Use Pendo for Replay consent

Depending on your organization's policies and legal requirements, you might want to collect consent from your visitors before capturing their interactions with Session Replay. Pendo can help you accomplish this with guides and segments.

Note: If you’re already capturing visitors' consent, such as in a CRM or other third-party consent management tool, an Admin can add this consent as metadata in Settings > Data Mappings. If you choose to do this, skip Step 2 in this article and update your segment in Step 3 to instead use the appropriate visitor metadata value.

Step 1. Design the consent flow

Before you begin, ensure you understand your organization's policies and legal requirements. After you understand these requirements, consider the following guidelines:

  • Define your audience. Decide what makes your visitors eligible or ineligible for replay capturing.
  • Be clear and transparent. Clearly explain to visitors why their interactions are being captured and how their data will be used.
  • Make it easy to opt in or out. Provide clear options for visitors to consent or opt out of replay capturing.
  • Prioritize accessibility. Make sure that the guide is easily accessible and prominently displayed in your application.
  • Consider consent renewal needs. If your organization requires recollecting consent after a certain time period, repeat these steps to create a new guide and segment, then apply that new segment as your Session Replay audience.

Step 2. Create a guide

After you design the consent flow, create a guide that can serve as the consent mechanism.

  1. If you're not familiar with the steps required to create a new guide in Pendo, follow the instructions outlined in our Create a guide article.
  2. Add a poll to the end of your guide so that visitors can choose whether they opt in or out. For more information on polls, see Add guide content using building blocks.
  3. After you draft your guide, ensure that the guide functions as intended.
  4. We encourage you to get the language reviewed and approved by your legal or security team to ensure compliance with relevant regulations.

For example, here's one guide we used to allow visitors to opt out of replay capturing:

[Image: Guides_ReplayConsent.png]

Tip: If you'd like to give your visitors the option to update their poll response later on, add this guide to your Resource Center using the Guide List module. This allows visitors to easily access the guide if they want to make changes to their response.

Step 3. Create a segment

After you create a guide, create a segment using rules that align with the consent flow you designed in Step 1 of this article. This ensures that visitors who provide consent through the guide are appropriately included or excluded from replay capturing.

We recommend creating this as a custom segment on the Replay Settings page so that it can't be edited from other places within Pendo. You must be an Admin to access this page.

  1. Navigate to Settings > Subscription Settings > Applications, open an app from the list, and then select the Replay Settings tab.
  2. Find the Replay capture settings section, select Everyone (or the name of the segment that's already been selected), then hover over Custom Segment and select the edit icon to open the segment builder.
  3. Add any combination of rules that meets your company's definition of whether the visitor is eligible for replay capturing.
    • For example, to connect the poll response in the guide you created in the previous step, select Poll Response from the first dropdown menu, then select the name of the guide, poll, operator, poll response value, and time value from the subsequent dropdown menus.

      [Image: ReplaySettings_CustomSegment_ConsentGuide.png]

    • You can also add "OR" rules if eligibility depends on other metadata, such as region. Keep in mind that, while our API can return Google's remoteIP data point (with related country, region, latitude, and longitude) unless you block it, remoteIP might not be accurate and we don't recommend relying on it to meet your requirements.
    • For more information on segment rules, see Segments.
  4. When you're done adding rules, select Save Custom Segment. Select the blue checkbox next to the Custom Segment dropdown, and confirm your changes. Changes to your Session Replay audience can take up to 10 minutes to fully process.
  5. Validate the segment rules with your legal or security team, make any necessary changes, then apply this segment to the guide you created in the previous step. We recommend testing both the guide and segment with a smaller internal audience before pushing live to customers.

If a visitor consents to your guide and becomes eligible for replay capturing, their eligibility won’t change until they generate a page reload. This page reload can occur by refreshing their current page or navigating to a new page.

Step 4. Configure privacy settings and enable Replay

Before enabling Session Replay, it's essential to configure privacy settings to align with your organization's privacy standards and legal requirements.

  1. Configure privacy settings. See Session Replay privacy to learn how to choose the appropriate starting privacy configuration to mask sensitive data in replays and ensure compliance with privacy standards by refining privacy rules.
  2. Enable Replay. After you configure your privacy settings, follow the instructions in Enable Session Replay.

Before publishing your guide to your broader user base, ensure that replays function as expected and align with your company's privacy standards.

Step 5. Monitor and review replays

After Session Replay is turned on and capturing your visitors' interactions, it's crucial to regularly monitor and review replay activity to ensure ongoing alignment with privacy standards.

Here's how you can effectively manage and review replay activity:

  • Set up a schedule to monitor replay activity regularly, such as reviewing a sample of replays.
  • During your monitoring sessions, confirm that replays adhere to your organization's privacy standards and legal requirements. Review the masking of sensitive data, and ensure that privacy settings are applied correctly.
  • If needed, make use of the Do Not Process (GDPR) setting in the Details section of a visitor or account's details page. This setting allows you to prevent the collection of events for specific visitors or accounts, ensuring compliance with privacy regulations.