Sensitive data

From ClickTale Wiki
Jump to: navigation, search

ClickTale can be configured not to record data that is typed in certain fields. There are several methods to record a page without recording sensitive data such as credit card information or other personal details.

Customers on the Enterprise subscription level have additional options to protect sensitive and private information. Please contact a ClickTale Integration Specialist via our contact us form or inquire with your Account Manager.

Please note that according to our Privacy policy, password fields are not recorded by default and no action is required to prevent their recording.

Selecting Keystroke Recording in the Project

The owner of a ClickTale account can select whether they want to record keystrokes or not to record, for any project.

  • To access this option, use either of these two ways:
1) Under the Project name, click the Advanced Settings link.

Advanced Projects.png

2) In the project, choose from the menu Project Settings > Advanced Settings.
Advanced Inproject.png

  • In the Advanced Settings screen, you can check the box for Record Keystrokes for this project. The default is not to record keystrokes.

Keystroke Selection.png

If you select the checkbox, you will be presented with a pop-up window that requires you to confirm that you are aware of your requirements and liabilities under the law and ClickTale's Terms of Use and that you will abide by them.


Keystroke Approve.png

  • Click SAVE to keep your new Advanced Settings.


The recommended (and easiest) way to prevent user input from being recorded in all fields on a given page is by using the function ClickTaleSetAllSensitive(). No parameters are needed.

The main advantage of this method over others is that it masks visitor input but retains the data for full Form Analytics functionality.

This function needs to be declared only once per page to disable input recording for the whole page.


While ClickTaleSetAllSensitive will mask visitor input for all fields on a given page, the ClickTaleSensitive class can be used to achieve the same masking selectively, by adding it to specific input element/s only.

This can be used in instances where fields such as credit card numbers, social security numbers and email addresses need to masked, while other input does not constitute PII and is of interest to the site owner.

Example of use: If you have an input element that looks like this:

<input id="CCNum" type="text">

change it to be:

<input id="CCNum" type="text" class="ClickTaleSensitive">

If you already have a class attribute defined on the input element just add ClickTaleSensitive separated by a space to the existing class value.

The characters that will be typed in the protected field will be masked on the client side. Only asterisks will be transferred and recorded. The masking is not done on the server which is less secure.


If you are unable to add the ClickTaleSensitive class attribute directly to an elements with HTML code you can consider doing it using JavaScript. This will allow you to mark nodes as sensitive in the same block of code where you execute your ClickTale command. Here is an example of possible usage:

var n=document.getElementById('sensitiveElementID');
if(n) n.className+=n.className?' ClickTaleSensitive':'ClickTaleSensitive';


The ClickTaleEventsMask variable allows you to customize the type of data that is recorded by ClickTale.
By default all options are enabled. Subtract the following values before the call to ClickTale() to disable various features:

  • ClickTaleEventsMask-=1 - Disables the recording of mouse movements (mousemove)
  • ClickTaleEventsMask-=2 - Disables the recording of low level mouse clicks (mouseup, mousedown)
  • ClickTaleEventsMask-=8 - Disables the recording of high level mouse clicks (click, context)
  • ClickTaleEventsMask-=4 - Disables the recording of key strokes (keydown, keyup, keypress)
  • ClickTaleEventsMask-=16 - Disables the recording of coordinate correction data
  • ClickTaleEventsMask-=32 - Disables the recording of client javascript errors

For example, ClickTale can be configured not to record any keyboard input by adding the following line in your bottom tracking code:


prior to the call to the ClickTale function ( if(typeof ClickTale=='function') ClickTale(PROJECTID,RECORDINGRATIO,"PARTITIONID");). When configured this way, the tracking script will not do any monitoring of keyboard events. The values used can be combined: For example: in order to block recording of key strokes AND client javascript errors a value of 36 could be used (4+32)


In addition to the ClickTaleEventMask you have the option to use ClickTaleExcludeBlock to block any sensitive data you display back to the visitor from being recorded. Please see the ClickTaleExcludeBlock wiki entry for more info on how to use this feature.

Preventing Auto-Refill Data In Playback

Sometimes when a visitor returns to a form he has previously filled, the information they entered is automatically filled in by the site server. This data might appear during playback (even if the ClickTaleEventsMask or the ClickTaleSensitive methods were employed). The simplest way to prevent this type of data from appearing in recordings is to identify the server-side code in charge of adding it to the page, and prevent that code from running if the page is accessed by the ClickTale bot (you can simply add a condition that if the user agent string is "ClickTale bot", not to run the auto-fill code).

Another option is to use ClickTaleExcludeBlock for the relevant form field in order to prevent it from being recorded completely, and use ClickTaleExcludeBlock’s alternative content feature to place an input field instead of the one masked. This option, however, is more complicated to execute for larger, more dynamic forms, and therefore less recommended.