Clifford Chance
Talking Tech

Session replay tools under scrutiny: CNIL launches public consultation

Data Privacy 6 March 2026

France's data privacy regulator, the CNIL, has opened a public consultation (deadline: 22 April 2026) on a draft recommendation covering session replay tools: technologies that reconstruct individual browsing sessions by recording clicks, scrolling, mouse movements and, in some configurations, form inputs. While the text is non‑binding at this stage, the draft sets out what will likely become the CNIL’s enforcement benchmark. Publishers, vendors and their advisers should review it and respond to the consultation.

The Draft Recommendation

The CNIL anchors its analysis in the ePrivacy framework. By involving the reading and/or writing of information on users’ devices, these tools fall within Article 82 of the French Data Protection Act (LIL, transposing Article 5(3) of the ePrivacy Directive). The draft leaves little ambiguity on the applicable rule: purposes frequently invoked, such as UX optimisation, technical troubleshooting or customer support, do not qualify as "strictly necessary" for service provision. Prior consent is therefore the rule. The CNIL also insists that purposes must be defined before deployment – controllers cannot justify collection retrospectively based on what recordings happen to reveal.

The draft also addresses role allocation between publishers and providers, where guidance has been scarce:

  • Processor scenario: Where the provider merely supplies the tool and does not reuse the collected data for its own purposes, it will generally act as a processor on behalf of the publisher.
  • Independent controller scenario: The CNIL indicates that providers may qualify as independent controllers where they reuse the collected data for their own purposes (for example, to improve their products or services).
  • Joint controllership for tracker operations: where the data collected through the tracker serve both the publisher’s and the provider’s purposes, the parties may qualify as joint controllers for the underlying tracker read and write operations. In such cases, the CNIL emphasises that contractual clauses alone are not sufficient to allocate compliance responsibilities. Each controller must independently be able to rely on and demonstrate valid user consent for the purposes it pursues. The draft also highlights the need for contractual arrangements to define how proof of consent will be generated, retained and shared between the parties where relevant. Critically, consent obligations cannot simply be shifted to the publisher by contract – a point with real bite for vendor agreements and consent management platform (CMP) set-ups.

The CNIL distinguishes between stages of processing. Tracker data may give rise to “subsequent processing”, which must rely on a legal basis under Article 6 GDPR. Consent will often be the appropriate basis and can be collected through the CMP on a purpose-by-purpose basis. The CNIL encourages specific session replay disclosure at the first layer of the CMP where the privacy impact warrants it – not buried in a secondary policy page. By contrast, "further processing" for new purposes requires renewed user consent. Effectively anonymised data are excepted.

On the technical side, the draft requires privacy by design, with purpose‑driven configuration, data minimisation, masking of captured content, limited identifiers and short retention periods (a few hours post-session for support; a few months for UX or error analysis). Passwords and payment data must be blocked by default. The CNIL expects sampling or trigger-based collection – not blanket recording – and role-based access controls. Retargeting is singled out as a purpose for which session replay should never be used. Controllers must prefer less intrusive alternatives, meaning that systematic or large‑scale session replay deployments will be hard to justify. Default configurations must be privacy-protective, reflecting the principle of data protection by default.
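As an added illustration (not part of the CNIL draft or of this article), the JavaScript below sketches how a hypothetical session replay SDK could implement the technical expectations just listed: passwords and payment fields blocked by default, other inputs masked unless explicitly allowlisted, recording gated on prior purpose-specific consent with sampling, and purpose-based retention ceilings. The field descriptors, the allowlist parameter and the retention values are assumptions chosen for illustration.

```javascript
// Added example (not the CNIL's or Clifford Chance's): a privacy-by-default capture
// policy for a hypothetical session replay SDK. Field objects stand in for DOM inputs.
const PAYMENT_AUTOCOMPLETE = /^cc-/;             // cc-number, cc-exp, cc-csc, ...
const PAYMENT_NAME = /(card|cvv|cvc|iban)/i;     // over-blocking is the safe failure mode

// Decide what the recorder may keep for one field. The default is "mask"; only an
// explicit allowlist entry yields "keep"; passwords and payment fields are always
// "block" (never captured, not even in masked form).
function classifyField(field, allowlist = []) {
  const type = (field.type || 'text').toLowerCase();
  const autocomplete = (field.autocomplete || '').toLowerCase();
  const name = field.name || '';
  if (type === 'password') return 'block';
  if (PAYMENT_AUTOCOMPLETE.test(autocomplete) || PAYMENT_NAME.test(name)) return 'block';
  return allowlist.includes(name) ? 'keep' : 'mask';
}

// Apply the policy to one captured input event. Masked values keep only their
// length (enough for UX analysis); blocked events are dropped entirely.
function sanitizeInputEvent(event, allowlist = []) {
  const decision = classifyField(event.field, allowlist);
  if (decision === 'block') return null;
  const value = decision === 'keep' ? event.value : '*'.repeat(event.value.length);
  return { field: event.field.name, value, masked: decision === 'mask' };
}

// Gate recording on prior, purpose-specific consent and a sampling rate, so that
// capture is neither blanket nor consent-free. `rand` is injectable for tests.
function shouldRecordSession(consent, purpose, sampleRate, rand = Math.random) {
  if (purpose === 'retargeting') return false;   // excluded purpose, regardless of consent
  if (consent[purpose] !== true) return false;   // consent must exist before capture starts
  return rand() < sampleRate;
}

// Retention ceilings in hours per purpose (assumed illustrative values within the
// "a few hours" / "a few months" orders of magnitude). Unknown purpose: purge.
const RETENTION_HOURS = { support: 6, ux: 24 * 90, errors: 24 * 90 };
function isExpired(recordedAtMs, purpose, nowMs) {
  const limit = RETENTION_HOURS[purpose];
  if (limit === undefined) return true;
  return (nowMs - recordedAtMs) / 3600000 > limit;
}

// Constructed sample: a login form as seen by the recorder.
const sample = [
  { field: { type: 'text', name: 'email' }, value: 'a@example.com' },
  { field: { type: 'password', name: 'pw' }, value: 'hunter2' },
];
const kept = sample.map(e => sanitizeInputEvent(e)).filter(Boolean);
console.log(kept);   // one masked email event; the password event is dropped
```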

The recommendation is still a draft, but once finalised it will set the enforcement baseline. Interested organisations should audit their session replay set-ups, consent flows, role allocation and tool configuration, and respond to the consultation by 22 April 2026.

Key areas where input can shape the text

  • scope of the “strictly necessary” exemption
  • first-layer CMP disclosure
  • retention periods
  • whether the technical measures should be prescriptive or outcome-based.