Smartlook

Session recording and heatmap tool used by product teams to watch how users navigate and interact with interfaces. Smartlook captures individual user sessions, tracks custom events, and generates click and movement heatmaps. Sets cookies to identify returning visitors across sessions.

Overview

Smartlook is a session recording, heatmap, and event analytics platform used by product teams and UX researchers to understand how real users interact with web interfaces. Acquired by Cisco in 2023, Smartlook integrates with web apps and mobile apps (iOS, Android, React Native, Flutter), capturing replays of individual user sessions alongside aggregated interaction maps. The tool is widely deployed on SaaS products, e-commerce stores, and marketing sites where teams want to diagnose usability problems or identify conversion drop-off points.

Session recordings capture the full rendered state of the browser DOM throughout a visit, including mouse movements, clicks, scroll behavior, keyboard input (with masking available for sensitive fields), and navigation between pages. Heatmaps aggregate interaction data from many sessions to show hot and cold zones across a page.

What This Script Does

Script loading: Smartlook injects a primary JavaScript snippet from rec.smartlook.com/recorder.js or web-sdk.smartlook.com, typically via a small initialization tag embedded in the site's <head>. The snippet is keyed to a project API key that links recordings to the customer's Smartlook account.

Cookies and storage:

  • SL_C_23361dd035530_SID — First-party session cookie, session duration, identifies the current recording session and links page views into a single replay.
  • SL_C_23361dd035530_KEY — First-party persistent cookie, up to 2 years, stores an anonymized visitor identifier used to stitch returning visitor sessions into a user journey timeline.
  • SL_GWPT_Show_Hide_tmp / localStorage entries — Used to manage recording state and suppress duplicate initializations.

Data collected per session:

  • Full DOM snapshot at page load and incremental mutations (MutationObserver-based) for replay reconstruction
  • Mouse pointer coordinates and velocity (mousemove events at ~50ms sampling rate)
  • Click targets, scroll depth, and rage-click detection
  • Network request URLs (not response bodies) for error correlation
  • JavaScript console errors and exceptions
  • Custom events tagged via smartlook.track() calls by the site operator
  • Device and browser metadata: user agent, viewport size, screen resolution, language, referrer URL, and timezone

Data masking: Smartlook supports input field masking via CSS classes (sl-hide, sl-mask) and global masking modes. Sensitive form fields should be masked before deployment to avoid recording personal data.

Data transmission: Recording data streams to manager.smartlook.com and associated API endpoints. Recordings are processed and stored in Smartlook's cloud infrastructure (AWS-hosted, EU region available).

Consent & Compliance

Smartlook falls under the analytics consent category.

  • GDPR/ePrivacy: Session recording requires explicit prior consent under Article 5(3) ePrivacy (cookies) and GDPR (behavioral profiling). Recordings may inadvertently capture personal data on screen (names, addresses, order details) even with input masking, heightening the disclosure obligation. Smartlook acts as a data processor; a Data Processing Agreement is available and required for GDPR compliance.
  • CCPA/CPRA: The persistent visitor identifier (SL_C_23361dd035530_KEY) and behavioral session data constitute personal information under CCPA. Businesses must disclose session recording in their privacy policy and honor opt-out requests.
  • Sensitive data risk: Without thorough masking configuration, recordings may capture health information, financial data, or other sensitive categories if users enter such data on recorded pages.

Should You Block This Without Consent?

Yes. Smartlook sets persistent visitor identification cookies and captures detailed session replay data including behavioral patterns across visits. These are non-essential analytics functions that require explicit consent before the recording script initializes.
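A pre-consent audit built from the domains and cookie names listed on this page, as an added example (not Smartlook's or ConsentStack's code): it flags Smartlook script hosts and SL_C_..._SID / SL_C_..._KEY cookies observed before analytics consent was granted. The shape of the observation object, the alphanumeric ID segment in the cookie pattern, and the sample values are assumptions.

```javascript
// Added example: flag Smartlook artifacts seen before analytics consent.
// Domains and cookie names come from this page; the input shape is assumed.
const SMARTLOOK_APEX = "smartlook.com";
// SL_C_<id>_SID (session) and SL_C_<id>_KEY (persistent visitor identifier)
const COOKIE_RE = /^SL_C_[0-9a-z]+_(SID|KEY)$/i;

// True only for smartlook.com and its subdomains (rec., web-sdk., manager.).
// Parsed hostnames are compared, so look-alikes such as
// "smartlook.com.cdn.example" or "notsmartlook.com" do not match.
function isSmartlookUrl(raw) {
  let host;
  try {
    host = new URL(raw, "https://placeholder.invalid").hostname;
  } catch {
    return false; // unparseable value: not a loadable script URL
  }
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return host === SMARTLOOK_APEX || host.endsWith("." + SMARTLOOK_APEX);
}

function classifyCookie(name) {
  const m = COOKIE_RE.exec(name);
  if (!m) return null;
  return m[1].toUpperCase() === "SID" ? "session" : "persistent-visitor-id";
}

// Returns one finding per Smartlook script or cookie observed without consent.
function auditPreConsent(obs) {
  if (obs.analyticsConsent === true) return [];
  const findings = [];
  for (const src of obs.scriptSrcs) {
    if (isSmartlookUrl(src)) findings.push({ kind: "script", value: src });
  }
  for (const name of obs.cookieNames) {
    const type = classifyCookie(name);
    if (type) findings.push({ kind: "cookie", value: name, type });
  }
  return findings;
}

// Constructed observation: a page load where the banner was never answered.
const sample = {
  analyticsConsent: false,
  scriptSrcs: ["https://rec.smartlook.com/recorder.js", "//web-sdk.smartlook.com/example.js",
    "https://smartlook.com.cdn.example/recorder.js", "/assets/app.js"],
  cookieNames: ["SL_C_23361dd035530_KEY", "SL_C_23361dd035530_SID", "session_id"],
};
console.log(auditPreConsent(sample));
```

In a browser, `scriptSrcs` can be filled from `document.scripts` and `cookieNames` from `document.cookie` before the banner is answered; any finding means the recorder initialized ahead of consent.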

Consent Categories

Analytics

Also Known As

Smartlook, session recording tool, heatmap analytics, Smartlook script, visitor replay

Industries

Programming and Developer Software, Computers Electronics and Technology

Tracked Domains (3)

  • smartlook.com (Analytics)
  • rec.smartlook.com (Analytics)
  • web-sdk.smartlook.com (Analytics)

Frequently Asked Questions

Do I need consent to run Smartlook on my site?

Yes. Smartlook is an analytics tool that sets persistent cookies to identify returning visitors and records full session replays including mouse movements, clicks, and scroll behavior. Under GDPR and ePrivacy, prior consent is required before the recording script initializes.

What cookies does Smartlook set?

Smartlook sets two key cookies: a session cookie (SL_C_..._SID) that links page views into a single replay, and a persistent cookie (SL_C_..._KEY) lasting up to 2 years that stitches returning visitor sessions into a user journey timeline.

How does ConsentStack handle Smartlook?

ConsentStack blocks Smartlook from loading until a visitor grants analytics consent. Once granted, the recording script initializes normally. Visitors who decline or ignore the banner never have their session recorded or their visitor ID cookie set.

Related Vendors

Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.

Google Analytics
Google Analytics is the world's most widely deployed web analytics platform. Scripts track page views, sessions, user demographics, traffic sources, and conversion events. Drops cookies to identify returning visitors and attribute user journeys across sessions.

Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.

Microsoft
Runs Clarity (session recording and heatmaps), the Microsoft Advertising UET tag (conversion tracking), and Bing's remarketing pixel. Clarity injects a recording script that captures mouse movements, clicks, and rage clicks. The UET tag fires conversion events to tie ad clicks to on-site actions across Microsoft's ad network.

Microsoft Dynamics 365
Microsoft Dynamics 365 is a suite of CRM and ERP applications that integrates with websites through tracking scripts and embedded forms. Web tracking code captures visitor behavior, page views, and form submissions to build customer profiles and score leads. Sets cookies to identify returning visitors and attribute marketing touchpoints across sessions.

LinkedIn Insight Tag
LinkedIn Insight Tag is a JavaScript tracking pixel for LinkedIn's advertising and analytics platform. The tag fires on every page view to collect URL, referrer, IP address, and device data for conversion tracking, website demographics reporting, and retargeting audience building. Sets cookies to identify LinkedIn members across advertiser websites.
