How to comply with GDPR while using Smartlook session recordings

If you're using session recording tools like Smartlook to see how people interact with your website, you're probably collecting a lot more data than you realize. If any of your users are in the EU or UK, that means the GDPR applies to you—even if you’re not based there yourself.

This guide is for anyone responsible for website analytics, product management, or compliance—basically, if you clicked “install” on a session recorder, you need to read this. We’ll break down how to use Smartlook without running afoul of privacy laws, and spare you the legalese.


Step 1: Understand What GDPR Actually Requires

A lot of GDPR advice is either vague or terrifying. Here’s what actually matters with session recording:

  • Personal data is any info that can identify someone, directly or indirectly. IP addresses, email addresses, and even mouse movements can count.
  • You’re responsible for any data collected by third-party tools you install, even if you never look at it.
  • “Consent” is specific. You can’t just mention “cookies” and call it a day. If you’re recording sessions, you need clear, active consent for that.

Put simply: if your session recordings can capture personal data (and most do), you need to have a legal basis for collecting it—usually, that’s user consent.


Step 2: Configure Smartlook to Minimize Data Collection

Smartlook is powerful, but out-of-the-box it can collect more than you need. Less is better here—if you don’t have it, you can’t leak it or misuse it.

What to check and adjust:

  • Mask Input Fields: Turn on masking for all input fields (passwords, search bars, email fields, etc.). This prevents sensitive data from ever being recorded.
    • Double-check your implementation. Sometimes masking only covers default fields, and you may have custom ones.
  • Block Sensitive Pages: Don’t record pages like account settings, payment screens, or admin panels. Use Smartlook’s URL blocking or API to exclude them.
  • Disable IP Recording: If possible, set Smartlook to anonymize or not store IP addresses. This helps reduce risk.
  • Custom Events Only: If you just want to track clicks or page flows, consider disabling full session recording and relying on event tracking.

Pro Tip: Run a test session on your site and watch the playback. If you can see anything you wouldn’t want to leak (emails, names, etc.), you need to reconfigure masking and blocking.


Step 3: Update Your Consent Mechanism

This is where most sites mess up. GDPR consent means you need to:

  • Get explicit permission before recording sessions.
  • Make it as easy to refuse as to accept.
  • Give users a way to change their mind later.

What works:

  • Use a real cookie consent tool (not just a banner). It should let users opt in or out of session recording specifically—not just “analytics” in general.
    • Popular options: Cookiebot, OneTrust, or open-source scripts.
  • Don’t load Smartlook until users have opted in. That means no “fire the script before consent” shortcuts.
  • Make your consent request clear and non-deceptive: “We use session recording to improve our site. This may capture your clicks, mouse movements, and page visits. Do you agree?”
  • Respect “Do Not Track” browser settings if you want to go above and beyond.

What doesn’t work:

  • Burying session recording in a privacy policy.
  • Pre-ticked checkboxes or “by using this site, you agree…” statements.
  • Loading the script and then offering an “opt-out” after the fact.
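The "don't load until opted in" rule from this step, combined with the page blocking from Step 2, as an added example (not Smartlook's code or API): a small gate that injects the recorder only after a stored, explicit grant, never on blocked paths or when Do Not Track is set, and tears it down on withdrawal. The storage key, the blocked path patterns and the injected `loadRecorder`/`stopRecorder` callbacks are assumptions; the vendor snippet itself would go inside `loadRecorder`.

```javascript
// Consent-gated loading of a session recorder. Storage, navigator and the
// recorder hooks are injected so the logic runs (and is testable) without a DOM.

// Assumed list of pages that must never be recorded (Step 2: block sensitive pages).
const BLOCKED_PATHS = [/^\/account/, /^\/checkout/, /^\/admin/];

function isBlockedPath(pathname) {
  return BLOCKED_PATHS.some((re) => re.test(pathname));
}

function createRecorderGate({ storage, navigator, loadRecorder, stopRecorder }) {
  const KEY = 'consent.session_recording'; // assumed key, specific to recording
  let loaded = false;

  function hasConsent() {
    // Only an explicit, stored "granted" counts; missing or "denied" is no consent.
    return storage.getItem(KEY) === 'granted';
  }

  function dntEnabled() {
    return Boolean(navigator) &&
      (navigator.doNotTrack === '1' || navigator.doNotTrack === 'yes');
  }

  // Called on page load and after each SPA route change. Returns why it did
  // or did not load so the decision can be logged for the Step 7 audit trail.
  function maybeLoad(pathname) {
    if (loaded) return 'already-loaded';
    if (dntEnabled()) return 'blocked:dnt';
    if (!hasConsent()) return 'blocked:no-consent';
    if (isBlockedPath(pathname)) return 'blocked:path';
    loadRecorder(); // vendor snippet + init belong here, and nowhere earlier
    loaded = true;
    return 'loaded';
  }

  // Wire this to the consent tool's "accept session recording" callback.
  function grant(pathname) {
    storage.setItem(KEY, 'granted');
    return maybeLoad(pathname);
  }

  // Wire this to the "withdraw" control required by GDPR; stops an active recorder.
  function withdraw() {
    storage.setItem(KEY, 'denied');
    if (loaded) { stopRecorder(); loaded = false; }
    return 'withdrawn';
  }

  return { maybeLoad, grant, withdraw, hasConsent };
}
```

In a real page you would call `gate.maybeLoad(window.location.pathname)` once at startup with `localStorage` as the storage, and `gate.grant(...)`/`gate.withdraw()` from the consent tool's callbacks.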

Step 4: Update Your Privacy Policy (and Actually Mean It)

Your privacy policy isn’t just for show. It needs to:

  • Name Smartlook as a data processor.
  • Say what data you collect, why, and how long you keep it.
  • Explain users’ rights (access, erasure, etc.).
  • Tell people how to withdraw consent or request deletion.

If you’re using masking or blocking, say so. If you’ve configured Smartlook to anonymize data, mention that too. Keep it readable—people smell a copy-paste job a mile away.


Step 5: Sign a Data Processing Agreement (DPA) with Smartlook

Under GDPR, any third-party tool that processes personal data on your behalf is a “data processor.” You need a signed DPA with them.

  • Smartlook offers a standard DPA (usually linked in their dashboard or support docs). Download it, sign it, and keep it on file.
  • If you have custom privacy requirements, you might need your legal team to review the DPA or request amendments.
  • Don’t skip this step. In an audit, having a DPA is non-negotiable.

Step 6: Respect User Requests and Data Rights

GDPR gives users rights over their data. If someone asks to see their data, delete their recordings, or withdraw consent, you have to act.

  • Smartlook lets you search for and delete recordings based on user identifiers (if you collect them).
  • Set up a simple process for handling data requests—don’t make people jump through hoops.
  • Be honest. If you can’t find a session or if you’ve properly masked all data, say so.

Pro Tip: If you don’t need to tie sessions to specific users, don’t. The less you can identify, the easier compliance gets.


Step 7: Document Everything

This isn’t the fun part, but it matters when someone asks “are we compliant?”

  • Keep a log of your consent mechanism: screenshots, code snippets, and dates of any changes.
  • Document your masking/blocking settings in Smartlook.
  • Save copies of your DPA, privacy policy, and data request procedures.
  • If you work in a team, make sure someone else knows where this stuff lives.

What to Ignore (and What Not To)

  • Ignore: Scaremongering online that says you can’t use session recording in the EU at all. That’s just not true—plenty of companies do it right.
  • Don’t ignore: Half-baked consent forms or “we’ll fix it later” thinking. Regulators do audit small companies, and users are getting savvier.

Quick Checklist

Here’s a no-fluff compliance checklist:

  • [ ] Mask all sensitive fields in Smartlook
  • [ ] Block recordings on sensitive pages
  • [ ] Only load Smartlook after consent
  • [ ] Update privacy policy (mention Smartlook, data collected, user rights)
  • [ ] Sign and file a DPA with Smartlook
  • [ ] Set up a process to handle user data requests
  • [ ] Document your setup

If you can tick all these, you’re in good shape.


Wrap-Up: Keep It Simple, Review Often

GDPR compliance isn’t about chasing perfection or living in fear of fines. It’s about being clear, minimizing what you collect, and respecting your users.

Set up Smartlook with care, use plain language, and review your setup every few months. When in doubt, collect less—nobody ever got in trouble for not storing someone’s email address.

If something changes (like Smartlook updates their features, or your site adds new forms), revisit your privacy approach. Don’t get paralyzed by complexity—iterate as you go.