
I was in charge of building this kind of product for another analytics company. This technology is called session replay, and it is used for many use cases, like UX improvement, support, bug detection...

Most vendors record keyboard inputs and thus can record passwords as well as credit card information; there was an affair about it a few years ago [1]. To avoid this issue, most vendors provide a way to not record this information. It requires manual tagging of the website, on the elements that contain critical content.

But many session replay vendors have many clients, and don't force or verify that all the critical information is masked. This is not GDPR compliant, because where the GDPR applies you need the consent of the user to record their PII, and you are not even allowed to record information like passwords, sexual orientation or credit cards even if you have the consent.

Two things:

- Nowadays on the web most payment pages are not hosted on the client website, so those analytics tools are not included (but we still have many websites that don't use a third party for that).

- This data is not (most of the time) recorded in a structured way: input data is recorded as some element of an HTML document, and thus it is not super easy to extract the information at scale.

[1] https://freedom-to-tinker.com/2018/02/26/no-boundaries-for-c...
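The masking model the comment describes, as an added example that is not the commenter's code or any vendor's SDK: a toy session-replay serializer in which only elements the site owner has tagged are masked, beside a variant that masks password and payment-card inputs by default, plus an audit pass that reports sensitive inputs recorded in the clear. DOM elements are stood in for by plain objects so it runs in Node without a browser; the `data-replay-mask` attribute name, the sample form and its values are constructed for this example.

```javascript
// Constructed stand-ins for DOM nodes: { tag, attrs, value?, children? }.
// Attribute name data-replay-mask is an assumption, not a real vendor's API.
const SENSITIVE_INPUT_TYPES = new Set(["password"]);
const CARD_AUTOCOMPLETE_PREFIX = "cc-"; // HTML autocomplete tokens cc-number, cc-csc, ...

// Manual tagging: the site owner marked this element as sensitive.
function isManuallyTagged(node) {
  return Boolean(node.attrs) && "data-replay-mask" in node.attrs;
}

// Default masking: the input looks sensitive from its own markup.
function isSensitiveByDefault(node) {
  if (node.tag !== "input") return false;
  const attrs = node.attrs || {};
  const type = (attrs.type || "text").toLowerCase();
  if (SENSITIVE_INPUT_TYPES.has(type)) return true;
  const autocomplete = (attrs.autocomplete || "").toLowerCase();
  return autocomplete.startsWith(CARD_AUTOCOMPLETE_PREFIX);
}

// Replace every character so the recording keeps length but not content.
function maskValue(value) {
  return "*".repeat(value.length);
}

// Serialize a tree into the snapshot a recorder would ship to its backend.
// opts.defaultMask = false reproduces the "tag it yourself" model from the
// comment; true adds masking of password and card fields whether tagged or not.
function serialize(node, opts = { defaultMask: false }) {
  const out = { tag: node.tag, attrs: { ...(node.attrs || {}) } };
  if ("value" in node) {
    const mask =
      isManuallyTagged(node) || (opts.defaultMask && isSensitiveByDefault(node));
    out.value = mask ? maskValue(node.value) : node.value;
  }
  if (node.children) out.children = node.children.map((c) => serialize(c, opts));
  return out;
}

// Audit a snapshot before it leaves the page: return the names of inputs that
// look sensitive yet still carry an unmasked value.
function findLeaks(snapshot) {
  const leaks = [];
  const walk = (node) => {
    if ("value" in node && isSensitiveByDefault(node) && /[^*]/.test(node.value)) {
      leaks.push((node.attrs && node.attrs.name) || "<unnamed>");
    }
    (node.children || []).forEach(walk);
  };
  walk(snapshot);
  return leaks;
}

// Constructed sample form; only the "note" field was tagged by the site owner.
const sampleForm = {
  tag: "form",
  attrs: {},
  children: [
    { tag: "input", attrs: { name: "email", type: "email" }, value: "alice@example.com" },
    { tag: "input", attrs: { name: "pw", type: "password" }, value: "hunter2" },
    { tag: "input", attrs: { name: "card", type: "text", autocomplete: "cc-number" }, value: "4111111111111111" },
    { tag: "input", attrs: { name: "note", type: "text", "data-replay-mask": "" }, value: "private" },
  ],
};

// Manual tagging alone leaves the password and card number in the recording.
const taggedOnly = serialize(sampleForm);
// Default masking closes the gap without any extra tagging.
const defaultMasked = serialize(sampleForm, { defaultMask: true });

console.log("leaks with tagging only:", findLeaks(taggedOnly));
console.log("leaks with default masking:", findLeaks(defaultMasked));
```

The audit pass is the piece a practitioner would wire into a recorder's send path or a CI check: the comment's point is that vendors leave masking to the site owner and do not verify it, and `findLeaks` is the minimal verification that closes that gap.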



