DocsSession ReplayPrivacy Controls

Session Replay for Web Privacy Controls

Last updated July 30th, 2024

Introduction to Session Replay for Web

Mixpanel offers a privacy-first approach to Session Replay, including features such as data masking. Mixpanel’s Web Session Replay privacy controls were designed to assist customers in protecting end user privacy.

Data privacy regulations are rapidly evolving and vary considerably across states and countries. A consistent requirement across many data privacy regulations for website operators is disclosing to end users that their personal information is being collected, often in a privacy notice. Before implementing Session Replay on your website, a best practice is to review your privacy notice with legal counsel to ensure it remains accurate and compliant with data privacy laws.

How does Session Replay (Web) work?

Session Replay for Web captures the Document Object Model (DOM) structure and changes to it. Mixpanel then reconstructs the web page, applying recorded events at the time an end user completed them. Within Mixpanel’s platform, you can view a reconstruction of your end user’s screen as they navigate your website. However, Session Replay for Web is not a video recording of your end user’s screen and end user actions are not literally video-recorded.

How does masking and blocking work? What are the high-level technical details?

Masking and blocking are slightly different.

Masked data is suppressed client-side, meaning it is not collected in its original form by Mixpanel’s SDK, and the data is not stored on Mixpanel servers. Masked elements have their text replaced with asterisks of the same length [****].

Blocked data is similarly suppressed client-side, meaning it is not collected in its original form by Mixpanel’s SDK, and the data is not stored on Mixpanel servers. However, blocked elements will be rendered with a placeholder element (e.g., an empty box of similar size).

Note: interactions (such as mouse-clicks) with blocked and masked elements are still captured by Session Replay for Web.

Configuring Privacy Controls

By default, Mixpanel masks and/or blocks the most common elements that contain content like input text, non-input text, images, and videos. However, Mixpanel also offers its customers a range of privacy controls to choose to unmask / unblock elements as needed, which are detailed further on this page.

Element TypeDefault StateCustomizable
InputsMixpanel attempts to mask all user input text. When a user enters text into an input field, Mixpanel captures [****] in place of text.No. You cannot disable this privacy feature.
TextBy default, Mixpanel attempts to mask all non-input text on your webpage. This masked content on your webpage is replaced with [****].Yes. Mixpanel empowers its customers to decide to record all non-input text as-is. First, change record_mask_text_selector’s default value from “*” to “” to make all text elements no longer masked. Then, you can individually mask each text element detailed in the next section.
Videos and ImagesBy default, Mixpanel blocks videos and images. These elements will be rendered with a placeholder element (i.e., an empty box of similar size). Note: interactions with blocked elements will still be captured (e.g., mouse-clicks).Yes. Mixpanel empowers its customers to decide to record images and videos as-is.

Other elements not listed in this table are captured by default, and can be blocked at your discretion. You can specify a CSS selector under the config option record_block_selector to block all elements which match the selector.

How to mask and block elements

  • To mask text, add the class name “.mp-mask.” Masked content is replaced with [****]
  • To block elements containing text entirely, add the class name “.mp-block.” Blocked content will be rendered with a placeholder element
  • Specify a CSS selector record_mask_text_selector to mask all text in elements that match the selector

Example code below for masking text:

mixpanel.init(YOUR_PROJECT_TOKEN, {record_mask_text_selector: ''})
<div class="text mp-mask">This text is masked!</div>

Example code below for blocking elements:

mixpanel.init(YOUR_PROJECT_TOKEN, {record_block_selector: '.sensitive-data'})
<img src="https://image.com" class="mp-block"/>

Disabling Replay Collection

Once enabled, Session Replay runs on your website until either:

  • The user leaves your site
  • The user is inactive for more than 30 minutes
  • You call mixpanel.stop_session_recording()

Call mixpanel.stop_session_recording() before a user navigates to a restricted area of your site to disable replay collection while the user is in that area. To restart replay collection, call mixpanel.start_session_recording() to re-add the plugin.

Additional Considerations

WebComponents that utilize HTML attributes may be ingested and stored by Session Replay for Web, regardless of whether they are displayed in an individual recording as text. Customers should utilize the block functionality outlined above to the extent specific areas of a webpage should not be ingested.

User Opt-Out

Mixpanel’s Session Replay for Web follows Mixpanel’s standard SDK opt-out setting.

Data Deletion

Deletion requests for Session Replay for Web use Mixpanel’s standard end user management process for events documented here.

Data Retention

Mixpanel retains Session Replays for 30 days from the date the replay is ingested and becomes available for viewing within Mixpanel.

Was this page useful?