Header background

Understand customer experience with Session Replay without compromising data privacy

We've developed Session Replay with data privacy regulations and laws in mind, including GDPR (in Europe), California Consumer Privacy Act (CCPA), and Brazilian General Data Protection Law (LGPD).

Dynatrace introduced Session Replay some time ago to help modernize your DEM strategy. Session Replay enables you to capture and visually replay the complete digital experience of your end users. It helps you identify errors, analyze areas of struggle, and provides tons of analytical data for your testing teams. For details, see how to get the most value out of Session Replay.

We developed Session Replay with data privacy regulations and laws in mind, such as GDPR (in Europe), California Consumer Privacy Act (CCPA), and Brazilian General Data Protection Law (LGPD).  This allows you to capture your users’ experiences while remaining compliant with the data privacy regulations of your region. Session Replay is bundled with private-data masking rules that are enabled by default. Data masking rules enable you to fine-tune and customize masking to protect any sensitive data that may be captured by your applications. Proper configuration of these rules is required to ensure the privacy of your end users’ personal data.

We reached out to a number of Dynatrace customers to fully understand their pain points. Here’s some of what they had to say:

  • Our application exposes sensitive data on the registry page. We want to exclude this registry page from being recorded. Is it possible to configure this by using the Dynatrace web UI or can this be achieved only through the API?
  • If the masking rules are wrongly configured when a session is recorded, is there a way of preventing those who have access to Session Replay from viewing sensitive data?

From all the input that we received, we’ve decided to release a series of enhancements to Session Replay. See below for details on what we’ve released so far.

URL exclusion

To exclude pages from Session Replay recording in Dynatrace versions 1.183 and earlier, you had to modify the source code of your application by calling dtrum.disableSessionReplay(). This meant that you could only exclude the pages of applications for which you could access the source code—it wasn’t applicable to third-party applications.

With the introduction of the new URL exclusion feature, Dynatrace now provides the option to exclude pages and views from being recorded without changing the application code. You can configure an application to exclude pages from recording by adding regular expressions that match the respective URLs. These rules can be configured for individual web pages, entire websites, and even single-page applications.

To exclude URLs from Session Replay recording

  1. Select Applications from the Dynatrace navigation menu.
  2. Select the application you want to configure.
  3. Open the context menu () and choose Edit.
  4. Under Application settings, select the Session Replay tab.
  5. Scroll down to URL exclusion and select Add exclusion rule.
  6. Type in an exclude recording rule that identifies specific URLs using regular expressions.
  7. Select Add rule.
    Url exclusion section

With this configuration, the recorder, which runs in your end-user’s browser, evaluates every exclusion rule against the current page URL in the session, and, when it finds a match, Session Replay data from that page isn’t collected.

Note that despite this configuration, you can still measure the performance of the page because Session Replay URL exclusion is independent of your RUM configuration. So all RUM-related data will continue to be captured.

Apply masking rules during replay

Another cool new feature in Dynatrace version 1.189 is the ability to reapply masking rules at replay time. Previously, if masking rules weren’t properly configured before sessions were captured, the only way to hide sensitive information from users with access to Session Replay was to contact Dynatrace and request that the recorded sessions be deleted.

Dynatrace now applies the existing masking configuration to sessions when they’re replayed. This ensures that sensitive data won’t be visible to users who play back sessions that were recorded before masking rules were properly configured. For example, if you play back a recorded session and notice that some sensitive information on the Create new customer account page was not correctly masked, you can now perform steps to hide the sensitive data during replay.

To ensure that users with access to Session Replay will not see recorded sensitive data, perform the following steps:

  1. Select Applications from the Dynatrace navigation menu.
  2. Under Application settings, select Session Replay, and add the masking rules.
  3. Go back to the Session Replay page and refresh it.

The following two-minute video shows you how to hide sensitive data during replay:

masking rules applied at replay time

What’s next?

This is only the beginning of the Session Replay enhancements that we have planned. There’s much more to come. The next installment of enhancements will address the following requests from our customers:

  • Is there a way to evaluate Session Replay by enabling it and automatically ensuring that no sensitive data is captured?
  • Can I decide which teams in my organization are able to replay sessions and which users can view sensitive data while playing back those sessions?

Based on these customer requests, we’re now developing default masking configurations so that you can start using Session Replay without worrying about unintentionally capturing sensitive data. We’re also aiming to help you define roles to give you more control over defining the users that should be granted access to recorded sessions.

Stay tuned and watch this space for upcoming announcements!