Metrica

Sensitive data masking in Session Replay

23 April, 13:15

Session Replay helps you find flaws in site design by showing you how people interacted with a site in the tiniest detail, including filling out form fields. However, this option should still protect the privacy of site users. That is why we are introducing sensitive data masking, where all the contents of form fields that may contain sensitive data are now automatically changed to asterisks.

How does it work?

Yandex.Metrica only scans the form field name (for example, “Your email”), and the format of the data a user enters into that field (for example, “***@***.com”). We never analyze the meaning of the content in the form fields. Based on that data, a form field can then be classified as sensitive, and all its content will be changed to asterisks.

What kind of information is now masked?

All contents of the fields that can possibly contain a person’s name, surname, address, contact details and payment information. As usual, password-type fields have their data masked as well.

Does this change require any actions from me?

The update should not in any way interfere with analyzing site usability. However, in rare cases, the system may wrongly classify a field as sensitive or non-sensitive. Therefore, we recommend checking that the form field classification is working correctly for your site.

If any fields are wrongly classified, you can use special CSS classes for them. Assign the CSS class -ym-disable-keys for fields that should not be recorded, while you can use the CSS class -ym-record-keys for fields that should be recorded. If you are unsure how to do this, ask your website developer for help. More information can be found in the relevant Help section.

How does this update affect the “Record all fields” toggle?

By default, this toggle is in the “on” position. This means that Session Replay will record all fields that are not password-type fields. At the same time, the contents of sensitive fields will be automatically masked. If the toggle is moved to the “off” position, Session Replay will only save the contents of fields that have the CSS class -ym-record-keys set.
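
The rules above (the two CSS classes and the “Record all fields” toggle) can be turned into a quick check of a form before release. The following JavaScript is an added example, not Yandex.Metrica code: the SENSITIVE_HINT pattern, the function names, the sample fields, and the choice to treat -ym-disable-keys as winning when both classes are set are assumptions made for illustration.

```javascript
// Added example: models the recording rules stated in this post; not Yandex.Metrica code.
// SENSITIVE_HINT is our own constructed heuristic, not Metrica's classifier.
const SENSITIVE_HINT = /(name|mail|phone|tel|addr|street|zip|postal|card|cvc|cvv|iban)/i;

// field: { name, type, classes: string[] }; recordAll: state of "Record all fields".
function expectedOutcome(field, recordAll) {
  const cls = new Set(field.classes || []);
  if (field.type === "password") return "masked";
  // Assumption: if both classes are present, treat the field as not recorded.
  if (cls.has("-ym-disable-keys")) return "not-recorded";
  if (cls.has("-ym-record-keys")) return "recorded";
  // Toggle on: recorded, masked only if Metrica classifies the field as sensitive.
  return recordAll ? "auto-classified" : "not-recorded";
}

// Returns the fields a reviewer should look at, with the reason.
function auditFields(fields, recordAll) {
  const findings = [];
  for (const f of fields) {
    const outcome = expectedOutcome(f, recordAll);
    const looksSensitive =
      SENSITIVE_HINT.test(f.name || "") || ["email", "tel"].includes(f.type);
    if (looksSensitive && outcome === "recorded") {
      findings.push({ name: f.name, issue: "sensitive-looking field forced to record" });
    } else if (looksSensitive && outcome === "auto-classified") {
      findings.push({ name: f.name, issue: "relies on automatic masking; verify in a replay" });
    }
  }
  return findings;
}

// Browser helper: turn the live page's form controls into the shape used above.
function collectFromDom(doc) {
  return Array.from(doc.querySelectorAll("input, textarea, select")).map((el) => ({
    name: el.name || el.id || "",
    type: (el.type || "").toLowerCase(),
    classes: Array.from(el.classList),
  }));
}

// Constructed sample form, for illustration only.
const sampleFields = [
  { name: "email", type: "email", classes: [] },
  { name: "card_number", type: "text", classes: ["-ym-record-keys"] },
  { name: "delivery_address", type: "text", classes: ["-ym-disable-keys"] },
  { name: "search", type: "search", classes: [] },
  { name: "pwd", type: "password", classes: [] },
];
console.log(auditFields(sampleFields, true));
```

In a browser console, auditFields(collectFromDom(document), true) runs the same check against the live page.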

If you have any other questions about this update, please feel free to ask us in the comments or contact us via our feedback form.

To learn more about other steps Yandex.Metrica is taking to enhance user privacy, check out our page on GDPR compliance.