Consent and sensitive data



The new API is a replacement for an old consent API. By default, the new API is enabled in all projects created after April 1, 2022. If you created your project prior to this date, refer to the migration guide to migrate to the new API. The previous API is discontinued and shows a warning with a link to the documentation. Old projects were automatically migrated to the new API.

Project's consent version can be found in project detail (screenshot below).
Personal data collection settings changes from consent version 1 to consent version 2 can be seen at screenshot below.

Project detail showing Consent versionProject detail showing Consent version

Project detail showing Consent version

Personal data collection settings (consent v1 and consent v2)Personal data collection settings (consent v1 and consent v2)

Personal data collection settings (consent v1 and consent v2)

Because privacy is of the utmost priority to us and to you, Smartlook offers the Privacy API for handling sensitive data. The Privacy API is useful when you want to have control over which data is being recorded. The Smartlook WEB SDK is written with privacy-first in mind. Privacy-first means that no potentially sensitive data is recorded by default. Some data that is considered sensitive is form inputs, IP addresses, on-page emails, and numbers are not recorded unless you explicitly enable it via the record API.



By default, no sensitive data is recorded

Remember that you will most likely need to get visitor consent before enabling the recording of sensitive data.

We divided sensitive data handling into four categories - form inputs, IP addresses, email addresses, and numbers. Each category can be treated separately. This gives you granular control over which data you want to be recorded. Please keep in mind that before enabling the recording of any data category, you most likely need to get consent from your visitors, depending on which jurisdiction you are in. You can read more about it in our Terms of Service.

Record API

The Record API allows you to handle recording of form inputs, IP addresses, email addresses, and numbers individually. We will go over each of the data categories in the following subsections.


Quick tip!

If you use Google Tag Manager to insert the Smartlook script, then you can include this API call and any others also. There is no need to make changes to your website source code.

Form inputs

The forms option covers all interactive form elements such as <input />, <select /> or <textarea />. These elements do not necessarily need to be within <form /> to be recorded. Sensitive inputs such as passwords are never recorded, even if the recording of forms is enabled. Instead, in the session recording, we show a typing animation to indicate user interaction with that field. If you have more elements you want to mask or not record at all, you can always use our Privacy API.

To start recording form inputs on your website, use record with { forms: true }:

smartlook('record', { forms: true })

To stop recording form inputs, use record with { forms: false }:

smartlook('record', { forms: false })

IP address

Recording of IP addresses allows Smartlook to store customer IP addresses that can be used in filtering later. Please note that once IP address recording is enabled it cannot be disabled.

To record IP addresses, use record with { ips: true }:

smartlook('record', { ips: true })


To start or stop recording email addresses, use record with { emails: true } or { emails: false }:

smartlook('record', { emails: true })
smartlook('record', { emails: false })


If numbers are not recorded, Smartlook replaces them with wildcards (*). This option is especially effective if you do not want to record telephone numbers, identity numbers, etc.

To start or stop recording numbers, use record with { numbers: true } or { numbers: false }:

smartlook('record', { numbers: true })
smartlook('record', { numbers: false })

Combining calls

All of the previously mentioned calls can be combined. You can also specify only the subset of the fields. Fields that are not specified remain in the default state.

smartlook('record', { forms: true, numbers: true, emails: false, ips: true })

Migration guide

If you use the old Consent API, migration to the new Record API will be seamless. The older consent API no longer works as of June 1, 2022. Any calls to this API return a warning to console.

As you can see in the example below, there is no equivalent for the consentAPI call in the new Record API. If you enable the Identify API in your project settings, consent for identifying via API is implicitly given once you call identify API.

Calls from the previous Consent API:

smartlook('consentForms', 'consent given')
smartlook('consentIP','consent given')
smartlook('consentAPI', 'consent given')

Call from the new Record API:

smartlook('record', { forms: true, ips: true, api: true })

If you previously enabled the recording of numbers and email addresses, you need to explicitly call it in the Record API:

smartlook('record', { forms: true, emails: true, ips: true, numbers: true })

Did this page help you?