France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), today opened a public consultation on a draft recommendation governing session replay tools - software that records and reconstructs the full browsing sessions of website visitors and mobile application users. The consultation, announced on 25 February 2026, runs until 22 April 2026, and the final recommendation is expected to be adopted once all submissions have been reviewed.

The move places a category of analytics technology - widely deployed across e-commerce, media and software platforms, yet little understood by ordinary internet users - squarely within French and EU data protection law. Tools such as Microsoft Clarity, Hotjar, and Fullstory, among dozens of others, are used today by website publishers to capture mouse movements, clicks, scrolls, form field entries, and touch interactions, then replay those interactions as video-like recordings. Microsoft Clarity was among the first major providers to begin enforcing European consent requirements for session recordings in late 2025.

What session replay tools actually do

According to the CNIL draft recommendation, session replay tools "are technologies for capturing and visualising the complete browsing journey of a user of a website or mobile application." They go well beyond standard analytics metrics: rather than recording aggregate page view counts or bounce rates, they enable publishers to watch - step by step - what each individual user did during a visit.

The data collected can include cursor trajectories, rage clicks (rapid repeated clicks indicating frustration), dead clicks (clicks on elements that do not respond), form field inputs, dynamically loaded account information, and the order in which pages were accessed. The CNIL notes that these tools function using trackers - which may be cookies in web environments or mobile identifiers within apps - and that they allow visualisation of sessions "either from interaction data with a website or mobile application, or from the reading of recorded navigation sessions."

Three core use cases are identified in the draft: detecting and fixing technical errors, improving user experience (UX) by identifying friction points, and supporting customer service teams in reproducing a user's problem session. The CNIL is explicit that session replay should not be used for advertising retargeting, pointing out that privacy-respecting alternatives such as cart abandonment cookies already exist for that purpose.

Why the CNIL is acting now

The French regulator frames its intervention around two interconnected risks. First, permanent navigation tracking can produce detailed information about people's private lives - habits, interests, and, in some cases, sensitive data - in ways users rarely anticipate. Second, the tools can result in collection that is disproportionate relative to the stated purpose, violating the data minimisation principle enshrined in Article 5.1.c of the GDPR.

According to the CNIL, the risks are compounded by the commercial diversity of the market. "Their diversity increases the choices available to website and mobile application publishers and contributes to maintaining a rapid pace of technical evolution of these tools," the draft states. Publishers, drawn by expanding feature sets, may activate capabilities that collect more user data than any single purpose actually requires.

This context is not isolated. The CNIL has been methodically tightening its approach to web tracking for several years. The authority fined SHEIN's Irish subsidiary €150 million in September 2025 for placing advertising and analytics cookies before users could consent, and ordered multiple publishers in December 2024 to fix cookie banners that made rejection harder than acceptance. The cross-device consent recommendation adopted in December 2025, and the updated audience measurement cookie guidelines published in July 2025, are part of the same sustained programme of regulatory clarification. Session replay fits naturally into that sequence.

Session replay tools sit at the intersection of two bodies of law. At the first level, the read-and-write operations performed by trackers on a user's device fall under Article 82 of the French Data Protection Act (loi Informatique et Libertés), which transposes Article 5.3 of the ePrivacy Directive. At the second level, because these tools reconstruct individual navigation sessions and thereby collect data that identifies users directly or indirectly, they trigger the full requirements of the GDPR.

According to the CNIL, the "subsequent processing" of data generated by trackers - meaning everything done with that data after collection - must rest on one of the legal bases listed in Article 6 of the GDPR. Consent is described as "generally the most appropriate legal basis" for this subsequent processing, though the draft acknowledges that each controller must assess its own situation.

Critically, session replay does not qualify for any of the exemptions from consent that apply to strictly necessary cookies or audience measurement tools. The CNIL is unambiguous: "the purposes pursued by the deployment of session replay tools are subject to prior user consent." The operations performed are neither exclusively aimed at facilitating electronic communication nor strictly necessary for delivering the publisher's services.

Two actors, split responsibilities

The draft maps out how GDPR responsibility is allocated between the two main players in any session replay deployment: the tool provider and the site or app publisher.

When a provider simply supplies the technical solution without reusing the data for its own purposes, it acts as a data processor (sous-traitant). When it does reuse the data - for example, to improve its own product - it becomes an independent data controller for those secondary purposes, and a joint controller with the publisher for the original read-and-write operations. The CNIL traces this joint liability directly to the Court of Justice of the European Union's Fashion ID ruling (paragraphs 101 and 102) and its own guidelines on Article 82 operations.

The publisher, for its part, is "generally considered the data controller" because it decides to deploy the tool to meet its own operational need and, by configuring the tool's parameters, participates in determining the essential means of processing. The publisher bears sole responsibility for operations conducted exclusively for its own purposes.

When both parties are jointly responsible for consent collection, the CNIL states they cannot simply insert a contract clause placing that burden entirely on the publisher. A proper arrangement must specify: which mechanisms demonstrate valid consent, how proof is made available to each party, conditions for preserving that evidence, and the terms for regular auditing of consent collection systems.

For publishers using Consent Management Platforms (CMPs), the draft establishes that session replay should be presented as a distinct purpose - not buried within broader analytics categories. Each purpose must be shown to users before consent is given, with a short title and a brief description enabling users to understand the scope of their choice.

The CNIL encourages publishers, as a "good practice," to include specific information about session replay tools at the first level of the CMP interface, given that most users are unaware these tools exist. The decision of whether to surface that information at the first level should account for the extent of the navigation tracking involved, the impact on users, and the minimisation measures in place.

Withdrawal of consent must be as easy as giving it, consistent with Article 7 of the GDPR. The CNIL specifies technically what this means: read operations on previously placed cookies must stop immediately. One compliant approach is to send an HTTP response carrying a Set-Cookie header for the tracker cookie with an expiry date in the past, which causes the browser to discard the cookie as expired. For cookies that lack the HttpOnly attribute, the tool can instead delete them with a locally run script.
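The two withdrawal mechanisms just described, written out as an added example (this is not code from the CNIL draft or from any session replay vendor). The functions return the header and cookie strings instead of touching a browser, so they can be run and checked outside one; the tracker cookie names `sr_session` and `sr_user`, and the option object shape, are constructed for illustration.

```javascript
// Added example: expiring session replay tracker cookies on consent withdrawal.
// Any Expires value in the past (plus Max-Age=0) makes the browser discard the
// cookie when the response is processed.
const EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT";

// Server side: build the Set-Cookie value that expires a tracker cookie.
// Domain and Path must match the attributes the cookie was originally set
// with; a cookie is identified by name + domain + path, so a mismatch leaves
// the original cookie in place. `opts` is an assumed option shape.
function buildExpiringSetCookie(name, opts = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  const parts = [`${name}=`, `Expires=${EPOCH}`, "Max-Age=0", `Path=${opts.path || "/"}`];
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.secure !== false) parts.push("Secure");
  if (opts.httpOnly) parts.push("HttpOnly");
  parts.push(`SameSite=${opts.sameSite || "Lax"}`);
  return parts.join("; ");
}

// Client side: parse a document.cookie-style string (only non-HttpOnly cookies
// are visible there) and return one deletion string per tracker cookie that is
// present. In a browser each returned string would be assigned to document.cookie.
function buildClientDeletions(cookieString, trackerNames, opts = {}) {
  const present = new Set(
    cookieString.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean)
  );
  return trackerNames
    .filter((n) => present.has(n))
    .map((n) => buildExpiringSetCookie(n, { ...opts, httpOnly: false }));
}

// What a CMP "withdraw consent" handler would produce for both paths.
function withdrawSessionReplayConsent(cookieString, trackerCookies, opts) {
  return {
    responseHeaders: trackerCookies.map((n) => ["Set-Cookie", buildExpiringSetCookie(n, opts)]),
    clientDeletions: buildClientDeletions(cookieString, trackerCookies, opts),
  };
}
```

The server path is the only one that works for HttpOnly cookies, since scripts cannot see them; that is why the draft treats the two cases separately.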

Technical minimisation: a detailed taxonomy

Section 7 of the draft is the most technically granular portion and sets out a framework of named measures that providers are recommended to make available, and that publishers should apply. The CNIL explicitly states these measures are not mandatory in themselves - alternatives are permitted as long as compliance is documented - but they form the baseline against which the regulator will evaluate deployments.

On session limitation, the CNIL proposes three options:

  • L1: random sampling of sessions to reduce overall data volume
  • L2: recording only when a predefined trigger event occurs, with prompt deletion of recordings where no such event is detected
  • L3: systematic recording followed by rapid deletion of sessions where the user encountered no navigation difficulty
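As an added example (not code from the CNIL draft or any recorder), the three options above expressed as a retention decision over a captured event stream. The event shape, the rage-click threshold (three clicks on one target within one second) and the set of difficulty signals are assumptions for illustration; the two sample sessions are constructed.

```javascript
// Added example: session limitation L1/L2/L3 over a constructed event stream.
// Constructed sample: s1 rage-clicks a "Pay" button that does not respond and
// then hits a script error; s2 is an ordinary, friction-free visit.
const SESSIONS = [
  { id: "s1", events: [
      { t: 1000, type: "click", target: "#pay", responded: false },
      { t: 1300, type: "click", target: "#pay", responded: false },
      { t: 1550, type: "click", target: "#pay", responded: false },
      { t: 4000, type: "js_error", target: null } ] },
  { id: "s2", events: [
      { t: 500, type: "click", target: "#menu", responded: true },
      { t: 2500, type: "scroll", target: null } ] },
];

// Assumed thresholds for the rage-click detector.
const RAGE_MIN_CLICKS = 3;
const RAGE_WINDOW_MS = 1000;

// Rage click: RAGE_MIN_CLICKS or more clicks on the same target inside a
// RAGE_WINDOW_MS sliding window.
function hasRageClick(events) {
  const byTarget = new Map();
  for (const e of events) {
    if (e.type !== "click") continue;
    const ts = byTarget.get(e.target) || [];
    ts.push(e.t);
    byTarget.set(e.target, ts);
  }
  for (const ts of byTarget.values()) {
    ts.sort((a, b) => a - b);
    for (let i = 0; i + RAGE_MIN_CLICKS - 1 < ts.length; i++) {
      if (ts[i + RAGE_MIN_CLICKS - 1] - ts[i] <= RAGE_WINDOW_MS) return true;
    }
  }
  return false;
}

// Difficulty signals that justify keeping a session for error detection or UX work.
function difficultySignals(events) {
  const signals = [];
  if (hasRageClick(events)) signals.push("rage_click");
  if (events.some((e) => e.type === "click" && e.responded === false)) signals.push("dead_click");
  if (events.some((e) => e.type === "js_error")) signals.push("js_error");
  return signals;
}

// mode: "L1" random sampling, "L2" trigger-gated recording, "L3" record-all then purge.
// `rng` is injectable so the sampling decision is reproducible.
function decideRetention(session, mode, { sampleRate = 0.1, rng = Math.random } = {}) {
  const signals = difficultySignals(session.events);
  switch (mode) {
    case "L1":
      // A random fraction of sessions, decided on the device before any upload;
      // what happened in the session plays no role.
      return { keep: rng() < sampleRate, stage: "device", signals, reason: "random_sample" };
    case "L2":
      // Kept (and transmitted) only when a trigger fired; otherwise the locally
      // buffered events are discarded and never leave the device.
      return { keep: signals.length > 0, stage: "device", signals,
               reason: signals.length ? "trigger" : "no_trigger_discard" };
    case "L3":
      // Everything is uploaded first, then sessions without difficulty are
      // deleted rapidly on the provider side: more data in transit than L2.
      return { keep: signals.length > 0, stage: "provider", signals,
               reason: signals.length ? "difficulty" : "no_difficulty_purge" };
    default:
      throw new Error(`unknown limitation mode ${mode}`);
  }
}

function applyLimitation(sessions, mode, opts) {
  return sessions.map((s) => ({ id: s.id, ...decideRetention(s, mode, opts) }));
}
```

L2 and L3 keep the same sessions in the end; the difference the `stage` field makes visible is that under L2 the frustration-free session is never transmitted, while under L3 it reaches the provider and must be purged there.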

On data masking, the draft introduces a tiered masking system (M0 through M3). By default - in the absence of any configuration - masking should apply to all sensitive fields: images, forms, free-text inputs, and dynamically populated fields such as account information. Publishers can then choose:

  • M1: data collected but unmasking restricted to a limited number of authorised users following an internal validation process
  • M2: data collected by the provider but not made available to the publisher unless access is formally requested and justified
  • M3: data not collected at all

On identifiers, the CNIL recommends three levels of pseudonymisation:

  • I1: randomly generated session identifiers with a short lifetime, preventing cross-session association
  • I2: pseudonymous per-user identifiers based, for instance, on hash functions
  • I3: domain-scoped identifiers limiting the ability to match sessions across different websites operated by the same entity

On security, two baseline measures are specified: S1 requires blocking the collection of passwords, banking data, and other sensitive information; S2 requires an access policy with distinct roles and periodic reviews.
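The masking levels and the S1 block list, as an added example covering both the masking tiers above and S1 (this is not code from the CNIL draft or any recorder SDK). It serialises a captured DOM snapshot so that the S1 categories never leave the browser, M0 masking applies to every sensitive field by default, and the publisher's per-field M1/M2/M3 choice is recorded. The node shape, block-list patterns, the treatment of M0 as "masked on the device and not transmitted", and the sample snapshot and policy are all constructed for illustration.

```javascript
// Added example: default masking (M0), publisher levels M1-M3 and the S1 block list.

// S1: categories that must never be collected, whatever the publisher configured.
// Matching by input type, autocomplete token and field name is an assumed heuristic.
const S1_BLOCKED_TYPES = new Set(["password"]);
const S1_BLOCKED_AUTOCOMPLETE = new Set(["cc-number", "cc-csc", "cc-exp", "current-password", "new-password"]);
const S1_BLOCKED_NAME_RE = /(passw|iban|card|cvv|cvc|secret)/i;

function isS1Blocked(node) {
  return (node.tag === "input" && S1_BLOCKED_TYPES.has(node.type)) ||
    S1_BLOCKED_AUTOCOMPLETE.has(node.autocomplete) ||
    S1_BLOCKED_NAME_RE.test(node.name || "");
}

// M0 default: forms, free text, images and dynamically populated fields are
// sensitive unless the publisher configures a level for them.
function isSensitiveByDefault(node) {
  return ["input", "textarea", "select", "img"].includes(node.tag) || node.dynamic === true;
}

const MASK = "\u2588\u2588\u2588"; // what the replay viewer shows in place of the value

// policy: map from node id to "M1" | "M2" | "M3" (the publisher's configuration).
// Returns { replay, vault }: `replay` is what every replay viewer sees; `vault`
// holds values collected but gated (M1: publisher-side unmasking after internal
// validation, M2: held by the provider, released only on justified request).
function serializeSnapshot(nodes, policy = {}) {
  const replay = [];
  const vault = [];
  for (const node of nodes) {
    const { id, tag } = node;
    if (isS1Blocked(node)) { replay.push({ id, tag, value: null, reason: "S1" }); continue; }
    const level = policy[id] || (isSensitiveByDefault(node) ? "M0" : "clear");
    if (level === "clear") { replay.push({ id, tag, value: node.value }); continue; }
    if (level === "M3") { replay.push({ id, tag, value: null, reason: "M3" }); continue; }
    // M0, M1, M2: masked in the replay; only M1/M2 keep a gated copy.
    replay.push({ id, tag, value: MASK, reason: level });
    if (level === "M1" || level === "M2") vault.push({ id, level, value: node.value });
  }
  return { replay, vault };
}

// Constructed checkout snapshot and publisher policy.
const SAMPLE_NODES = [
  { id: "h1", tag: "h1", value: "Checkout" },
  { id: "email", tag: "input", type: "email", name: "email", value: "user@example.test" },
  { id: "pwd", tag: "input", type: "password", name: "password", value: "constructed-password" },
  { id: "card", tag: "input", type: "text", name: "card_number", autocomplete: "cc-number", value: "0000 0000 0000 0000" },
  { id: "notes", tag: "textarea", name: "delivery_notes", value: "ring twice" },
  { id: "balance", tag: "span", dynamic: true, value: "1240.00 EUR" },
  { id: "qty", tag: "select", name: "qty", value: "2" },
];
const SAMPLE_POLICY = { email: "M1", balance: "M2", notes: "M3", qty: "M1" };
```

The point to check in any real deployment is the ordering: S1 is evaluated before the publisher's policy, so a password field tagged M1 by mistake still yields nothing.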

The annexe to the draft maps these measures to specific purposes. For UX improvement, for example, the recommended combination is (L1 or L3) + (M2 or M3) + I1 + S1 + S2, with a retention period of "a few months" limited to the current version of the site. For technical error detection, the combination is (L2 or L3) + (M1, M2, or M3) + I1 + S1 + S2, again with a few months' retention. For customer support, retention should be limited to a few hours after the session ends, and unmasking should only occur following a validation process involving the user - given that the support context is triggered by direct user contact.

Retention limits and data rights

The CNIL calls on providers to build architectures that allow individual session deletion, not just bulk deletion by time period. This is necessary to comply with requests from users exercising their GDPR rights under Articles 15 to 20 - including rights of access, rectification, erasure, restriction, and portability - and to enable session-level deletion once, for example, a support ticket has been closed.

Users' rights must be facilitated through "ergonomic and comprehensible" mechanisms, such as a dedicated rights management centre. According to the CNIL's design recommendations, these interfaces should not themselves constitute dark patterns.

On further processing: data collected under user consent cannot be reused for a different purpose without new consent for that new purpose. The only exception is if the data has been genuinely anonymised beforehand, in which case reuse is presumed not to create additional privacy harm under Article 82.

What this means for the marketing community

Session replay tools are standard components in the conversion rate optimisation (CRO) and UX research stacks of marketing and product teams worldwide. Microsoft Clarity, offered free of charge, reports processing data from millions of websites globally. The CNIL's draft effectively defines the minimum consent and technical architecture that any such tool must support for deployment in France and, by extension, the EU.

The practical consequence is significant. Publishers operating sites with French traffic - which, given EU-wide GDPR application, means effectively any publisher serving European users - will need to audit their CMP configurations to ensure session replay appears as a distinct, properly described consent purpose. Providers will need to confirm their platforms offer at minimum the masking, sampling, and identifier controls described in the draft, along with the ability to delete individual sessions on demand.

The draft also has implications for contracts between publishers and providers. Joint controller arrangements must be documented with the specific requirements set out in the CNIL's guidance: proof mechanisms, evidence-sharing, audit schedules. A generic data processing addendum that delegates all consent obligations to the publisher is no longer sufficient where the provider uses the collected data for its own purposes.

The consultation remains open until 22 April 2026. Any stakeholder - providers, publishers, civil society organisations, or individual internet users - may submit contributions. The CNIL has asked that organisations from the same sector coordinate their responses through representative bodies where possible.

Timeline

  • 6 January 1978 - France enacts the original loi Informatique et Libertés, the statutory basis for CNIL's authority
  • 25 May 2018 - GDPR becomes directly applicable across the EU, creating the two-tier legal framework that governs session replay
  • 17 September 2020 - CNIL adopts guidelines on Article 82 read/write operations (Délibération n°2020-091), which the session replay draft builds upon
  • December 2024 - CNIL issues formal notices to publishers over dark patterns in cookie consent banners
  • December 2024 - Microsoft Clarity and OneTrust announce changes to consent management affecting session recording deployments
  • 16 January 2026 - CNIL publishes final recommendations on cross-device cookie consent
  • 22 January 2026 - CNIL sanctions a company for transmitting data to a social network for advertising purposes
  • 25 February 2026 - CNIL opens public consultation on draft session replay recommendation (today)
  • 22 April 2026 - Consultation closes; CNIL begins reviewing contributions for final recommendation

Summary

Who: France's data protection authority, the CNIL, addressing website and mobile application publishers and session replay tool providers - including vendors such as Microsoft Clarity and Hotjar - established in France, elsewhere in the EU, or processing data of EU residents.

What: A draft recommendation setting out the legal requirements and recommended technical measures for lawful deployment of session replay tools, including mandatory prior consent, a structured masking and sampling framework, retention limits, individual session deletion capability, and clear joint-controller contractual obligations.

When: The consultation was announced today, 25 February 2026, and runs until 22 April 2026. The final recommendation will be adopted after that date.

Where: The recommendation applies to session replay deployments on websites and mobile applications accessible to users in France and the broader EU, consistent with GDPR's territorial scope under Article 3.

Why: The CNIL considers existing compliance guidance insufficient given the growing commercial market for session replay tools, the risk of excessive and opaque data collection, and the low public awareness of how these tools operate. The authority aims to help both providers and publishers align their practices with GDPR and the loi Informatique et Libertés before initiating any enforcement action in this area.
