CNIL Consultation on Session Replay Draft Recommendation

CNIL News (France DPA)

Published February 25th, 2026

Detected March 16th, 2026

Summary

The CNIL has launched a public consultation on its draft recommendation for session replay tools. The recommendation aims to guide tool developers and website operators on compliance with data protection rules, particularly concerning user behavior monitoring. The consultation period closes on April 22, 2026.

View original document View source feed page

What changed

The CNIL, France's data protection authority, has initiated a public consultation on a draft recommendation concerning session replay tools. These tools, used to record and analyze user interactions on websites and applications, are subject to data protection regulations due to their potentially intrusive nature. The draft recommendation provides guidance for both providers of these tools and the operators who use them, addressing legal and technical challenges related to data minimization, user notification, and consent acquisition under GDPR.

The public consultation is open to all interested parties and will conclude on April 22, 2026. The CNIL encourages consolidated submissions from organizations and their representatives. Following the consultation, the CNIL will review feedback and publish a final version of the recommendation. Regulated entities, particularly website and application operators, should review the draft recommendation and consider submitting comments to influence the final guidance, which will impact their compliance strategies for user behavior tracking technologies.

What to do next

Review the CNIL's draft recommendation on session replay tools.
Submit comments to the CNIL by the consultation deadline of April 22, 2026.
Assess current use of session replay tools for compliance with draft guidance.

Source document (simplified)

Home
Session replay: the CNIL launches a public consultation on its draft recommendation

Session replay: the CNIL launches a public consultation on its draft recommendation

25 February 2026

The CNIL is launching a public consultation on its draft recommendation regarding session replay tools, which enable the monitoring and analysis of users’ online behaviour. The main goal is to support both tool developers, website and applications operators in their compliance efforts.

-

What is a session replay tool?

These tools make it possible to recreate the full browsing journey of an internet user on a website or a mobile application. They can be used to identify and fix technical issues or to improve the design and user experience of a website or mobile application.

In practice, they allow website and app operators to record user interactions such as mouse movements, screen touches, clicks, page scrolling and, in some cases, forms inputs. This data is then used to replay and visualise a user’s journey, through video replays, offering a detailed view of their navigation on a website or a mobile application.

These tools, in that they offer detailed visibility into what people are doing online, can potentially be intrusive and infringe on users’ privacy.

Professionals: A draft recommendation to regulate the use of session replay tools

Who is this draft recommendation aimed at?

The draft recommendation is aimed at two groups of stakeholders:

providers of session replay tools, who design the technical solutions and define their settings and features;
website or mobile application operators that use them.

What are the objectives of the recommendation?

This draft recommendation was developed following discussions with professionals and civil society organisations. These discussions contributed to a better understanding of the uses of session replay tools and their associated implications.

It provides practical guidance on legal and technical challenges related to data protection rules. It answers questions concerning the application of the principle of minimisation – which involves collecting information that is useful for the purpose pursued – and enables stakeholders to understand their obligations.

It also sets out the requirements professionals must meet when informing users, as well as how consent can be obtained in practice, through the use of a consent management platform (CMP), the level at which information should be provided, the wording that may be used to obtain consent, etc.

What is the timeline for the consultation, and who can contribute?

This public consultation will close on 22 April 2026.

At the end of the consultation period, the CNIL will review the contributions received and adopt a final version of the recommendation.

Any interested party may take part in the consultation. The CNIL particularly encourages participation from the stakeholders addressed by the draft recommendation, as well as the audiences directly concerned (internet users and mobile application users) and civil society organisations.

The CNIL invites stakeholders from the same organisation or sector to consolidate their comments into a single submission, in particular by coordinating with their representatives, networks, federations, associations, etc.

Participate in the consultation

Document reference