From 1ae7b007311a612d3d24ea8d9aba55c808da136f Mon Sep 17 00:00:00 2001 From: Alex Krawiec Date: Thu, 5 Jun 2025 12:03:01 -0700 Subject: [PATCH 1/2] Add updates regarding replay to user privacy page --- .../scrubbing/protecting-user-privacy.mdx | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/security-legal-pii/scrubbing/protecting-user-privacy.mdx b/docs/security-legal-pii/scrubbing/protecting-user-privacy.mdx index 16fe968abb92b..f96cacf357bf0 100644 --- a/docs/security-legal-pii/scrubbing/protecting-user-privacy.mdx +++ b/docs/security-legal-pii/scrubbing/protecting-user-privacy.mdx @@ -56,6 +56,22 @@ A: Yes, [our BAA](https://sentry.io/legal/baa/) covers HIPAA requirements for an A: As with all user data that you submit to Sentry for processing on your behalf, you are responsible for providing appropriate notices to your users. How you choose to configure Session Replay and your own site or app will ultimately determine the contents and presentation of your user privacy notices. +**Q: Do I need to obtain consent from my users to use Session Replay?** + +A: As with notices (see above), you need to consider whether or not you have to obtain user consent. In the U.S. in particular, we've noticed an [increase in lawsuits under U.S. state wiretapping laws](https://iapp.org/resources/article/us-litigation-series-website-tracking/) that involve session replay software. You should evaluate the risk based on your location, service, and customer type, and whether you want to mitigate the risk by obtaining consent from your users to collect data about their interaction with your services via Session Replay. + +**Q: What should consent for Session Replay look like?** + +A: Consent can take different forms, including using consent banners or similar technology, as well as consent incorporated into your terms of service with users. The type of consent you want to present (if any) is going to depend largely upon your assessment of the risks based on your location, service, and customers. + +Here's an example of consent language: + +> Provider may use and collect data and learnings about customer's use of the Provider service, including customer's behavior within the Provider service, such as clicks, scrolls, mouse movements, keystrokes, page refreshes, and other user session information to operate, improve, and support the Provider service for other lawful business purposes. + +**Q: How do I configure Sentry SDK's for Session Replay to be compatible with a consent banner?** + +A: If you choose to utilize a consent banner, you can find [technical guidance](https://sentry.zendesk.com/hc/en-us/articles/37358708239003-How-can-I-delay-replay-recording-until-a-user-consents) to configure Session Replay SDKs to initiate only after user consent is obtained. + **Q: Where is Session Replay data hosted?** See our [subprocessor list](https://sentry.io/legal/subprocessors/) for our infrastructure hosting location, which applies to all data within your specific Sentry instance, including Session Replay data. @@ -63,3 +79,5 @@ See our [subprocessor list](https://sentry.io/legal/subprocessors/) for our infr **Q: How long do you retain Session Replay data?** Please see [our security policy](https://sentry.io/security/). Our data retention policy applies to the overall Sentry service, including Session Replay. + +*The information on this page is for information purposes only and does not constitute legal advice. You should consult with your own legal counsel to determine how relevant laws and regulations apply to your specific situation, taking into account your specific configuration and use of Sentry and Session Replay, and to ensure your compliance.* From a4ba4caa2019681192570fdaee160dab8990979c Mon Sep 17 00:00:00 2001 From: Alex Krawiec Date: Fri, 6 Jun 2025 12:03:26 -0700 Subject: [PATCH 2/2] Small copy update from stakeholder --- docs/security-legal-pii/scrubbing/protecting-user-privacy.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security-legal-pii/scrubbing/protecting-user-privacy.mdx b/docs/security-legal-pii/scrubbing/protecting-user-privacy.mdx index f96cacf357bf0..d032bb06226f1 100644 --- a/docs/security-legal-pii/scrubbing/protecting-user-privacy.mdx +++ b/docs/security-legal-pii/scrubbing/protecting-user-privacy.mdx @@ -66,7 +66,7 @@ A: Consent can take different forms, including using consent banners or similar Here's an example of consent language: -> Provider may use and collect data and learnings about customer's use of the Provider service, including customer's behavior within the Provider service, such as clicks, scrolls, mouse movements, keystrokes, page refreshes, and other user session information to operate, improve, and support the Provider service for other lawful business purposes. +> Provider may use and collect data and learnings about customer's use of the Provider service, including customer's behavior within the Provider service, such as clicks, scrolls, mouse movements, keystrokes, page refreshes, and other user session information to operate, improve, and support the Provider service and for other lawful business purposes. **Q: How do I configure Sentry SDK's for Session Replay to be compatible with a consent banner?**