Consent and sensitive data



This brand-new API replaces the old consent API. It is enabled by default in projects created after the 1st of April 2022. If your project was created prior to this date, please refer to the migration guide. There is an ongoing transition period until the 1st of June 2022 during which you should migrate to the new API. After this period, the old API will no longer work and any call to it will only show a warning with a link to this documentation.

Your project's consent version can be found in the project detail (screenshot below).
The changes to the personal data collection settings between consent version 1 and consent version 2 are shown in the screenshot below.

[Screenshot: Project detail with consent version]

[Screenshot: Personal data collection settings (consent v1 and consent v2)]

This section covers our API for handling sensitive data. It is especially useful when you want control over which data is recorded. Our Web SDK is written with a privacy-first approach, so we do not record any potentially sensitive data by default. This means that inputs, IP addresses, on-page emails and numbers are not recorded unless you enable them explicitly via the record API.



By default, no sensitive data are recorded

You most likely need to get visitors' consent first before enabling recording of sensitive data.

We divided sensitive data handling into four categories: form inputs, IP addresses, emails and numbers. Each category can be treated separately. This gives you fine-grained control over which data you want to be recorded. Please keep in mind that before enabling recording of any category you probably need to get consent from the visitor first, depending on which jurisdiction you are in. You can read more about it on our Terms of Service page.

Record API

The record API allows you to control recording of form inputs, IP addresses, emails and numbers individually. The following subsections explain how to use it correctly.


Quick tip!

If you use Google Tag Manager to insert the Smartlook script, you can include this API call and any others there too. There is no need to change your webpage source code.

Form inputs

The forms option covers all interactive form elements such as <input />, <select /> or <textarea />. These elements do not necessarily need to be within <form /> to be recorded. Sensitive inputs such as passwords are never recorded, even if recording of forms is enabled. Instead, the recording shows a typing animation to indicate user interaction with that particular field. If you have more elements you want to mask or not record at all, you can always use our data attributes API.

To start recording form inputs on your website use record with { forms: true }.

smartlook('record', { forms: true })

To stop recording form inputs on your website use record with { forms: false }.

smartlook('record', { forms: false })

IP address

IP address recording allows us to store the customer's IP address, which can be used, for example, in filtering later on. Please note that once IP address recording is enabled, it cannot be stopped again.

Use record with the { ips: true } attribute to start recording of the IP address.

smartlook('record', { ips: true })


Emails

Use record with the { emails: true } or { emails: false } attribute to start or stop recording of emails on the page.

smartlook('record', { emails: true })
smartlook('record', { emails: false })


Numbers

Use record with the { numbers: true } or { numbers: false } attribute to start or stop recording of all numbers. If numbers are not recorded, we replace them with wildcards (*). This option is especially effective if you do not want to record telephone numbers, social numbers and so on.

smartlook('record', { numbers: true })
smartlook('record', { numbers: false })

Combining calls

All the calls can be combined. You can also specify only a subset of the fields. Fields that are not specified stay untouched.

smartlook('record', { forms: true, numbers: true, emails: false, ips: true })
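One way to drive a single combined record call from a visitor's consent choices, as an added example that is not part of the Smartlook documentation. The consent object shape, the state object and the helper names (buildRecordOptions, applyConsent) are assumptions made for this example; only the 'record' call and its forms, ips, emails and numbers fields come from this page.

```javascript
// Categories the record API handles, as listed on this page.
const CATEGORIES = ['forms', 'ips', 'emails', 'numbers'];

// Build the options object for one combined record call.
// `consent` is a hypothetical object from your consent banner, e.g. { forms: true }.
function buildRecordOptions(consent, ipsAlreadyEnabled) {
  const options = {};
  for (const key of CATEGORIES) {
    // Only explicit booleans count. Missing or malformed values are omitted,
    // so the category stays untouched (and is off by default).
    if (typeof consent[key] !== 'boolean') continue;
    if (key === 'ips') {
      // IP recording cannot be stopped once enabled: send `true` at most once
      // and never rely on `ips: false` to undo it.
      if (consent.ips && !ipsAlreadyEnabled) options.ips = true;
      continue;
    }
    options[key] = consent[key];
  }
  return options;
}

// Apply consent through the given smartlook function and track IP state.
// `state` is a hypothetical per-visitor object: { ipsEnabled: boolean }.
function applyConsent(smartlookFn, consent, state) {
  const options = buildRecordOptions(consent, state.ipsEnabled);
  if (Object.keys(options).length > 0) smartlookFn('record', options);
  if (options.ips) state.ipsEnabled = true;
  if (typeof consent.ips === 'boolean') {
    // A withdrawal after enabling cannot be honoured by the record API;
    // flag it so the site can handle it by other means.
    state.ipsWithdrawn = state.ipsEnabled && !consent.ips;
  }
  return options;
}

// In the browser: applyConsent(window.smartlook, consentFromBanner, state)
```

Because IP recording is one-way, ask for that category only when the visitor's choice is final for the session.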

Migration guide

If you use the old consent API, migration to the new record API is pretty seamless. The old consent API will be cut off on the 1st of June 2022. After that, any calls to this API will only print a warning to the console.

As you can see in the example below, there is no equivalent for the consentAPI call in the new record API. Consent for identifying via API is implicitly given once you call the identify API, assuming you enabled the identify API in the project settings in our application.

Old calls:

smartlook('consentForms', 'consent given')
smartlook('consentIP','consent given')
smartlook('consentAPI', 'consent given')

New call:

smartlook('record', { forms: true, ips: true, api: true })

If you used to have numbers and emails recording enabled in your application, you now need to enable it explicitly here.

smartlook('record', { forms: true, emails: true, ips: true, numbers: true })
