Skip to main content
Skip to article
  • Qualtrics Platform
    Qualtrics Platform
  • Customer Journey Optimizer
    Customer Journey Optimizer
  • XM Discover
    XM Discover
  • Qualtrics Social Connect
    Qualtrics Social Connect

Data Security & Privacy for Digital Experience Analytics

Was this helpful?


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The feedback you submit here is used only to help improve this page.

That’s great! Thank you for your feedback!

Thank you for your feedback!

About Data Security and Privacy

Qualtrics complies with applicable data privacy laws in its role as a data controller of its own data and as a data processor of customer data.

Specifically, Qualtrics is GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) compliant and provides technology that enables our customers to be compliant as well. Qualtrics is committed to keeping customer data secure and providing capabilities to help customers adhere to any data privacy and security regulations they may be subject to.

While Qualtrics provides technology that enables our customers to adhere to data privacy and security regulations, Qualtrics customers should seek their own legal advice as to how to comply with the relevant local regulations. For more information, see Qualtrics & GDPR Compliance.

This support page discusses how users can adhere to applicable data privacy and security regulations while using Digital Experience Analytics, in particular explaining the tools available to manage customer data and consent within Session Replay.

If you have additional questions about regulations and compliance, please reach out to your XM Success Manager or contact Qualtrics Support by logging into your Customer Success Hub.

Session Replay Enablement

Session replay is disabled by default. Even if you already have the Qualtrics Javascript tag deployed on your live website for your Website Insights project, sessions will not automatically be captured. To begin capturing sessions, you need to enable session replay within the Settings tab. See Session Replay Section for more information.

Data Encryption

Data encryption can be used to help maintain security of customer data. Customer data is encrypted in 2 ways within Digital Experience Analytics.

  • Encryption in motion: Session replay data is captured on the customer side within a web session and is encrypted before being sent to the Qualtrics servers.
  • Encryption at rest: Session replay data is encrypted before it is stored on the Qualtrics servers.

Data Masking

To avoid issues with data privacy, you can ensure sensitive information captured from your website users during a web session is masked. While using session replay, PII (Personal Identifiable Information) may be captured from your website users in several ways, including the following:

Attention: By default Qualtrics will not capture any PII from user input form fields. This data will only be added to session replay if it is explicitly configured by you or your team.
  • Users may fill out sensitive information on a form such as their name, phone, or credit card details.
  • Static fields on a page, such as a user’s account number, may reveal PII.
  • Visitor details that you or your team added while configuring session replay may capture PII.

All input form fields will automatically be masked by default, but you can also mask the specific parts of your website that may capture PII. See Masking for more information.

Attention: Masking is not retroactive. Once a session has been captured, existing data will not be hidden if new masking rules are added. The only way to remove this data is to delete any sessions that contain it.

IP Address

By default, Qualtrics will not capture the IP address of your users as part of session replay capture. The only way it will be captured is if you explicitly add it within visitor details.

One way to manage the user data you capture is by obtaining user consent before capturing any digital behaviors and user sessions. This setting is turned on by default in the Recording and consent section of session replay settings.

This option allows you to get consent from a user prior to recording their sessions. When this setting is selected, sessions will only be recorded when an API is called to start session replay. See Recording and Consent for more information.

Personal Data Requests

Many data protection regulations, such as GDPR, require enforcement of the rights of end users to their PII data. This may include the rights to access their data, have their data deleted, and more.

Within the Session Replay tab of your Website Insights project, you can access, filter for, and delete specific sessions as needed to comply with the relevant regulations. See Searching and Filtering User Sessions and Deleting User Sessions for more information.