Ensuring Compliance with use of VWO Insights
Welcome to the VWO Compliance Guide for VWO Insights – Session recordings, a detailed resource designed to empower our valued customers with actionable steps for ensuring privacy and legal adherence when using VWO Insights for visitor user session recordings. As a responsible Data Processor, VWO is committed to providing support for your compliance efforts under data protection laws such as GDPR, CCPA, PIPEDA, and more. This guide covers essential information, offering an exhaustive compliance checklist, in-depth considerations, and additional details to help you navigate the complex legal landscape especially when it comes to visitor user session recordings.
We at VWO owe our growth to our customers and building their trust is our top priority. We understand the importance of data in today’s ever-evolving digital landscape and its significance to our customers’ operations and thus, keeping it secure and compliant is paramount to us.
Recent legal actions highlight the critical importance of meticulous compliance with privacy laws when employing session replay software. The main reason behind these lawsuits is not the "session replay software" itself but the lack of a "legitimate ground for processing of personal data" and non-adherence to privacy principles, typically Articles 5 and 6 of the GDPR in the case of the EU and UK. It is mandatory to have a legitimate ground for the processing of personal data and to adhere to privacy principles while using session recordings. Consent is the legitimate ground in this case, and it is mandatory for all data controllers to show all data subjects a cookie notice and a privacy notice and to obtain the data subject's consent for this processing.
To fortify your position and ensure the utmost protection for both your users and your organization, consider the following detailed guidelines:
1. Understand Your Role:
- Recognize your role as the Data Controller while VWO acts as the Data Processor.
- Understand the distinct responsibilities and obligations associated with each role.
2. Privacy Notice and Consent:
- Craft a detailed privacy notice on your website addressing the use of VWO Insights and session recording feature.
- Implement a robust consent mechanism ensuring users are informed and have the option to opt-in or opt-out of session recordings through cookie consent mechanism.
- Users/Visitors can also opt out directly from the VWO website with a single click; please refer to https://vwo.com/opt-out/
3. VWO Terms and DPA:
- Thoroughly review and understand VWO’s Terms of Service (VWO Terms) and Data Protection Addendum (VWO DPA).
- Ensure your practices align with the contractual obligations outlined in these documents.
4. Default Anonymization Settings:
- By default, VWO anonymizes all key presses to avoid storing or transmitting any personal or sensitive data to VWO servers.
- For this, the "Anonymize all key presses" option in Recordings > Settings > Configuration is checked by default. VWO will anonymize the following fields to avoid transmitting your personal data through VWO servers: passwords, and three consecutive digits of phone numbers, credit card numbers, social security numbers, and CVVs.
- Confirm that the “Anonymize all key presses” option in Recordings > Settings > Configuration is enabled.
- Understand the nuances of default anonymization, including the masking of sensitive information such as passwords and numeric sequences.
5. Anonymization of Non-Input Fields:
- Understand the impact of anonymization on different types of non-input data.
- Despite the default setting for anonymizing keystrokes, you can provide additional protection by masking certain non-input fields where personal data could be visible, for example the order summary, the checkout page, and others. There are two ways to anonymize such non-input fields.
Anonymization can be done by the owner and admins of the account, and whitelisting can only be done by the owner.
For complete details and procedures, refer to the KB article hosted at https://help.vwo.com/hc/en-us/articles/360019733813-How-to-secure-your-visitors-data-in-VWO-Session-Recordings-
6. Regular Review and Update:
- Establish a periodic review process for privacy practices and session recording configurations.
- Stay informed about updates to VWO features and adapt your configurations to align with evolving legal requirements.
- Establish a comprehensive review schedule, encompassing not only session recording configurations but also broader privacy practices.
- Engage your internal security and privacy teams to conduct thorough audits, ensuring a holistic approach to compliance.
- Clearly explain the benefits of session recordings and how they contribute to an improved user experience.
8. Consent and Cookies:
- Implement granular consent options, allowing users to choose the specific types of data they are comfortable sharing.
- Ensure compliance with applicable laws like PECR and GDPR by taking cookie consent for session recordings. Refer to the cookies stored by VWO (VWO Cookies) for detailed information.
- To comply with data protection policies, it is necessary to obtain the visitor's consent before deploying any cookies or trackers to process their data. For this, you may be using third-party consent management tools such as OneTrust, Usercentrics, etc. VWO communicates with cookie consent managers via a callback when the visitor accepts or rejects the cookie, allowing you to run the SmartCode only on the basis of valid consent.
- For more details, please refer to https://help.vwo.com/hc/en-us/articles/4402914949401-Executing-VWO-SmartCode-on-Valid-Consent
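The consent gate described in sections 2 and 8 above (opt-in before any session-recording script runs, driven by the consent manager's callback) can be implemented as shown below. This is an added illustration, not VWO's own SmartCode or any consent manager's API: the consent payload shape (`{ analytics: true }`), the category name, the `onCmpConsentChange` hook name and the script URL are all assumptions or placeholders; substitute your consent manager's real callback and the SmartCode snippet from your VWO account.

```javascript
// Added example: load a session-recording script only after the visitor has
// granted consent, and never more than once. Not VWO or CMP code.

// Assumed consent-manager category under which session recordings fall.
const RECORDING_CATEGORY = "analytics";

// Decide from a CMP consent payload whether the recording script may run.
// Anything other than an explicit boolean true is treated as "no consent",
// so a missing decision (page load before the banner is answered) withholds.
function recordingAllowed(consent) {
  if (!consent || typeof consent !== "object") return false;
  return consent[RECORDING_CATEGORY] === true;
}

// Build a callback for the CMP. `injectScript` is injected as a dependency so
// the gating logic can be exercised outside a browser; in the page it appends
// a <script> tag. Returns a status string so callers (and tests) can observe
// what happened without inspecting the DOM.
function createConsentGate(injectScript, scriptUrl) {
  let loaded = false;
  return function onConsentChange(consent) {
    if (loaded) return "already-loaded";      // consent re-confirmed: nothing to do
    if (!recordingAllowed(consent)) return "withheld"; // rejected or undecided
    injectScript(scriptUrl);
    loaded = true;
    return "loaded";
  };
}

// Browser-side script injection (only meaningful where a DOM exists).
function browserInject(url) {
  const s = document.createElement("script");
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// Wiring for the page: the CMP is assumed to call window.onCmpConsentChange
// with the visitor's current choices whenever they accept or reject.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const gate = createConsentGate(
    browserInject,
    "https://example.invalid/placeholder-smartcode.js" // placeholder URL
  );
  window.onCmpConsentChange = gate;
}
```

Because the gate withholds on a missing or malformed payload, a consent manager that fires its callback before the banner has been answered cannot accidentally start recording; the script is injected exactly once, on the first callback that carries an explicit opt-in.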
9. Limited Access:
- Implement robust access controls, ensuring that only individuals with a legitimate need can access and modify session recording configurations.
- Conduct regular access reviews to prevent unauthorized personnel from gaining access to sensitive data.
- All users in a VWO account are assigned an access level that determines the actions they can perform in the account. As an account owner or administrator, you can change the access level of a user at any point in time. Refer to https://help.vwo.com/hc/en-us/articles/360019594133-Modifying-the-Access-Permission-of-a-User for modifying, granting, or revoking any user's access permission.
By meticulously adhering to these procedures and guidelines and regularly reviewing and adapting your practices, you can ensure the responsible and compliant use of VWO Insights. This not only safeguards your users but also strengthens your organization’s credibility in the digital realm. Remember, your commitment to privacy is a testament to your organization’s dedication to user trust and legal integrity.
- This checklist and these procedures only act as a friendly guide and not as legal advice to our clients. It is advisable that clients check with their in-house DPO/Compliance team/Attorney for legal advice.
- Wingify and VWO team shall not be responsible for notifying any client about any update in the legal regime or any additions in their region-specific legal requirements.
- Wingify and VWO team shall not be liable in case of any non-adherence by the client to regional/sectoral law of the client's jurisdiction, as this guide is generic in nature and does not cover regional/sectoral compliance requirements.
- Showing privacy notice and taking user consent is the responsibility of VWO’s customer as the same is mentioned under 3.4 of the VWO terms hosted at VWO Terms and 2.2 of the VWO DPA hosted at VWO DPA