FullStory Engineering Blog

GDPR and Fullstory


About the General Data Protection Regulation and Fullstory

Last updated May 2021

First, a disclaimer: The content below is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with legal and other professional counsel to determine exactly how the GDPR may or may not apply to you.

In this article: If you’ve landed here, you’ve likely already heard lots about the General Data Protection Regulation (GDPR). There is already a lot of great content that explains in detail what the GDPR is. Here, we’ll mostly focus on the intersection of the GDPR, your company, and your use of Fullstory session replay.

1. What is the GDPR?

At a basic level, the GDPR is intended to give more control to EU citizens over their personal data. Among other things, it regulates how people and organizations can obtain, use, store and eliminate personal data of EU citizens. The ideas in the GDPR actually aren’t so new. Many of the concepts in the GDPR were introduced over 20 years ago when the EU adopted the Data Protection Directive in the mid-1990s.

The GDPR seems to represent a real sea change, giving people strong agency in how their personal data is collected and used. Unlike the Directive from the mid-90s, the GDPR:

  • is much more specific about what is okay and not okay,

  • introduces a broader definition of personal data,

  • sets forth such stringent requirements that companies are required to make real operational changes,

  • is completely uniform across the EU, leaving a lot less wiggle room for interpretation, and

  • enforces penalties that are really, really steep; it’s clear that the EU wants to ensure real change.

2. What does the GDPR require?

A bunch of stuff, but because it’s new, it can be hard to say exactly how the GDPR requirements map onto specific operational changes. Some of the key concepts are:

  • Being really clear about what constitutes personal data.

  • Being really clear about ensuring that personal data is used only with a user’s explicit consent or some other lawful basis for processing it.

  • Keeping data secure.

  • Giving EU citizens a set of rights with respect to their personal data, including things like:

  • the right to see what data a company has collected about them,

  • the right to control how that data is shared with other companies,

  • the right to have all of their data deleted.

Let's take a closer look at how these GDPR requirements can be applied to Fullstory and session replay.

What is considered “personal data?”

According to the GDPR, personal data is any information relating to an identified or identifiable individual, which could mean any information that could be used either on its own or in conjunction with other data, to identify an individual.

Sensitive personal data, such as social security numbers, health information, or information that suggests a person’s racial or ethnic origin will require even greater protection under the GDPR. This kind of sensitive personal data should never be captured by Fullstory (it’s against our Acceptable Use Policy) and we have provided some easy-to-use tools that allow you to exclude sensitive data from ever being recorded by Fullstory.

Before we go further, just what is recorded by Fullstory and why? The power of Fullstory is linked to "session replay" (a.k.a. session playback).

What is session replay?

Session replay is the reproduction of a user’s interactions on a website or web application exactly as the user actually experienced it. Session replay transforms logged user events, such as mouse movements, clicks, page visits, scrolling, tapping, etc., into a reproduction of what the user did on the site or app. 

The reproductions provided by session replay are used to recreate the experiences of actual users. Replay is useful for all sorts of reasons—e.g. to support customers, debug errors, optimize pages, and more.

In order for any session replay tool to work, session replay vendors must log user behaviors on websites and apps down to clicks, taps, scrolls, mouse movements, and more.

How might you capture personal data With Fullstory session replay?

There are two types of personal data you can send to Fullstory. You can actively send things like name, email address, company, etc. to Fullstory using our API or one of our integrations. You can also passively send personal information that your visitors are typing into fields or that might get displayed on pages of your website or app that Fullstory logs simply because we are recording the page.

As mentioned above, in the case of passively captured information, you have full control over which fields or elements are excluded, and it is important that you exclude the personal data that you do not want captured.

As a Fullstory customer, how should I think about Fullstory with respect to the GDPR?

For Fullstory customers, Fullstory is a processor of data that you send to us about your users. To understand how Fullstory session replay operates with respect to the data you send it, a helpful metaphor is to think of Fullstory as a provider of safe deposit boxes.

When you use Fullstory on your site, you are sending data about your users (which may or may not be personal data) into your Fullstory account, which is like your very own safe deposit box.

In the same way that a bank doesn’t access the contents of your safe deposit box, Fullstory doesn’t access the data in your Fullstory account. You’ll work directly with your customers to honor their requests about the data you have captured and stored about them whether it is in your Fullstory account or not. We will help by providing tools that allow you to easily access, change, remove and delete the data in your Fullstory account at your user’s request.

Because Fullstory is a processor, you may need to obtain consent from your identified users for the way that you plan to use Fullstory to process their data. If so, we suggest you be as clear as possible about how you use Fullstory and why your end users might want to grant you consent to identify them for those purposes.

For example, if you use Fullstory on your support team, you could explain that you use Fullstory session replay to provide faster and better support to your customers and aid your engineering team in solving bugs and improving their user experience. We believe that being more descriptive about how you’re using data to ultimately help your customers will improve the likelihood that they grant consent.

Do I need to obtain consent before recording sessions with Fullstory?

Not necessarily. The GDPR is primarily concerned with personal data and defining the rights that an EU citizen has to their own data. An unidentified session that cannot be traced to a certain individual is just that, unidentified, and as such recording that session for the purpose of session replay/session playback is a-ok.

However, as noted above, it is possible to capture personal or sensitive data passively if you are recording forms or pages where personal data is inputed or displayed on your website or application. It is important that you audit your own site and ensure all appropriate form fields or elements are excluded before you start recording.

But what about IP Address?

This is a great question and it seems this is still up for interpretation. However, in Fullstory you have the ability to discard IP addresses. While we hold the IP address while a session is processed, once processing is complete the IP address is discarded.

3. How will Fullstory empower me to honor my users' requests around their own personal data?

Under the GDPR, EU citizens have certain rights with respect to their own data. As you think about Fullstory’s role in helping you honor your users’ rights, it is helpful to revisit the safe deposit box metaphor.

When you choose, with consent or some other lawful basis, to record or pass into Fullstory personal data about your visitors, that data goes into your Fullstory account. As mentioned above, you’ll work directly with your customers to honor their requests about the data you have captured and stored about them whether it is in your Fullstory account or not. Fullstory will help by providing tools that allow you to easily access, change, remove and delete that data at your user’s request.

Let’s dive into some specific rights introduced via the GDPR and how Fullstory will help you honor those rights.

Right to be forgotten

Fullstory users with admin privileges can entirely erase users from their account at the click of a button after confirmation.

After a user is completely deleted, a discreet email is sent acting as a receipt to confirm that the appropriate action has been taken. We also offer an API endpoint for deleting users.

Right to object

Under the GDPR, users have the right to prohibit certain data uses. As mentioned above, you may need to get explicit consent from EU citizens regarding the data you capture and how you plan to use it.

We already covered how you might send personal data into your Fullstory account (actively via our Identify API or an integration, or passively by capturing pages on which personal data is inputted or displayed). It is already possible to choose not to actively or passively send any personal data into Fullstory simply by not using our Identify API and by excluding all elements (like form fields or confirmation pages) that might have personal information typed into or displayed on them.

You’ll be able to set more granular rules about what data is passed into Fullstory by default and what data can be passed into Fullstory when consent is present. This functionality will be part of our new Consent API (more details coming).

Right of access

Your users may contact you to request to access information that you hold about them. You’ll be able to log into your Fullstory account and quickly do a search for your user in order to understand what personal data of theirs you’ve sent to Fullstory and help construct your response to your user.

Data portability

As mentioned above, any end user data that is in your Fullstory account, is yours (and theirs), but not ours. You will be able to quickly understand what data you do have about your user thanks to our search functionality and Data Export. Then you can hand it over to the customer however you choose.

Please read "GDPR Made to Order" to learn about how the Fullstory app works to accommodate GDPR.

4. Does Fullstory offer a Data Processing Agreement (DPA)?

Yes. You can view and sign our DPA online: Fullstory Data Processing Agreement.

Once you follow that link, you'll need to authenticate your access using an emailed verification code. You will have the chance to read the document prior to signing.

5. How will I know if I’m compliant with the GDPR?

There does not yet appear to be any sort certification process by which you can be assured that you are in compliance. As we mentioned earlier, you should work closely with legal and other professional counsel to determine if you’re in compliance with the GDPR.

Each company that wants to serve EU citizens will need to remain vigilant and pay attention to how GDPR may evolve, and make changes to accommodate any additional clarifications that appear over time.

6. Are there more resources to help me understand Fullstory’s GDPR efforts?

See below for more GDPR resources:

If you have further questions about GDPR, please reach out and contact us.