Dynatrace Real User Monitoring is a JavaScript agent injected by Dynatrace OneAgent that captures page performance, JavaScript errors, user actions, Core Web Vitals and optional session replay across web and mobile applications.
Dynatrace Real User Monitoring is the front-end observability component of the Dynatrace platform. It runs as a JavaScript agent named ruxitagentjs that is either auto-injected by the server-side Dynatrace OneAgent or added manually to a page. Once loaded, it measures page load and route change timings, JavaScript and AJAX errors, Core Web Vitals, individual user actions such as clicks and form submits, third-party resource performance and IP-based geolocation. Optional session replay captures a reconstructed rendering of the user session. Dynatrace is provided as a SaaS service from clusters in the EU, the United States, APAC and AU, or as a self-managed Dynatrace Managed deployment.
The agent collects technical and behavioural data: full URL, referrer, page title, navigation and resource timings, JavaScript exceptions, AJAX endpoints, browser and operating system, screen resolution, connection type, IP address (used for geolocation and bot detection) and a persistent visitor identifier. With session replay enabled, it also captures DOM mutations, mouse movements and input events. By default Dynatrace sets cookies including dtCookie (session correlation), rxVisitor (long-lived visitor id), rxvt (session expiry), dtPC (page context), dtLatC (latency) and dtSa (session attributes). A cookieless mode is available but reduces some session correlation features.
Because the agent is loaded on the user device and reads or writes information stored there (cookies, local storage, browser characteristics), it falls within Article 5(3) of the ePrivacy Directive and the national rules implementing it, including the French CNIL guidelines and the German TDDDG. The personal data processed (IP address, persistent visitor cookie, behavioural traces, optional session replay content) brings the activity within the GDPR. Risks include re-identification of users from the combination of visitor id and behavioural signals, accidental capture of special category data through session replay, and lack of transparency when RUM is bundled with broader OneAgent deployments.
For the default RUM configuration, and in any deployment that uses session replay, captures user actions or enriches profiles, prior informed consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy is the safe legal basis. Some controllers rely on legitimate interest under Article 6(1)(f) GDPR for strictly anonymised performance monitoring (no session replay, masked IP, no persistent identifiers), but this requires a documented balancing test and remains contested by several supervisory authorities. Consent must be granular, freely given, as easy to withdraw as to give, and the script must be blocked until the user accepts.
Data may flow to the EU, US, APAC or AU SaaS clusters depending on the tenant region. US transfers rely on Standard Contractual Clauses and on Dynatrace certification under the EU-US Data Privacy Framework. To deploy compliantly, choose an EU tenant when possible, enable IP masking, mask input fields in session replay, exclude sensitive pages, shorten retention, use cookieless mode where feasible, integrate Dynatrace RUM into your Consent Management Platform so the agent only loads after consent, sign a Data Processing Agreement with Dynatrace, list cookies and domains in the cookie policy, and document the lawful basis analysis.
Websites using Dynatrace RUM must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Dynatrace RUM is deployed on public-facing or employee-facing applications, especially with session replay or user action capture enabled. Assess the categories of personal data collected (IP address, device fingerprint, click and form interaction streams, performance traces tied to a persistent visitor cookie), the retention period configured at tenant level, the geographic location of the SaaS cluster, the use of session replay (which can capture form inputs, identifiers and even special category data), and the risk of re-identification through correlation of visitor id, IP and behavioural signals. Document mitigations such as IP masking, cookieless mode, exclusion rules for sensitive pages, masking of input fields in session replay, shortened retention and an EU tenant.
Sample consent text
We use Dynatrace Real User Monitoring to measure page performance, detect JavaScript errors and, where enabled, record anonymised session replays. Dynatrace sets cookies such as dtCookie and rxVisitor and may transfer technical data to Dynatrace servers in the EU or the United States. Click Accept to allow Dynatrace RUM, Reject to load only strictly necessary monitoring, or Preferences to choose.
Third-party domains contacted
dynatrace.com, cdn.dynatrace.com, live.dynatrace.com, bizops.dynatrace.com, ruxit.com, js-cdn.dynatrace.com, sprig.dynatrace.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| dtCookie | first_party | session | Session correlation cookie linking RUM beacons of the same browser session for performance and error monitoring |
| rxVisitor | first_party | 1 year | Persistent visitor identifier used to recognise returning visitors across sessions for RUM analytics |
| rxvt | first_party | 30 minutes | Session timeout marker used to detect when a RUM session ends and a new one begins |
| dtPC | first_party | session | Page context identifier used to correlate user actions and resources with the current page view |
| dtLatC | first_party | session | Latency cookie used to measure the round trip time between browser and backend for performance analysis |
| dtSa | first_party | session | Session attributes cookie carrying RUM specific tags such as application and tenant identifiers |
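
To verify that the agent really stays blocked until consent, the cookie names and domains listed above can be turned into an automated pre-consent check. The following is an added example, not Dynatrace or FlowConsent code; the snapshot shape, the `shop.example` host and all sample values are constructed assumptions.

```javascript
// Added example. Cookie names and domains are the ones this page lists; exact
// cookie names can vary with OneAgent version and tenant configuration.
const DT_COOKIES = ["dtCookie", "rxVisitor", "rxvt", "dtPC", "dtLatC", "dtSa"];
const DT_DOMAINS = ["dynatrace.com", "ruxit.com"]; // subdomains match by suffix

// Extract cookie names from a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString.split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// True for a listed domain or any subdomain of it, but not for lookalikes
// such as "notdynatrace.com".
function isDynatraceHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return DT_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// snapshot = { consent: boolean, cookies: string, requests: string[] }
// Returns every Dynatrace RUM artifact observed while consent is absent.
function auditSnapshot(snapshot) {
  const findings = [];
  if (snapshot.consent) return findings; // after opt-in these are expected
  for (const name of cookieNames(snapshot.cookies)) {
    if (DT_COOKIES.includes(name)) findings.push({ type: "cookie", value: name });
  }
  for (const url of snapshot.requests) {
    let host = "";
    try { host = new URL(url).hostname; } catch { /* relative URL: no host */ }
    // An auto-injected agent can be served from the site's own origin, so the
    // agent file name is checked as well as the third-party hosts.
    if (isDynatraceHost(host)) findings.push({ type: "request", value: host });
    else if (/ruxitagentjs/i.test(url)) findings.push({ type: "agent", value: url });
  }
  return findings;
}

// Constructed sample: what a browser test might record before the banner is answered.
const beforeConsent = {
  consent: false,
  cookies: "lang=en; dtCookie=constructed-1; rxVisitor=constructed-2; cmp=pending",
  requests: [
    "https://shop.example/assets/app.js",
    "https://shop.example/ruxitagentjs_constructed.js",
    "https://js-cdn.dynatrace.com/constructed-tag.js",
    "https://notdynatrace.com/pixel.gif",
  ],
};
console.log(auditSnapshot(beforeConsent));
```

An empty result for a pre-consent snapshot is the pass condition; any finding means the Consent Management Platform integration is not holding the agent back.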
By default Dynatrace sets dtCookie (session correlation), rxVisitor (persistent visitor id), rxvt (session expiry), dtPC (page context), dtLatC (latency) and dtSa (session attributes). Exact names depend on the OneAgent version and tenant configuration. Cookieless mode removes most of them but limits session correlation.
Yes for the default configuration, for session replay, user action capture and any profile enrichment. The script reads and writes cookies on the device, so Article 5(3) ePrivacy applies. The agent should remain blocked until the user grants consent in your Consent Management Platform.
Consent under Article 6(1)(a) GDPR is the safe basis for full RUM. Legitimate interest under Article 6(1)(f) GDPR is sometimes argued for strictly anonymised performance monitoring without session replay or persistent identifiers, but it requires a documented balancing test and is contested.
It depends on the tenant region you select. An EU SaaS tenant keeps data in Frankfurt or Ireland. US, APAC, AU tenants and Dynatrace Managed deployments may transfer personal data to the United States or other regions under Standard Contractual Clauses and the EU-US Data Privacy Framework.
A DPIA is strongly recommended when session replay, user action capture or large-scale monitoring of employees or consumers is enabled. Assess data categories, retention, tenant location, the role of session replay and the risk of re-identification through visitor id and behavioural signals.
Choose an EU tenant, enable IP masking, mask input fields in session replay, exclude sensitive pages, shorten retention, integrate the agent with your Consent Management Platform so it only loads after consent, sign a Data Processing Agreement and list cookies and domains in your cookie policy.
Alternatives include New Relic Browser, Datadog RUM, Splunk RUM, Akamai mPulse, Sentry, Raygun, Quantum Metric, Catchpoint and ContentSquare. Each has its own data model, hosting regions and pricing, so the privacy assessment and DPIA should be redone for any replacement.
List the dtCookie, rxVisitor, rxvt, dtPC, dtLatC and dtSa cookies with purpose and duration, mention the relevant Dynatrace domains (dynatrace.com, live.dynatrace.com, ruxit.com), state the tenant region, the legal basis, the retention period and how users can withdraw consent.