Overview
Glassbox is a digital experience analytics platform specializing in session replay, heatmaps, form analytics, and conversion funnel analysis. The platform is heavily adopted in financial services, insurance, and retail sectors where understanding precise user journeys — including friction, errors, and abandonment — is critical for both optimization and regulatory compliance purposes.
Glassbox markets itself as a "compliant" session replay tool with built-in PII masking and financial services governance features. It is used by major banks, insurers, and retailers to capture complete digital sessions for customer service (replaying a customer's exact experience when they report an issue), UX research, and conversion optimization.
What This Script Does
Glassbox's script (served from *.glassboxdigital.io or client-specific domains) captures a comprehensive behavioral record of every user session:
Full session recording: The script instruments every DOM event — mouse movements, mouse clicks, touch events, scroll position changes, keyboard interactions (with configurable masking), focus and blur events on form fields, element visibility changes, and page transitions. These events are transmitted continuously to Glassbox's servers and reconstructed into pixel-accurate session replay recordings that allow analysts to watch exactly what a user did.
DOM capture and snapshot: Glassbox periodically captures DOM snapshots to reconstruct the visual state of the page at any point in the session. This includes rendered content, CSS styles, and element positions — enabling the session replay to show exactly what the user saw.
Form analytics: The script tracks form field interaction patterns — which fields users engage with, in what order, how long they spend on each, which fields trigger errors, and where users abandon forms. Even with masking rules applied to field values, the interaction metadata is captured. Form analytics data is particularly sensitive in financial services contexts.
Cookie and session identification: Glassbox sets first-party cookies (typically with names like _cls_s for session ID and _cls_v for visitor ID) under the implementing website's domain. These cookies assign persistent visitor identifiers that link sessions across multiple visits, building longitudinal behavioral profiles. Sessions typically expire after 30 minutes of inactivity; visitor cookies may persist for 13 months.
Error and performance capture: JavaScript exceptions, failed network requests (XHR/fetch failures), and Web Vitals performance metrics are captured alongside behavioral data, enabling correlation between technical errors and user frustration signals.
Data transmission: Behavioral events are batched and sent via XHR or Beacon API to Glassbox's collection endpoint. In cloud deployments, data goes to Glassbox's hosted infrastructure; enterprise deployments may use on-premise or private cloud configurations.
Consent & Compliance
Glassbox falls squarely in the analytics consent category with heightened sensitivity:
- GDPR / ePrivacy: Session replay constitutes collection of personal data under GDPR: mouse movements, click patterns, form interactions, and multi-session behavioral profiles tied to persistent cookie identifiers are personal data. The ePrivacy Directive requires prior opt-in consent for the persistent identification cookies Glassbox sets. As a lawful basis for processing under GDPR, explicit consent (Article 6(1)(a)) would be required given the detailed behavioral profiling involved.
- Financial services considerations: UK FCA, US CFPB, and EU banking regulators have shown increasing interest in session replay tools on financial services websites. The capture of interactions with sensitive financial forms (loan applications, account management) requires particularly careful data protection impact assessments (DPIAs).
- PII masking is not a consent substitute: Glassbox's PII masking features (auto-masking of form values, custom masking rules) reduce the risk of capturing sensitive data but do not eliminate the personal data classification of the behavioral record itself. Masked sessions still contain unique user journeys linked to persistent identifiers.
- CCPA/CPRA: The detailed behavioral profiles built by Glassbox constitute "personal information" under CCPA. Session replay data shared with Glassbox may qualify as a "sale" or "sharing" requiring opt-out rights.
Should You Block This Without Consent?
Yes. Glassbox captures detailed behavioral data including full session recordings, form interaction analytics, scroll and click patterns, and persistent visitor profiles built across multiple visits. This is non-essential analytics functionality with a significant personal data footprint. Explicit consent is required before loading Glassbox scripts, particularly on financial services, healthcare, or any site where users interact with sensitive information.
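A pre-consent check built from the script domains and cookie names listed on this page, as an added example (not Glassbox or ConsentStack code): it flags Glassbox script hosts and the _cls_s / _cls_v cookies found while analytics consent is absent. The function names and the sample page state are assumptions constructed for illustration.

```javascript
// Added example: pre-consent audit for Glassbox artifacts.
// Hostnames and cookie names are the ones this page lists; client-specific
// collection domains cannot be matched by hostname and need site knowledge.
const GLASSBOX_SUFFIXES = ["glassbox.com", "glassboxdigital.io"];
const GLASSBOX_COOKIES = ["_cls_s", "_cls_v"]; // session ID, visitor ID

// True when host equals a listed domain or is a subdomain of it.
// Label-boundary matching keeps "notglassbox.com" from matching.
function isGlassboxHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return GLASSBOX_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

// Parse a document.cookie-style string into an array of cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// Report Glassbox scripts and cookies present while analytics consent is absent.
function auditPreConsent({ scriptUrls, cookieString, analyticsConsent }) {
  const findings = [];
  if (analyticsConsent) return findings; // consent granted: nothing to flag
  for (const url of scriptUrls) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      continue; // relative or malformed URL: first-party, not matched here
    }
    if (isGlassboxHost(host)) findings.push({ type: "script", value: url });
  }
  for (const name of cookieNames(cookieString)) {
    if (GLASSBOX_COOKIES.includes(name)) findings.push({ type: "cookie", value: name });
  }
  return findings;
}

// Constructed sample page state (not captured from a real site).
const sample = {
  scriptUrls: ["https://cdn.glassbox.com/example.js",
    "https://tenant.example.glassboxdigital.io/example.js",
    "https://notglassbox.com/lib.js", "/static/app.js"],
  cookieString: "_cls_s=abc123; theme=dark; _cls_v=def456",
  analyticsConsent: false,
};
console.log(auditPreConsent(sample));
```

In a browser, the same function can be fed `[...document.scripts].map((s) => s.src)` and `document.cookie` before the consent banner is answered; any finding means the tag fired ahead of opt-in.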
Tracked Domains (2)
- glassbox.com: Analytics
- cdn.glassbox.com: Analytics
Frequently Asked Questions
Does Glassbox require explicit visitor consent before loading?
Yes. Glassbox captures full session recordings and sets persistent visitor cookies that build behavioral profiles across multiple visits. This constitutes personal data processing requiring explicit opt-in consent under GDPR and ePrivacy. The risk is elevated on financial services and healthcare sites where sensitive form interactions are recorded.
What does the Glassbox script capture during a user session?
Glassbox instruments every DOM event: mouse movements, clicks, scroll positions, keyboard interactions, and form field engagement. It captures periodic DOM snapshots to reconstruct pixel-accurate session replays and sets first-party cookies linking sessions across visits, with visitor identifiers persisting up to 13 months.
How does ConsentStack manage Glassbox consent?
ConsentStack blocks Glassbox until analytics consent is granted. Given its persistent cross-session visitor profiling, ConsentStack treats it as a high-priority analytics vendor requiring explicit opt-in. On financial services sites, ConsentStack can enforce stricter consent flows reflecting heightened regulatory scrutiny of session replay tools.
