FullStory is a US-based digital experience intelligence platform that captures complete session recordings of every user interaction — mouse movements, clicks, scrolls, rage clicks, and navigation paths. It provides heatmaps, funnel analysis, and AI-powered search across all recorded sessions. Under GDPR and CNIL guidelines, session recording at individual level is high-risk processing requiring mandatory consent, comprehensive input masking, and ideally a DPIA. FullStory offers EU data residency for enterprise customers.
FullStory is a digital experience intelligence platform that captures a pixel-perfect replay of every user session — recording the complete DOM state at every moment so teams can replay exactly what any individual user saw and did on their website or application. It provides session search and filtering, funnel analysis across recorded sessions, error detection, rage click tracking, heatmaps, and AI-powered insights that surface behavioural patterns across millions of sessions. FullStory is used by enterprise product, UX, and customer experience teams.
FullStory captures every interaction of every user by default. Unlike sampling-based tools, it aims for complete session capture. This means FullStory creates an individual-level behavioural record for every single visitor, constituting large-scale systematic monitoring under GDPR. The CNIL and multiple European DPAs have specifically flagged session replay tools as requiring consent, careful masking, and in many cases a DPIA.
FullStory provides privacy controls including element exclusion (fs-exclude class), text masking (fs-mask), and page exclusion. Configure these comprehensively: exclude all text input fields by default, mask all personally identifiable content, exclude authenticated user areas and payment pages, and apply fs-unmask only to explicitly approved non-sensitive elements. The default FullStory configuration is not GDPR-safe without these protections applied.
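A pre-deployment check for the masking policy described above, as an added example that is not FullStory's or this page's own code: it scans an HTML template and reports form fields that are not under `fs-exclude`, plus `fs-unmask` elements missing from an approved list. It assumes the nearest annotated element (the element itself, then its ancestors) decides which control applies; the function names, the allowlist and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

FIELD_TAGS = {"input", "textarea", "select"}
BUTTON_TYPES = {"submit", "button", "reset", "image"}
VOID_TAGS = {"input", "br", "img", "hr", "meta", "link"}
PRIVACY_CLASSES = ("fs-exclude", "fs-mask", "fs-unmask")

class PrivacyAudit(HTMLParser):
    def __init__(self, approved_unmask_ids=()):
        super().__init__()
        self.approved = set(approved_unmask_ids)
        self.stack = []     # open elements: (tag, privacy class in effect)
        self.findings = []  # (line, kind, tag, id-or-name)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        own = next((c for c in PRIVACY_CLASSES if c in (a.get("class") or "").split()), None)
        # Assumption: the nearest annotated element (self, then ancestors) wins.
        state = own or (self.stack[-1][1] if self.stack else None)
        where = (self.getpos()[0], tag, a.get("id") or a.get("name") or "?")
        if own == "fs-unmask" and a.get("id") not in self.approved:
            self.findings.append((where[0], "unapproved-unmask") + where[1:])
        is_field = tag in FIELD_TAGS and (a.get("type") or "").lower() not in BUTTON_TYPES
        if is_field and state != "fs-exclude":
            self.findings.append((where[0], "field-not-excluded") + where[1:])
        if tag not in VOID_TAGS:
            self.stack.append((tag, state))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:  # pop back to the matching open tag
                del self.stack[i:]
                break

def audit(html, approved_unmask_ids=()):
    parser = PrivacyAudit(approved_unmask_ids)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample template, not taken from any real site.
SAMPLE = """<form class="fs-exclude" id="checkout">
  <input name="card_number">
  <p class="fs-unmask" id="promo-banner">Free shipping</p>
  <p class="fs-unmask" id="order-summary">Order for J. Doe</p>
</form>
<div class="fs-mask"><textarea name="support_message"></textarea></div>
<input type="search" name="q"> <input type="submit" value="Go">"""
if __name__ == "__main__":
    print(*audit(SAMPLE, approved_unmask_ids={"promo-banner"}), sep="\n")
```

A template audit like this complements, and does not replace, verifying the masking in a recorded test session.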
FullStory offers EU data residency for enterprise customers. For standard deployments, all session recordings are processed on US infrastructure requiring SCCs. Sign the FullStory DPA and SCCs. Request EU data residency if processing large volumes of EU user sessions. Disclose FullStory in your privacy policy and cookie banner.
Conduct a DPIA before deployment. Block FullStory via CMP until consent. Configure fs-exclude on all input fields and sensitive elements. Exclude authenticated pages and payment flows. Sign DPA and SCCs. Apply recording retention limits. Implement FullStory User Privacy API for erasure requests. Consider EU data residency for enterprise deployments.
Websites using FullStory must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is strongly recommended for FullStory deployments. Session recording all website or app users at individual level constitutes large-scale systematic monitoring — one of the explicit DPIA triggers under GDPR Article 35. Complete the DPIA before go-live and document data masking measures.
Sample consent text
We use FullStory to record and analyse how you use this website or application. This includes recording your mouse movements, clicks, and navigation. You can decline this recording below without affecting your ability to use our service.
Third-party domains contacted
fullstory.com, rs.fullstory.com, edge.fullstory.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| fs_uid | persistent | 1 year | FullStory user session identifier enabling individual session recording and replay |
| _fs_ses.prv | session | Session | FullStory session tracking cookie grouping interactions within a single recorded session |
Yes. FullStory records every user session and sets tracking cookies. This is high-risk processing requiring opt-in consent before the FullStory script loads. Block FullStory via your CMP until analytics consent is explicitly given.
FullStory captures mouse movements, click positions, scroll depth, text input interactions (unless masked), page navigation, and rage clicks. It creates a complete visual replay of the user's session from the state of the DOM at each moment.
Add the fs-exclude CSS class to all sensitive elements. Use fs-mask on text content. Apply _fs_run_in_iframe: false for embedded content. Exclude sensitive pages entirely. Test using FullStory's privacy tab in the Live Sessions tool to verify masking works correctly.
Yes. Recording all users at individual session level constitutes large-scale systematic monitoring — a specific DPIA trigger under GDPR Article 35. Complete the DPIA before deploying FullStory on any EU-facing product.
Yes, for enterprise customers. Contact FullStory to enable EU data residency. Standard deployments use US infrastructure requiring SCCs. Request EU residency if your compliance requirements mandate EU-only processing.
Consent only. The CNIL specifically requires consent for session replay tools. Legitimate interest cannot justify recording every individual user session across an entire website or application.
Use the FullStory User Privacy API to delete sessions associated with a specific user identity. Submit deletion requests programmatically. FullStory processes requests and removes sessions from its systems. Document all deletions for compliance records.
Hotjar (EU region available), Microsoft Clarity (US, requires SCCs), and Contentsquare (French, DPIA required) are the main alternatives. All session replay tools require consent and careful masking — FullStory's advantage is its depth of search and analysis capabilities.