France’s data protection authority, the CNIL, has published a draft recommendation on session replay tools and opened a public consultation on the text, with stakeholder comments due by 22 April 2026. The guidance targets a category of technology that has spread rapidly across websites and mobile applications, often with limited transparency to users.

Session replay tools reconstruct a user’s entire browsing journey — mouse movements, clicks, scrolling, touch interactions, and in some cases form inputs — then reproduce the data as “replayed” sessions comparable to video recordings of navigation. The CNIL considers that these operations are neither strictly necessary for the provision of the service nor exclusively intended to enable or facilitate electronic communication. Consequently, prior consent is required under the rules applicable to cookies and trackers.

The draft recommendation imposes several concrete requirements. Purposes must be specific, explicit, and legitimate, and must be defined before deployment — they cannot be “discovered” or adjusted retrospectively based on what the tool reveals. Controllers must prefer sampling or trigger-based collection over blanket recording, implement role-based access controls, and apply data minimisation through content masking, limited identifiers, and short retention periods. Passwords and payment data must be blocked by default. Retargeting is singled out as a purpose for which session replay should never be used.
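As an added illustration (not part of the CNIL text or of any replay vendor's code), the JavaScript below sketches a filter a site could place in front of its replay recorder to apply three of these requirements: blocking password and payment fields by default, masking other typed content, and recording only a sampled fraction of sessions. The event shape, field names and the FNV-1a sampling hash are assumptions chosen for the example.

```javascript
// Added example: a client-side filter in front of a session replay recorder.
// Event objects and field names are constructed for illustration.

// Payment-related autocomplete tokens (WHATWG HTML spec), blocked by default.
const PAYMENT_AUTOCOMPLETE = new Set([
  "cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc", "cc-type",
]);
// Fallback for forms that do not set autocomplete: block by field name pattern.
const PAYMENT_NAME_RE = /(card|cvv|cvc|iban|pan)/i;

// True when a field must never reach the recorder, not even masked.
function isBlockedField(field) {
  if (field.type === "password") return true;
  if (PAYMENT_AUTOCOMPLETE.has((field.autocomplete || "").toLowerCase())) return true;
  return PAYMENT_NAME_RE.test(field.name || "");
}

// Replace every character with '*': length survives for replay, content does not.
function maskValue(value) {
  return "*".repeat(value.length);
}

// Returns the event to forward to the recorder, or null if it must be dropped.
// Clicks and scrolls pass through; input from blocked fields is dropped;
// all other input values are masked (data minimisation by default).
function sanitizeReplayEvent(event) {
  if (event.kind !== "input") return event;
  if (isBlockedField(event.field)) return null;
  return { ...event, value: maskValue(event.value) };
}

// Deterministic sampling: the same session id always yields the same decision,
// so a session is either recorded in full or not at all. FNV-1a over the id.
function shouldRecordSession(sessionId, rate) {
  let h = 0x811c9dc5;
  for (const ch of sessionId) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return (h % 10000) / 10000 < rate;
}

// Constructed sample events, as a recorder might emit them before filtering.
const SAMPLE_EVENTS = [
  { kind: "click", x: 12, y: 40 },
  { kind: "input", field: { name: "search", type: "text" }, value: "blue shoes" },
  { kind: "input", field: { name: "pwd", type: "password" }, value: "hunter2" },
  { kind: "input", field: { name: "card_number", type: "text", autocomplete: "cc-number" }, value: "4111111111111111" },
];

// Only the click and the masked search input survive; password and card are dropped.
const recorded = SAMPLE_EVENTS.map(sanitizeReplayEvent).filter(Boolean);
```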

While the recommendation is drafted in the context of French law, its reasoning draws on core GDPR principles — purpose limitation, data minimisation, and transparency — that apply across the EU. Organisations using session replay tools in any member state should treat this as an early signal of regulatory expectations.

Acompli perspective: If your organisation uses session replay tools, this draft recommendation should prompt an immediate review. Start by checking whether your data mapping captures session replay as a processing activity, confirm that consent mechanisms meet the CNIL’s threshold, and ensure that your records of processing reflect the actual data categories being collected. The principle here is straightforward: if you cannot explain precisely what data is captured, why, and for how long, you are unlikely to satisfy a regulator’s expectations.