
Session Replay Tools and CIPA: Are Hotjar, FullStory, and Clarity Putting You at Risk? (2026)

Eddy Udegbe
Session replay tools create direct CIPA § 631(a) exposure — but unlike Meta Pixel, the tape recorder defense is available if your vendor contract is structured correctly. Here is what Graham v. Noom requires and what your implementation must do.

In this guide:

  • What session replay tools capture and why § 631(a) applies directly
  • Why the tape recorder defense is available — and what it requires
  • Free-tier vs. enterprise agreements — why the tier matters
  • What a CIPA-defensible session replay implementation requires
  • Frequently asked questions

Do session replay tools violate CIPA? Session replay tools create significant CIPA exposure under § 631(a) — the wiretapping provision — because they capture the contents of user communications in real time, including keystrokes, form inputs, and mouse movements, through third-party vendor infrastructure. Unlike advertising pixels, however, a legal defense is available for session replay tools if the vendor relationship is structured correctly. Whether your specific deployment is defensible depends on two factors: whether your consent architecture blocks the tool before consent is received, and whether your vendor contract contains the specific provisions that produced a successful defense in Graham v. Noom.

Session replay tools sit in a different legal position than Meta Pixel. They carry higher intrinsic risk under the wiretapping provision because of what they capture. And they offer a more complete compliance pathway because the tape recorder exception is genuinely available — if you build it correctly.

Here is what you need to know about both.

What session replay tools capture and why § 631(a) applies directly

Session replay tools — Hotjar, FullStory, Microsoft Clarity, LogRocket, Mouseflow, and their equivalents — are designed to record exactly what a user does during a visit to your website. Every mouse movement. Every scroll. Every click. Every keystroke typed into every field on the page, including characters the user later deletes, text entered into search bars that is never submitted, and information typed into form fields that the user abandons before completing.

This last category is the legally significant one. When a user types a message into your website's chat widget, enters a search query, begins filling out a contact form, or starts typing their email address into a newsletter signup — they are communicating. The content of that communication is what they are typing. A session replay tool that captures every keystroke as it is entered is capturing the contents of that communication in real time, as it occurs, before it has been transmitted to you as the website operator.

This is the specific behavior that § 631(a) was written to prohibit. The section covers intentionally reading or learning the contents of a communication while it is in transit. Courts have consistently held that keystrokes captured before submission qualify as communication contents in transit — not stored data being accessed after the fact, but an active interception of what a user is in the process of communicating.

The St. Aubin v. Carbon Health decision expanded this further. The court held that descriptive URLs — web addresses that reveal what a user was searching for — can also qualify as communication contents under § 631(a). A session replay tool captures the full URL of every page a user visits. On a health platform, e-commerce site, or any site with a search function, those URLs frequently reveal exactly what a user was looking for in meaningful detail.

The third-party structure completes the CIPA analysis. The user communicates with your website. You are the intended recipient. The session replay vendor's infrastructure captures the communication as it flows — receiving a copy of the user's keystrokes, movements, and inputs on their own servers, before those inputs reach you. Three parties. Real-time interception. The § 631(a) structure is present.

Why the tape recorder defense is available — and what it requires

This is where session replay tools diverge significantly from advertising pixels, and where the compliance story becomes more constructive.

Graham v. Noom, decided by the Northern District of California in 2021, involved a FullStory session replay deployment. The plaintiff alleged that FullStory was acting as an unauthorized third-party eavesdropper under § 631(a). Noom moved to dismiss. The court agreed and dismissed the claim — on the basis that FullStory was not an independent eavesdropper but rather Noom's agent, functioning like a tape recorder that Noom was operating to capture its own users' sessions.

The facts that produced that outcome were contractual. Noom's agreement with FullStory explicitly prohibited FullStory from using collected data for any purpose other than providing the session replay service to Noom. FullStory could not sell the data, use it for its own advertising targeting, train its own models on it, or derive any independent commercial value from it. Under those conditions, FullStory was not a party with its own interests in the communication. It was a service provider acting entirely on Noom's behalf.

This is the defense. It is real, it has worked in court, and it is available for session replay tools in a way it is not available for advertising pixels — because session replay vendors, unlike Meta, are not in the business of independently monetizing the data they collect on your behalf.

But the defense has a precise set of requirements. Three contractual provisions must be in place before the defense is available.

The independent data use restriction must be explicit and comprehensive. The vendor agreement must prohibit the vendor from using collected data for advertising, model training, product benchmarking, audience building, or any other independent commercial purpose. A general statement that the vendor processes data on your behalf is insufficient. The prohibition must be affirmative and specific.

The processor classification provision must designate the vendor as a data processor acting on your instructions, not an independent controller. This aligns the CIPA analysis with the legal framework that courts have found dispositive: the vendor is your instrument, not an independent party.

The AI training carve-out must be identified and addressed. Most major session replay vendors have introduced AI-powered features — session summaries, behavior pattern detection, heatmap generation — that may involve using session data to train or improve their own models. Standard enterprise agreements increasingly include carve-outs permitting this use. If your agreement contains an AI training carve-out and you have not explicitly opted out, the independent data use restriction may be materially incomplete — and the defense it is supposed to support may not hold.

Free-tier vs. enterprise agreements — why the tier matters

The tape recorder defense depends entirely on what your vendor contract says. And the terms available on a free plan are not the terms that produced the Noom outcome.

Microsoft Clarity is free. The standard Clarity terms do not contain the same independent-use restrictions as a negotiated enterprise agreement. Microsoft uses Clarity data to improve its own products. If you are running Clarity under the standard free terms, the tape recorder defense is not available — the vendor relationship does not support it, regardless of how well your consent architecture performs.

Hotjar's free and starter tiers similarly carry terms that differ from its enterprise agreements. FullStory's free tier likewise has terms that differ from the DPA available on paid plans.

The practical implication is straightforward: the tier at which you run a session replay tool is a compliance decision, not just a budget decision. If your session replay tool is on a free plan, assume the tape recorder defense is unavailable until you have reviewed the specific terms and confirmed that an independent-use restriction exists. If it does not, upgrade to a plan where a DPA can be executed, or treat the tool as carrying the same compliance burden as an advertising pixel — consent mechanism only, no contractual backstop.

What a CIPA-defensible session replay implementation requires

Two things must both be true. The vendor contract must support the tape recorder defense. And the consent architecture must prevent the tool from firing before consent is received. Neither alone is sufficient.

On the consent architecture side, session replay tools require the same pre-consent blocking implementation as any other high-risk tracking tool: the tool must be deployed through your tag management system, set to blocked by default, and configured to require affirmative analytics or functional consent before executing. The tool must not fire during the window between page load and consent banner interaction — a user who lands on your page and immediately begins typing into a search bar must not have those keystrokes captured before they have consented.

On the vendor contract side, confirm three things before relying on the tape recorder defense: the independent data use restriction is present and explicit, the AI training carve-out has been opted out of or is absent, and the DPA has been executed for your specific account rather than merely offered as a template.

Test the implementation the same way you would test any tracking tool. Load the site in a fresh private browser and watch for any requests to the session replay vendor's domain before consent. Click decline and watch for any subsequent replay requests. Enable GPC and confirm no replay requests appear. If any of these tests produce requests before consent or after decline, the consent architecture has a gap that the vendor contract cannot compensate for.
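The consent gate described above and the request-log check from the test procedure, as an added example that is not part of the original post or any vendor's SDK. All names are hypothetical, and "replay-vendor.example" is a placeholder host, not a real vendor domain; the request log is constructed inline.

```javascript
// Added example, not from the original post. Hypothetical names throughout;
// "replay-vendor.example" is a placeholder host, not any vendor's real domain.
const REPLAY_HOSTS = ["replay-vendor.example"];

// Consent gate: the replay loader stays blocked until affirmative analytics
// consent, and is treated as declined when the browser sends Global Privacy
// Control (in a page: navigator.globalPrivacyControl === true).
class ReplayConsentGate {
  constructor(loadVendor, gpcEnabled) {
    this.loadVendor = loadVendor; // injected; in a page this inserts the vendor script tag
    this.gpcEnabled = gpcEnabled;
    this.state = "pending";       // "pending" | "granted" | "declined"
    this.loadCount = 0;           // the vendor script is injected at most once
  }
  grant() {
    if (this.gpcEnabled) { this.state = "declined"; return false; }
    this.state = "granted";
    if (this.loadCount === 0) { this.loadCount = 1; this.loadVendor(); }
    return true;
  }
  decline() { this.state = "declined"; return false; }
}

// Audit a captured request log (host + ms since page load) against the consent
// event: any replay-vendor request before consent, or after a decline, is a gap
// that the vendor contract cannot compensate for.
function isReplayHost(host) {
  return REPLAY_HOSTS.some((h) => host === h || host.endsWith("." + h));
}
function auditRequests(requests, consent) {
  const gaps = [];
  for (const r of requests) {
    if (!isReplayHost(r.host)) continue;
    if (consent === null || r.ts < consent.ts) gaps.push({ ...r, reason: "before-consent" });
    else if (consent.decision !== "granted") gaps.push({ ...r, reason: "after-decline" });
  }
  return gaps;
}

// Constructed sample log: a replay beacon fires 120 ms after load, before the
// banner is answered at 1500 ms; a second one fires after the answer.
const SAMPLE_REQUESTS = [
  { ts: 40, host: "www.site.example" },
  { ts: 120, host: "cdn.replay-vendor.example" },
  { ts: 2000, host: "cdn.replay-vendor.example" },
];
console.log(auditRequests(SAMPLE_REQUESTS, { ts: 1500, decision: "granted" }));
```

Run the audit once per scenario in the procedure (accept, decline, GPC enabled); an empty result for all three is what a defensible consent architecture looks like.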

Frequently asked questions

Do Hotjar, FullStory, and Microsoft Clarity violate CIPA?

They create CIPA exposure under § 631(a) because they capture communication contents in real time through third-party infrastructure. Whether a specific deployment violates CIPA depends on two factors: whether the tool fires before consent is received, and whether the vendor contract supports the tape recorder defense. A deployment where the tool is gated behind prior consent and the vendor agreement contains the required provisions is defensible. A deployment where either element is missing is exposed.

What is Graham v. Noom and why does it matter?

Graham v. Noom is a 2021 Northern District of California decision that dismissed a CIPA § 631(a) claim against Noom for its use of FullStory. The court held that FullStory was acting as Noom's agent rather than an independent eavesdropper, because the vendor contract explicitly prohibited FullStory from using collected data for its own purposes. The case established that the tape recorder defense is available for session replay tools — but conditioned that availability on specific contractual terms. It is the most important precedent for session replay tool compliance and the direct basis for the vendor contract requirements described in this post.

Is Microsoft Clarity CIPA compliant?

Microsoft Clarity under its free standard terms does not support the tape recorder defense because Microsoft uses Clarity data to improve its own products — a form of independent data use that defeats the agent characterization. A Clarity deployment under standard free terms should be treated as carrying the consent mechanism as its only defense. For enterprise deployments with negotiated terms that include independent-use restrictions, the analysis differs. If you are running Clarity on the free tier, review the current terms and assess whether the defense is available before relying on it.

Do I need to disable session recording on form pages?

Not necessarily — but it is the highest-risk configuration. Form pages where users type sensitive information create the clearest § 631(a) exposure because the captured keystrokes most directly qualify as communication contents. If your session replay tool is running with proper prior consent and the vendor contract supports the tape recorder defense, form page recording is defensible. If either element is missing, form pages represent your highest-priority remediation target. Many compliance programs disable session replay on checkout and account creation pages as a risk reduction measure regardless of overall compliance posture.

Can session replay data be used in court against me?

In litigation, opposing counsel can seek discovery of records relevant to the claims. Session replay data that captures the specific user interaction at the center of a CIPA claim could be discoverable. This is one reason maintaining clear consent records is important: records showing that the specific session was recorded only after valid consent was obtained are a meaningful defense exhibit. Records showing the session was recorded before consent was possible are the opposite.

What this means for your compliance program

Session replay tools require the same pre-consent blocking architecture as every other high-risk tracking tool. What distinguishes them is that the vendor contract layer can provide meaningful additional protection — if it is built correctly. That additional protection is worth having, because it converts a single-point-of-failure compliance posture into one with a secondary defense.

The compliance program for session replay tools is therefore: implement pre-consent blocking first, then secure the vendor contract provisions that support the tape recorder defense. Both workstreams are required. Neither substitutes for the other.

The infrastructure answer

If you are unsure whether your current session replay deployment fires before consent or whether your vendor agreement supports the defense, the PieEye compliance scan identifies consent timing failures across all tracking tools including session replay — telling you exactly where the pre-consent blocking gap is before a plaintiffs' attorney's scan finds it first.

For the complete technical architecture required to implement pre-consent blocking across your full tracking stack, the CIPA compliance guide covers every component in detail.

Run a free PieEye compliance scan — it takes minutes, requires no code changes to initiate, and tells you exactly what a plaintiffs' attorney's scanning tool would find if it looked at your website today.

For a walkthrough of how PieEye handles CIPA compliance, book a demo.
