Selected finding
Session replay observed with sensitive input surfaces
Benchmark frequency is directional market context only. It is not a compliance benchmark, legal conclusion, or severity score. Rare findings may be top-ranked only when retained evidence is strong; common findings may remain medium when evidence is automated or context-dependent. Rarity is not severity, and prevalence is not compliance risk.
Observed
Retained runtime and page-surface evidence showed session-replay-related signals and sensitive input surfaces in the same observed scan scope, without retained same-page or same-flow replay linkage.
Why this matters
This observation can help reviewers decide whether the site behavior deserves deeper privacy, accessibility, consent, or consumer-protection review in context.
Detection methodology
CertScore compares retained replay-related runtime evidence with retained page-surface evidence for sensitive input fields, form context, page purpose, and semantic cues in the same scan. The finding is surfaced when replay-related runtime context and sensitive-surface context are both retained, but the retained evidence does not need to show same-page or same-flow replay linkage. CertScore treats this co-presence as a review signal. The scanner does not determine that sensitive field values, keystrokes, screenshots, recordings, or user communications were captured. Reviewers should consider vendor configuration, masking, sampling, page exclusions, consent state, payload evidence, field purpose, and whether the retained evidence reflects the affected user-facing flow.
Confidence semantics: Good when retained replay-related runtime evidence and sensitive-input or sensitive-context page evidence appear in the same scan; stronger when retained evidence includes replay endpoint context, field or surface context, consent timing, masking or exclusion context, repeated examples, and usable coverage. Manual review is still needed for same-page linkage, active capture, masking, payload contents, consent state, sensitive context, and remediation quality.
Top-finding calibration
What must be retained to surface, top-rank, demote, or suppress this finding.
Minimum to surface
- Retained evidence supports the finding through the canonical concern/policy/unified-finding pipeline.
High confidence requires
- Corroborated retained evidence and usable coverage.
Top ranking requires
- Stronger directness, corroboration, affected surface, and review relevance.
Demote or suppress when
- Evidence is ambiguous, unsupported, blocked, or audit-only.
These rules describe ranking calibration for already-projected findings. They do not create findings from raw signals.
Example evidence
Replay plus sensitive surface scan context
artifact=replay_sensitive_scan_001
role=finding_supporting_artifact
url=https://example.com/
replay_request_origin=https://replay.example
replay_request_path=/collect [query_redacted=true]
sensitive_surface_context=account_or_application_form [values_not_retained]
observed_scope=same_scan
same_page_or_same_flow_linkage=false_or_not_retained
review_caveat=manual review should confirm active collection, masking, visual-capture settings, payload contents, consent state, and page exclusions
Review context
possible_source=shared_template_or_tag_manager
contexts_to_review=replay_vendor_config, masking, sampling, page_exclusions, consent_gating, field_purpose
payload_values_retained=false
screenshots_retained=false
manual_review_needed=true
What should not count by itself
replay_vendor_present=true [insufficient_without_sensitive_surface_context]
sensitive_field_label=income [insufficient_without_runtime_replay_anchor]
same_scan_context [does_not_show_field_value_capture]
raw_dom_or_field_value [must_not_be_public_sample_evidence]
Redacted sample JSON
{
  "findingId": "session_replay_present_with_sensitive_surfaces_observed",
  "label": "Session replay observed with sensitive input surfaces",
  "category": "Third-party tracking",
  "criticality": "high",
  "evidenceConfidence": "review_signal",
  "directVsInferred": "correlated_observation",
  "evidence": {
    "summary": "Retained runtime and page-surface evidence showed session-replay-related signals and sensitive input surfaces in the same observed scan scope, without retained same-page or same-flow replay linkage.",
    "examples": [
      {
        "title": "Replay plus sensitive surface scan context",
        "lines": [
          "artifact=replay_sensitive_scan_001",
          "role=finding_supporting_artifact",
          "url=https://example.com/",
          "replay_request_origin=https://replay.example",
          "replay_request_path=/collect [query_redacted=true]",
          "sensitive_surface_context=account_or_application_form [values_not_retained]",
          "observed_scope=same_scan",
          "same_page_or_same_flow_linkage=false_or_not_retained",
          "review_caveat=manual review should confirm active collection, masking, visual-capture settings, payload contents, consent state, and page exclusions"
        ]
      },
      {
        "title": "Review context",
        "lines": [
          "possible_source=shared_template_or_tag_manager",
          "contexts_to_review=replay_vendor_config, masking, sampling, page_exclusions, consent_gating, field_purpose",
          "payload_values_retained=false",
          "screenshots_retained=false",
          "manual_review_needed=true"
        ]
      },
      {
        "title": "What should not count by itself",
        "lines": [
          "replay_vendor_present=true [insufficient_without_sensitive_surface_context]",
          "sensitive_field_label=income [insufficient_without_runtime_replay_anchor]",
          "same_scan_context [does_not_show_field_value_capture]",
          "raw_dom_or_field_value [must_not_be_public_sample_evidence]"
        ]
      }
    ]
  }
}
Regulatory review context
Session replay plus sensitive-surface review
Retained runtime and page-surface evidence showed session-replay-related signals and sensitive-input or sensitive-context surfaces in the same scan. This may be relevant to masking, consent, special-category or high-risk context, security, and vendor-governance review, but browser-visible evidence does not determine capture, retention, interception, same-flow linkage, or legal status.
Legal and regulatory frameworks
- GDPR special-category or high-risk context review: The retained surface context may involve Article 9 special-category data or otherwise sensitive/high-risk fields that require manual review.
- GDPR minimization, security, and transparency review: Replay telemetry, identifiers, form context, or user behavior signals may involve personal data or sensitive inferences depending on implementation and manual review.
- Wiretap, eavesdropping, or recording-law manual review: Replay or recording signals may require jurisdiction-specific manual legal review where interaction capture, communications, consent-to-record, or similar theories may be relevant. Browser-visible evidence does not determine capture, retention, interception, or legal status.
Jurisdictional contexts
- Health-context online tracking review: The observed surface may involve health, telehealth, patient portals, health apps, or consumer health data.
- CCPA/CPRA sensitive personal information review: California users and sensitive personal information, sale/share, or cross-context advertising may be in scope.
- EU GDPR special-category or high-risk context review: EU/EEA users and Article 9 special-category data, sensitive inferences, or high-risk context may be in scope depending on the surface, purpose, and manual review.
- Jurisdiction-specific wiretap/eavesdropping or session-replay review: Replay or recording signals may require jurisdiction-specific manual legal review where interaction capture, communications, consent-to-record, or similar theories may be relevant. Browser-visible evidence does not determine capture, retention, interception, or legal status.
This finding does not determine legal status, GDPR Article 9 status, consent validity, same-flow linkage, keystroke capture, screenshot capture, sensitive-value capture, recording retention, interception, or compliance status. Review retained replay anchors, sensitive-surface context, masking, sampling, payload evidence, consent state, and vendor configuration.
Evidence standard
Strong
- Retained runtime evidence includes replay-related script, request, endpoint, or vendor context in the scan.
- Retained page-surface evidence identifies a sensitive form, field context, or page purpose without exposing user-entered values.
- Evidence includes replay-related runtime anchor, representative field or surface context where safe, consent timing where available, and redaction of payloads and identifiers.
- Evidence distinguishes scan-level co-presence from same-page or same-flow replay linkage.
- Coverage context indicates the runtime and page-surface observations were not materially blocked or unreliable.
Good
- Retained evidence shows replay-related runtime context and a sensitive-input or sensitive-context surface in the same scan, while same-page linkage, active capture, masking, or payload contents require manual review.
- The retained example is enough for a reviewer to inspect vendor configuration, page exclusions, masking, and consent state manually.
- The evidence is a replay-plus-sensitive-surface review signal, but keystroke capture, screenshots, recordings, masking, and user impact require manual review.
Audit-only
- Replay-related tooling appears somewhere on the site, but sensitive-surface evidence is incomplete or materially blocked.
- Sensitive surface evidence exists, but replay-related runtime evidence is incomplete or too weak.
- Vendor documentation, policy text, or template name suggests replay risk, but no retained scan-level co-presence artifact supports the observed state.
Insufficient
- Replay vendor name alone without retained runtime evidence.
- Sensitive field label alone without replay-related runtime evidence.
- Raw DOM, screenshots, user-entered values, full payloads, or session recordings as public evidence.
- Claims that sensitive values, keystrokes, screenshots, form contents, or recordings were captured based only on automated co-presence evidence.
Evidence levels explain how CertScore treats retained runtime artifacts. They are not legal conclusions.
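The evidence ladder and calibration rules above, modelled in Python as an added illustration that is not CertScore's own code: the Retained field names and the two-context threshold for Strong are assumptions, and redact_request shows the origin/path anchor and query_redacted flag that the example evidence keeps in place of a full request.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed model of what one scan retained. Field names are assumptions made
# for this illustration; they are not CertScore's schema.
@dataclass
class Retained:
    replay_runtime_anchor: bool = False  # replay script/request/endpoint seen at runtime
    sensitive_surface: bool = False      # form, field context or page purpose retained
    same_flow_linkage: bool = False      # replay tied to the same page or flow as the surface
    coverage_blocked: bool = False       # runtime or page-surface observation unreliable
    raw_values_retained: bool = False    # user-entered values, raw DOM or screenshots kept
    consent_timing: bool = False         # replay signal placed relative to consent state
    masking_context: bool = False        # masking/exclusion configuration retained
    repeated_examples: bool = False      # more than one co-presence example retained

def evidence_level(r: Retained) -> str:
    """Map retained artifacts onto the Strong/Good/Audit-only/Insufficient ladder."""
    # Public sample evidence must never carry payloads, raw DOM or recordings.
    if r.raw_values_retained:
        return "insufficient"
    # A vendor name or a field label alone sets neither flag: insufficient.
    if not r.replay_runtime_anchor and not r.sensitive_surface:
        return "insufficient"
    # One side retained, the other incomplete or blocked: audit-only.
    if r.coverage_blocked or not (r.replay_runtime_anchor and r.sensitive_surface):
        return "audit_only"
    # Same-scan co-presence is Good; corroborating context lifts it to Strong
    # (two corroborating contexts is an assumed threshold, not the page's number).
    corroboration = sum([r.consent_timing, r.masking_context, r.repeated_examples])
    return "strong" if corroboration >= 2 else "good"

def calibrate(r: Retained) -> dict:
    """Surface/demote decision plus the linkage caveat reviewers carry forward."""
    level = evidence_level(r)
    return {
        "evidence_level": level,
        "surfaced": level in ("good", "strong"),  # minimum to surface; others are demoted
        "high_confidence": level == "strong",     # corroborated evidence and usable coverage
        "same_page_or_same_flow_linkage": "true" if r.same_flow_linkage else "false_or_not_retained",
        "manual_review_needed": True,  # capture, masking and consent are never determined here
    }

def redact_request(url: str) -> dict:
    """Keep stable anchors (origin, path) and drop the query string, as retained artifacts do."""
    u = urlsplit(url)
    return {"origin": f"{u.scheme}://{u.netloc}", "path": u.path, "query_redacted": bool(u.query)}
```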
Common causes
- Replay or behavior-analytics tooling is loaded globally through a shared tag manager or layout.
- Sensitive forms inherit sitewide replay scripts from general marketing, support, or product analytics templates.
- Replay vendor settings are managed separately from CMP or tag-manager consent state.
- Page-level replay exclusions do not cover all account, application, intake, payment, health, financial, or identity flows.
- Sensitive-surface routing or multi-step forms make same-page or same-flow linkage harder to retain in an automated public scan.
Recommended review questions
- Which replay-related runtime artifact and which sensitive surface were retained in the same scan?
- Is the sensitive surface a form, multi-step flow, account page, checkout, application, portal, health, financial, identity, or support page?
- Was replay collection active, or was the evidence limited to replay library or vendor presence?
- Does retained evidence show same-page or same-flow linkage, or only scan-level co-presence?
- Could sensitive values, field labels, error states, helper text, screenshots, DOM mutations, or typed events be exposed under current vendor settings?
- Are sensitive fields, page sections, and dynamic states masked or excluded before collection?
- Did the replay signal occur before consent, after consent, after reject, or outside known consent context?
- Do page-level exclusions cover responsive variants, localized pages, authenticated states, and multi-step forms?
- Are payloads, identifiers, screenshots, raw DOM, and user-entered values excluded or redacted from public evidence?
- Should manual privacy, security, legal, and accessibility review confirm masking, consent posture, user impact, and remediation quality?
Limitations and cautions
- This finding is an automated replay-plus-sensitive-surface review signal, not a legal conclusion, certification, compliance determination, or determination of consent validity.
- Scan-level co-presence of replay-related runtime evidence and a sensitive surface does not determine that sensitive field values, keystrokes, screenshots, form contents, or recordings were captured.
- This finding is distinct from same-page or same-flow replay linkage, which requires stronger retained evidence.
- The evidence may reflect a shared template, global script, library availability, or vendor tag presence rather than active replay collection on a submitted form.
- Automated evidence may not fully determine masking quality, sampling, page exclusions, payload contents, authenticated states, user-triggered form states, or vendor-side retention.
- Manual review is needed to confirm sensitive context, replay configuration, masking, consent state, payload contents, page exclusions, user impact, and remediation quality.
- CertScore redacts or avoids retaining full query strings, payloads, identifiers, screenshots, raw DOM, and user-entered values while preserving stable anchors needed for review.
- Automated findings may contain errors and should be reviewed with the retained evidence.
- Not detected means not observed in the scan scope; it is not proof of absence.
- Findings are runtime evidence and public-surface observations for review, not legal conclusions.
