Data Security & Privacy for Digital Experience Analytics
About Data Security and Privacy
Qualtrics complies with applicable data privacy laws in its role as a data controller of its own data and as a data processor of customer data.
Specifically, Qualtrics is GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) compliant and provides technology that enables our customers to be compliant as well. Qualtrics is committed to keeping customer data secure and providing capabilities to help customers adhere to any data privacy and security regulations they may be subject to.
While Qualtrics provides technology that enables our customers to adhere to data privacy and security regulations, Qualtrics customers should seek their own legal advice as to how to comply with the relevant local regulations. For more information, see Qualtrics & GDPR Compliance.
This support page discusses how users can adhere to applicable data privacy and security regulations while using Digital Experience Analytics, in particular explaining the tools available to manage customer data and consent within Session Capture (also called Session Replay).
If you have additional questions about regulations and compliance, please reach out to Account Services or Qualtrics Support by logging into your Customer Success Hub.
Session Capture Enablement
Session capture is disabled by default. Even if you already have the Qualtrics JavaScript tag deployed on your live website for your Website Insights project, sessions will not automatically be captured. To begin capturing sessions, you need to enable session capture. See Session Capture for more information.
Data Encryption
Data encryption can be used to help maintain security of customer data. Customer data is encrypted in 2 ways within Digital Experience Analytics.
- Encryption in motion: Session replay data is captured on the customer side within a web session and is encrypted before being sent to the Qualtrics servers.
- Encryption at rest: Session replay data is encrypted before it is stored on the Qualtrics servers.
Data Masking
To avoid issues with data privacy, you can ensure sensitive information captured from your website users during a web session is masked. While using session replay, PII (Personally Identifiable Information) may be captured from your website users in several ways, including the following:
- Users may fill out sensitive information on a form such as their name, phone, or credit card details.
- Static fields on a page, such as a user’s account number, may reveal PII.
- Visitor details that you or your team added while configuring session replay may capture PII.
Attention: By default Qualtrics will not capture any PII from user input form fields. This data will only be added to session replay if it is explicitly configured by you or your team.
All input form fields will automatically be masked by default, but you can also mask the specific parts of your website that may capture PII. See Masking for more information.
Attention: Masking is not retroactive. Once a session has been captured, existing data will not be hidden if new masking rules are added. The only way to remove this data is to delete any sessions that contain it.
IP Address
By default, Qualtrics will not capture the IP address of your users as part of session replay capture. The only way it will be captured is if you explicitly add it within visitor details.
User Consent
One way to manage the user data you capture is by obtaining user consent before capturing any digital behaviors and user sessions. This setting is turned on by default in the Recording and consent section of session replay settings.
This option allows you to get consent from a user prior to recording their sessions. When this setting is selected, sessions will only be recorded when an API is called to start session replay. See Recording and Consent for more information.
Personal Data Requests
Many data protection regulations, such as GDPR, require enforcement of the rights of end users to their PII data. This may include the rights to access their data, have their data deleted, and more.
Within the Session Replay tab of your Website Insights project, you can access, filter for, and delete specific sessions as needed to comply with the relevant regulations. See Searching and Filtering User Sessions and Deleting User Sessions for more information.
Data Retention Policy
Qualtrics stores session recording data for 6 months and session metadata (such as frustration signals, time stamp, etc.) for 36 months. You cannot access session replays that are older than 6 months.
Digital Experience Analytics Legal FAQs
How can we set up consent management?
How does consent work for other website analytics features such as heatmaps and funnels? Is it the same as or different from screen recordings? Do we need to ask for consent for these specific aspects?
How can we delete website visitor information if requested?
Can we turn off the collection of IP addresses?
What documentation is available for data security and privacy for Digital Experience Analytics?
How does masking work?
Is masking retroactive?
What are the users' options for the consent question? Just yes/no?
Is Digital Experience Analytics HIPAA compliant?
What is the location (city/state/country) where our Data and Personal Data will be stored?