indicates the retained request or script evidence was not materially blocked or unreliable.

Good

  • Retained evidence shows a replay-related vendor, script host, request, or endpoint with enough context for reviewer inspection.
  • The retained example is enough for a reviewer to inspect vendor configuration, consent state, masking, sampling, and page exclusions manually.
  • The evidence is likely a session-replay or behavior-analytics review signal, but active recording, payload contents, masking, and user impact require manual review.

Audit-only

  • Vendor or script context suggests replay or behavior analytics, but retained evidence lacks enough detail to confirm service category or page context.
  • A tag manager or analytics container may load replay tooling, but no retained replay-related script, request, or vendor artifact identifies the affected service.
  • Policy text or vendor documentation mentions replay or recordings, but no retained runtime artifact supports the observed state.

Insufficient

  • Vendor name alone without retained script, request, endpoint, or page context.
  • Generic analytics request without replay, heatmap, recording, or behavior-analytics classification.
  • Policy text, CMP vendor name, or static source reference without runtime evidence.
  • A screenshot, user report, or visual impression without retained runtime artifact or manual verification.
  • Claims about keystroke capture, sensitive-value capture, full recordings, legal status, consent validity, or compliance status based only on automated evidence.

Evidence levels explain how CertScore treats retained runtime artifacts. They are not legal conclusions.

Common causes

  • Replay, heatmap, or behavior-analytics tooling is loaded globally through a tag manager.
  • Session-replay libraries initialize before consent state or page exclusions are applied.
  • Masking, sampling, or page-exclusion settings are configured only in the vendor dashboard and not verified against the public runtime.
  • Marketing, support, or product-analytics templates reuse the same replay snippet across sensitive and non-sensitive pages.
  • Vendor categorization treats replay tooling as generic analytics instead of a higher-review behavior telemetry service.
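One way a site owner can address the first three causes above (global loading, initialization before consent, and masking or exclusions that live only in a vendor dashboard), as an added example that is not CertScore's or any vendor's code. The consent object shape, the exclusion prefixes, the recorder URL and the data attributes the recorder is assumed to read are all illustrative assumptions.

```javascript
// Added example, not CertScore's or any vendor's code: a consent- and path-gated
// loader for a replay snippet. The consent object shape, the exclusion list, the
// recorder URL and the masking option names are assumptions for illustration.
const REPLAY_CONFIG = {
  src: 'https://replay.example/recorder.js',                  // placeholder vendor script
  excludedPathPrefixes: ['/account', '/checkout', '/health'], // constructed sensitive surfaces
  maskAllInputs: true,                                        // set in code, not only in a dashboard
  sampleRate: 0.1,
};

// Pure decision: returns { load, reason } so the gating can be unit-tested and audited.
function replayLoadDecision({ consent, pathname }, cfg = REPLAY_CONFIG) {
  if (!consent || consent.analytics !== 'granted') return { load: false, reason: 'no_consent' };
  if (cfg.excludedPathPrefixes.some((p) => pathname.startsWith(p))) {
    return { load: false, reason: 'excluded_path' };
  }
  return { load: true, reason: 'consent_and_path_ok' };
}

// Injects the recorder only when the decision allows it; `doc` is injectable for tests.
// The recorder is assumed to read its masking and sampling settings from data attributes.
function loadReplayIfAllowed(state, cfg = REPLAY_CONFIG, doc = globalThis.document) {
  const decision = replayLoadDecision(state, cfg);
  if (!decision.load) return decision;
  const s = doc.createElement('script');
  s.src = cfg.src;
  s.async = true;
  // Pass masking and sampling explicitly so the public runtime reflects the intended settings.
  s.dataset.maskAllInputs = String(cfg.maskAllInputs);
  s.dataset.sampleRate = String(cfg.sampleRate);
  doc.head.appendChild(s);
  return decision;
}
```

Calling loadReplayIfAllowed from the CMP's consent-change callback, rather than at page load, keeps the recorder from initializing before a consent decision exists.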

Recommended review questions

  • Which script, request, endpoint, or vendor pattern triggered the replay or behavior-analytics signal?
  • Was the retained artifact a replay library, collection endpoint, heatmap script, behavior-analytics vendor, or supporting tag-manager context?
  • Did the signal appear before consent, after consent, after reject, or outside known consent context?
  • Is replay active on the page, or is the evidence limited to library availability or a vendor script load?
  • Are masking, sampling, field exclusions, and page-level exclusions configured and verified?
  • Could the tool capture clicks, scrolls, forms, errors, DOM changes, screenshots, or typed input under certain settings?
  • Does the behavior vary by region, browser state, page path, login state, or CMP configuration?
  • Are query strings, payloads, session identifiers, and user-entered values redacted or avoided in retained/public evidence?
  • Should privacy, security, legal, and product teams manually review vendor configuration and remediation quality?

Limitations and cautions

  • This finding is an automated session-replay and behavior-analytics review signal, not a legal conclusion, certification, compliance determination, or determination of consent validity.
  • Detecting a replay-related vendor, script, or endpoint does not determine that keystrokes, sensitive values, full recordings, screenshots, or user communications were captured or retained.
  • Some replay and behavior-analytics tools can be configured for masking, sampling, field suppression, page exclusions, and consent gating.
  • Automated evidence may not fully determine active recording status, payload contents, masking quality, vendor settings, or downstream use.
  • Manual review is needed to confirm vendor configuration, consent state, page-level exclusions, masking, sampling, payload contents, user impact, and remediation quality.
  • CertScore redacts or avoids retaining full query strings, payloads, identifiers, screenshots, raw DOM, and user-entered values while preserving stable anchors needed for review.
  • Server-side processing, vendor-side recording retention, and dashboard configuration may not be visible to a browser scan.
  • Automated findings may contain errors and should be reviewed with the retained evidence.
  • Not detected means not observed in the scan scope; it is not proof of absence.
  • Findings are runtime evidence and public-surface observations for review, not legal conclusions.

Reference notes

  • CertScore uses findings, evidence, signals, and observations consistently: signals are raw runtime or page-surface events, evidence is retained support, observations are interpreted evidence context, and findings are promoted review items.
  • Findings are runtime evidence and public-surface observations for review. Observed signals may surface possible concerns, but review is recommended before operational or legal reliance.
  • Finding reference content is reviewed periodically and updated when material guidance changes. CertScore monitors guidance families such as EDPB consent and ePrivacy materials, ICO cookie guidance, CNIL tracker recommendations, FTC privacy and dark-pattern materials, and relevant accessibility guidance where applicable.
  • EDPB consent guidance is relevant to consent quality and affirmative indication where consent is relied upon.
  • EU ePrivacy cookie/tracker principles are relevant to storing information or gaining access to information on user terminal equipment.
  • ICO cookie and similar technologies guidance is relevant to active consent, clear explanation, and essential-cookie exceptions.
  • CNIL cookie/tracker and analytics guidance is relevant to tracker consent and limited analytics exemptions.
  • FTC dark-pattern and commercial-surveillance materials may be relevant to hidden tracking or unclear user-choice review, but this finding does not determine deception, unfairness, or legal status.
  • Prevalence labels use the Tranco top 1-2500 calibration set, an approximately 2,505-scan directional calibration set.