Third-party web-analytics firms have long recorded session-replay data — collecting data on every keystroke, cursor movement, and other minute interaction between users and websites. These web-session recordings usually happen surreptitiously, with minimal if any disclosure to or consent from users.
As with virtually all creepy marketing tactics, session-replay scripts present a compliance risk under GDPR (which will be in effect by the time you read this). Princeton University researchers recently published a blog series analyzing data-collection abuses by popular user-tracking analytics firms — including unmasked and imperfectly masked transmission of personally identifying information (PII) in plaintext (including names, dates of birth, social security numbers, telephone numbers, email addresses, physical addresses, and even credit-card information) — and the inadvertent collection and transmission of user passwords.
These slipshod data-stewardship practices have obvious privacy and security implications — to say nothing of compliance with GDPR and other data-protection regulatory schemes. More problematic, however, is the inherent nature, reach, and power of web-session recording data.
“[T]ext typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user,” writes Princeton University doctoral student Steven Englehardt. “This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.”
And this is where hidden GDPR trouble lies for tracking firms and website operators alike.
Behavioral biometrics: How do you do?
In security, there are three traditional types of authentication factors for uniquely identifying an individual:
- Something you know — a password, a PIN, a combination, or the answer to a “secret question” (if your mother’s maiden name or your high-school mascot were ever a secret)
- Something you have — a security token, a smart card, an ID card or document, etc.
- Something you are — unique physiological biometric data, such as a fingerprint, a voiceprint, an iris, or a face.
There is a fourth factor* that is often left on the authentication sidelines: Something you do. Also known as behavioral biometrics, authentication based upon “something you do” is determined by how someone completes a given pattern or otherwise performs a given task. Automated data analytics long ago (in modern-tech terms) advanced to the point of being able to identify a person simply by the speed, rhythm, and general manner with which they type in their password, move their cursor, and otherwise interact with an interface or a network.
While behavioral biometrics do not get as much attention and are not as widely deployed as the “big three” authentication factors, they are old enough and prolific enough to have gotten the attention of European lawmakers. GDPR specifically defines biometrics as including both physiological biometric data and behavioral biometric data.
Behavioral biometrics and GDPR
This is important because of the way in which GDPR governs biometric data. Specifically, GDPR expressly bans (with some exceptions, most of which are of little to no general concern to marketers) the processing of “biometric data for the purpose of uniquely identifying a natural person”. While Recital 51 of GDPR clarifies that — as far as GDPR itself is concerned — biometric data may be incidentally collected and processed for non-identification purposes (for instance, just because a human face represents a biometric print does not necessarily mean that the mere processing of images of human faces for purposes having nothing to do with facial recognition is wholesale verboten), Article 9 of GDPR** explicitly dictates that individual EU member-states retain the power to regulate biometric-data processing even more strictly than GDPR requires.
Even in situations where the processing of biometric data is allowed, such data processors may be required to conduct a risk-impact assessment and/or implement enhanced safeguards of said data because of its unique impact on the rights and freedoms of data subjects.
All of this is to say that, where biometrically identifying data is concerned, marketers and others need to tread lightly.
More to the point, session-replay scripts may represent a ticking GDPR time bomb to the extent that they gather behavioral data (to say nothing of other latent GDPR violations). Whether the use of these scripts is to identify (or maintain/market the ability to identify) individual users by their keystroke cadences and cursor movements, or the collection of that behavioral data is incidentally collected and maintained with individuals’ other (already mishandled) PII as part of individual user records, firms that collect this behavioral data and their website-operator clients could well be found by European regulators to be processing “biometric data for the purpose of uniquely identifying a natural person” — in violation of GDPR.
To wit, session replay allows marketers the opportunity to uniquely and surreptitiously identify users by what they do and how they do it — and cross-correlate these behavioral biometrics with other PII collected via web forms. When abused in this fashion, session replay is pretty sleazy stuff. And, as I’ve written earlier, the fundamental precept of GDPR is that you’re going to have to stop doing sleazy marketer stuff. Consequently, analytics firms best clean up their act, and marketing teams who care about GDPR compliance would be well advised to audit their third-party partners.
*Some security experts additionally consider a fifth authentication factor: Somewhere you are (e.g., an IP address, GPS coordinates, etc). This consideration is beyond the scope of this article.
**Whereas articles are actual binding clauses, the recitals of a regulation are non-binding explanatory notes to aid in interpreting it.
Joe Stanganelli is an attorney, consultant, writer, and speaker. This article is provided for informational, educational, and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication, or affirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.