Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Clicktale is a session replay, heatmap and behavioural analytics platform now integrated into Contentsquare following the 2019 acquisition. It records mouse movements, scrolls, form interactions and full visual replays of user sessions to help product teams understand digital experience. Because it captures behavioural data that can include sensitive form content, it is classified as a high risk analytics technology under the GDPR and requires user consent in the European Union.
Clicktale is a digital experience analytics platform created in Israel in 2006 and acquired by Contentsquare in 2019. The platform delivers session replay, mouse heatmaps, scroll maps, click maps, conversion funnels and form analytics. The Clicktale tag is progressively migrating to the Contentsquare Experience Analytics tag, with both legacy and unified integrations still seen in the wild on European websites.
Clicktale collects mouse coordinates, click events, scroll depth, viewport size, page URLs, referrer, User Agent, device type, browser, time on page, form field interactions (with optional masking) and a persistent visitor identifier stored in cookies. IP address is collected for geolocation and abuse detection. Session replays are reconstructed from DOM mutations rather than video, which still constitutes processing of personal data when combined with the visitor identifier.
Session replay falls under Article 5(3) ePrivacy because it relies on cookies and on reading information from the user terminal. It is also subject to the full set of GDPR obligations (lawful basis, transparency, data minimisation, security). EDPB and several national authorities (CNIL, ICO, AEPD, Garante) have explicitly classified session replay as high risk processing requiring prior informed consent, with an obligation to mask all sensitive inputs by default.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Consent is the lawful basis (Art. 6(1)(a) GDPR) and must be obtained before any tag fires. The Clicktale tag must therefore be gated behind your consent management platform. Data may be processed on Contentsquare EU infrastructure (Paris, Frankfurt) or US infrastructure (depending on contract); the US route requires Standard Contractual Clauses under Art. 46(2)(c) GDPR and a Transfer Impact Assessment.
A DPIA under Art. 35 GDPR is normally required for session replay deployments. Compliance checklist: gate the tag behind the CMP, configure aggressive input masking (treat all inputs as sensitive by default), exclude account, payment and authentication pages, set short retention periods, sign the Contentsquare Data Processing Addendum, select the EU region where possible, and update your privacy notice with a dedicated entry on session replay, including the controller and processor relationship and the user right to object.
Websites using Clicktale (Contentsquare) must obtain user consent under GDPR regulations.
DPIA considerations
Clicktale records mouse activity, clicks, scrolls, page navigation, form interactions and reconstructs full session replays of the user journey. Key DPIA considerations: (1) session recording is treated by EU regulators as high risk processing because it can inadvertently capture personal or sensitive form data (Art. 9 GDPR); (2) IP addresses and persistent visitor identifiers are collected, qualifying as personal data; (3) data may be transferred to Contentsquare US infrastructure unless the EU region is selected, triggering SCC and TIA obligations; (4) the technology can capture inputs the user did not intend to share, raising fairness and data minimisation concerns (Art. 5(1)(c) GDPR); (5) input masking and exclusion rules are mandatory technical safeguards but must be configured rigorously; a DPIA is normally required for any large scale or sensitive context deployment under Art. 35 GDPR.
Sample consent text
We use Clicktale, a Contentsquare service, to record anonymised replays of your visit, including mouse movements, clicks and scrolls. Sensitive form fields such as passwords and payment information are automatically masked. This data is used to improve the user experience and is processed by Contentsquare SAS in the European Union or by Contentsquare Inc. in the United States. You can withdraw your consent at any time through our cookie settings.
Third-party domains contacted
cdn.clicktale.netcollect.clicktale.nets.clicktale.nett.contentsquare.netd.contentsquare.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| WRUID | HTTP first party cookie | 12 months | Persistent Clicktale visitor identifier used to recognise returning visitors and stitch their sessions across visits. |
| WRUIDTIME | HTTP first party cookie | Session | Stores the timestamp of the visitor identifier creation, used internally for replay continuity. |
| _cs_id | HTTP first party cookie | 13 months | Contentsquare Experience Analytics visitor identifier used after the migration from the legacy Clicktale tag. |
| _cs_s | HTTP first party cookie | 30 minutes | Contentsquare session level cookie storing the current session metadata, used to reconstruct continuous replays. |
| _cs_c | HTTP first party cookie | 13 months | Stores the Contentsquare consent state synchronised with the cookie banner choices. |
Clicktale (Contentsquare) collects user analytics data — you legally need a consent banner. Try FlowConsent free.
Clicktale sets a persistent first party visitor cookie (WRUID or similar, up to 12 months) and session level cookies for replay continuity. Migrated tags may use the _cs_id, _cs_s and _cs_c cookies from Contentsquare Experience Analytics. All Clicktale cookies fall under Art. 5(3) ePrivacy and require consent.
Yes. Session replay is treated as high risk analytics by EU regulators, and all Clicktale cookies are non essential. Prior informed consent under Art. 5(3) ePrivacy and Art. 6(1)(a) GDPR is required before the tag fires.
Consent (Art. 6(1)(a) GDPR). Legitimate interest is generally not accepted for session replay because of the volume of data collected and the risk of capturing sensitive form content.
Possibly. Contentsquare operates EU and US data centers. EU customers should request EU only processing in the contract. Any residual US transfer is governed by Standard Contractual Clauses (Art. 46(2)(c) GDPR) and requires a Transfer Impact Assessment.
Yes, in practice. Session replay appears on the CNIL, AEPD and Garante DPIA lists. A formal Art. 35 GDPR assessment must address the risk of capturing sensitive content, mitigation through input masking, retention periods and user rights.
Gate the tag behind your CMP, treat all inputs as sensitive by default, exclude authenticated, payment and account pages, set short retention, sign the Contentsquare DPA, choose the EU region, and document the processing in your RoPA with a clear privacy notice section.
Alternatives include Contentsquare Experience Analytics (unified successor), Hotjar, Mouseflow, FullStory, LogRocket, Smartlook and OpenReplay (open source self hosted). All commercial session replay tools raise similar legal questions; OpenReplay offers full data residency control.
Add a dedicated entry for Clicktale (or Contentsquare Experience Analytics) listing the cookies, the data categories, the processor (Contentsquare SAS or Inc.), the retention period, the data transfer mechanism and a direct opt out via your consent management platform.