Amazon CloudWatch RUM (Real User Monitoring) is an AWS service that collects performance, error and user journey data from real browsers and feeds it into the CloudWatch console for engineering and SRE teams. The web client is a JavaScript SDK that batches page views, Core Web Vitals (LCP, INP, CLS), JavaScript errors, custom events and an optional session replay payload, then sends them to a CloudWatch RUM data plane endpoint in the AWS region you configure. By default it uses localStorage rather than cookies, so it can be deployed in a cookieless mode, but it still stores a session identifier on the visitor's terminal, which falls under Article 5(3) of the ePrivacy Directive.
Amazon CloudWatch RUM is part of the AWS observability stack. After creating an AppMonitor in the AWS console, the operator embeds a small JavaScript snippet that loads the cwr web SDK from a public Amazon CloudFront URL. The SDK observes the browser using PerformanceObserver, the Long Tasks API, error events, navigation timings and an optional session replay engine. It batches the events every few seconds and pushes them to the regional CloudWatch RUM data plane endpoint, where they are stored, aggregated and exposed through CloudWatch dashboards, Contributor Insights and CloudWatch alarms.
By default CloudWatch RUM stores a session and a user identifier in localStorage rather than in cookies, which makes it cookieless from a banner perspective but still subject to Article 5(3) ePrivacy because it accesses the device storage. Each event payload typically contains the AppMonitor ID, the session ID, the URL of the current page, the referrer, the user agent, the device type, Core Web Vitals (LCP, INP, CLS, FCP, TTFB), navigation and resource timings, JavaScript errors with stack traces, HTTP request metrics from the Fetch and XHR observers, and any custom event the operator emits via the recordEvent API. The visitor IP address is observed by AWS at the network level when the request reaches the data plane.
Even cookieless analytics fall under Article 5(3) of the ePrivacy Directive when they read or write data on the user device. The CNIL exemption for audience measurement is narrow and requires the data to be collected on behalf of the operator only, not shared with third parties for further use, with IP truncation, no cross-site tracking and a clear opt-out. Native CloudWatch RUM does not meet every requirement out of the box, so most European deployments need either explicit consent (Article 6(1)(a)) or a configuration that enforces all CNIL conditions through SDK options and request rewriting. Operators activating session replay must always rely on consent because session replay can capture personal data inside form fields and URLs.
CloudWatch RUM is regional: events stay in the AWS region of the AppMonitor. To keep European personal data inside the EEA, create the AppMonitor in Frankfurt, Ireland, Paris, Stockholm or Milan, and ensure your CloudWatch dashboards, alarms and Lambda subscribers are also deployed in the same region. AWS acts as a processor under the AWS GDPR Data Processing Addendum and is certified under the EU-US Data Privacy Framework, which provides additional safeguards if a US region must be used for global teams.
The recommended approach is to gate the CloudWatch RUM SDK loading through your CMP and to expose two switches: one for the strictly necessary error tracking (which can be argued under legitimate interest with IP truncation) and one for the optional session replay or custom event reporting that always requires consent. Use the disableCookies and identityPoolId options carefully, prefer the unauthenticated Cognito Identity Pool to avoid linking events to AWS user accounts, and clear the localStorage entries cwr_s and cwr_u when the visitor opts out.
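One way to wire the two CMP switches described above, as an added example that is not AWS or FlowConsent code: `createRumConsentGate`, `loadSdk`, `stopSdk` and `MemoryStorage` are hypothetical names, and only the `cwr_s` and `cwr_u` keys come from this page. The gate fails closed and purges the stored identifiers on every refusal, including one made on a later visit when the SDK was never loaded.

```javascript
// Added example: consent gate for the CloudWatch RUM web client.
// RUM_STORAGE_KEYS comes from the page; every other name is hypothetical.
const RUM_STORAGE_KEYS = ['cwr_s', 'cwr_u'];

function createRumConsentGate({ storage, loadSdk, stopSdk }) {
  let loaded = false;        // has the SDK been started in this page view?
  let replayEnabled = false; // are the optional features currently on?

  function purge() {
    // Remove identifiers written by an earlier, consented session.
    for (const key of RUM_STORAGE_KEYS) storage.removeItem(key);
  }

  return {
    // consent = { monitoring: boolean, replay: boolean } as reported by the CMP.
    apply(consent) {
      const monitoring = consent.monitoring === true;       // fail closed
      const replay = monitoring && consent.replay === true; // replay needs both

      if (!monitoring) {
        if (loaded) stopSdk(); // stop batching before wiping identifiers
        loaded = false;
        replayEnabled = false;
        purge();
        return { loaded, replayEnabled };
      }
      if (!loaded) {
        loadSdk({ replay });
        loaded = true;
      } else if (replay !== replayEnabled) {
        // Optional-feature consent changed mid-session: restart with new flags.
        stopSdk();
        loadSdk({ replay });
      }
      replayEnabled = replay;
      return { loaded, replayEnabled };
    },
  };
}

// Constructed in-memory stand-in for window.localStorage so the block runs under Node.
class MemoryStorage {
  constructor(seed = {}) { this.items = new Map(Object.entries(seed)); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
  removeItem(k) { this.items.delete(k); }
}
```

In a browser, pass `window.localStorage` as `storage` and call `apply` from the CMP's consent-change callback as well as on page load.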
Choose an EU region for the AppMonitor, sign the AWS GDPR DPA, set sessionSampleRate to a value that minimises data collection, disable session replay or activate the masking rules to redact form inputs, configure short retention on the underlying CloudWatch Logs (30 to 90 days), strip query string parameters that may contain personal data with the urlsToInclude option, document the IAM principals authorised to read RUM data, and add CloudWatch RUM to your record of processing activities and your privacy policy.
Websites using Amazon CloudWatch RUM must obtain user consent under GDPR regulations.
DPIA considerations
A standalone DPIA on CloudWatch RUM is rarely required because the service is not used for behavioural advertising or scoring. A DPIA is appropriate when the operator activates session replay (which can capture URLs, form fields, mouse moves and DOM mutations), when CloudWatch RUM is correlated with X-Ray and CloudWatch Logs to reconstruct individual journeys, when the AppMonitor is hosted in a US region and personal data is transferred outside the EEA, or when custom events are used to capture identifiers (user IDs, e-mail hashes, customer numbers). The DPIA should cover the data categories collected by the SDK, the AWS region, the IAM access scope, the retention configured in CloudWatch Logs and the masking rules applied to session replay.
Sample consent text
Our website uses Amazon CloudWatch RUM to monitor real user performance, page load times and JavaScript errors. With your consent, the CloudWatch RUM SDK will run in your browser, store a session identifier in localStorage and send technical data including Core Web Vitals, navigation timings, errors and a truncated IP address to AWS infrastructure in the European region we have selected. We do not use this data for advertising or for individual profiling. You can refuse this measurement at any time from the cookie preferences page.
Third-party domains contacted
dataplane.rum.{region}.amazonaws.com
cognito-identity.{region}.amazonaws.com
client.rum.us-east-1.amazonaws.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cwr_s | localStorage | Session | CloudWatch RUM session identifier stored in browser localStorage. Used to associate RUM events with a single session. |
| cwr_u | localStorage | Persistent (until cleared) | CloudWatch RUM anonymous user identifier stored in browser localStorage. Used to deduplicate users across sessions. |
By default, no. CloudWatch RUM uses localStorage to persist a session ID (cwr_s, cwr_u) instead of a cookie. No third-party cookies are set. Note that localStorage access still triggers ePrivacy Article 5(3) and requires consent in most cases.
Yes in most cases. The localStorage session ID falls under ePrivacy Article 5(3) and Section 25 TDDDG, which require prior consent unless a strict audience measurement exemption applies. The data processing requires a GDPR Article 6 legal basis: consent by default, legitimate interest only for aggregated monitoring with IP minimisation and no session replay.
Consent (Article 6(1)(a) GDPR) is the safer default. Legitimate interest (6(1)(f)) can be invoked only for strictly aggregated, IP minimised performance monitoring without session replay, supported by a documented balancing test.
Not by default if you choose an EU region (Frankfurt, Ireland, Paris, Stockholm). Data stays in the selected AWS region. If you select a US region or enable cross-region replication, the AWS DPA and the EU-US Data Privacy Framework (AWS is DPF certified) cover the transfer.
Not for basic, aggregated performance monitoring with IP minimisation. A DPIA is recommended or required when session replay is enabled, when sensitive personal data is monitored, or when large scale custom event tracking is performed (Article 35 GDPR).
Choose an EU region, enable IP anonymisation, disable session replay unless you collect explicit consent, gate the SDK behind your CMP, restrict IAM permissions, sign the AWS DPA, and document the processing in your Article 30 record. Limit retention of RUM events.
Yes: Sentry (with EU region), Datadog RUM (with EU region), Raygun (with EU hosting), New Relic (with EU region), and self-hosted options like GlitchTip or PostHog. Matomo offers basic Web Vitals tracking on EU infrastructure.
Mention CloudWatch RUM as a processor (AWS), describe the localStorage session ID with purpose, retention and AWS region, explain the legal basis (consent or legitimate interest), and provide a way for users to withdraw consent and delete the local storage entry.