Form Privacy

Understand the basics of FullStory privacy capabilities and feel confident utilizing them with our new FullStory Privacy 101 interactive course.


This feature is currently in beta and only available to certain customers. If you're interested in enabling this on your account, reach out to and let us know!

Form Privacy helps protect end user privacy by preventing FullStory from recording content entered by users in forms on your website or app. If you have form elements you would like to record without increasing your privacy risk you can use exceptions to unmask only what you need.

How Form Privacy Works

Form Privacy enables a set of six recording rules based on CSS selectors. We have more information about how CSS-based privacy rules work available here. In general though, Mask rules will prevent text values from being recorded while still recording end-user interactions like clicks and change events. Exclude rules, in contrast will prevent both text values and interactions from being recorded.



What inputs does Form Privacy effect?

Form Privacy introduces the following six rules:

Mask <input> elements. This tag specifies an input field where users can enter data on your site. This rule will broadly mask most form elements as well as things like search bars and login fields.

Mask <textarea> elements. Websites often use the textarea tag to provide multi-line text inputs for things like comments or reviews. The rule will mask all text within the textarea.

Mask <select> elements. This tag is used to create drop-down lists. This rule will apply to all options presented to the user within the list.

Mask [contenteditable]. This attribute, although not frequently used, specifies whether the content of an element is editable by end users. By masking elements with this attribute, we can prevent unintended recording of these elements.

Exclude <input type="radio">. Radio buttons are common form elements we exclude to prevent capturing text and interactions that could reveal unnecessary information to a viewer familiar with your site.

Exclude <input type="checkbox">. Similar to radio buttons, we exclude checkbox inputs to prevent viewers familiar with your site from seeing potentially sensitive information.

You can view these rules in FullStory under Settings > Recording and Privacy > Privacy. 


Note that you can still used masked elements when creating segments or other analytics. You can use their CSS Selectors or Named Elements for the masked items.

Unmask Specific Form Elements by Creating Exceptions

Admins on your account are able to unmask specific elements by using exceptions to the default rules. The approach allows all other form elements to remain private by default—including any form elements added later.

One example of an exception would be a search bar. These types of inputs rarely present a privacy risk and can provide valuable insights into end user actions. If your search bar has an id of "search-bar" then an admin can add an exception for the id like this:


This exception would unmask inputs with this id for all future sessions. This approach greatly minimizes risk by preventing all other input elements (even ones added in the future) from being recorded. By preventing unwanted data from being recorded, you're able to deploy faster and with less worry. Note that you can add multiple exceptions to a privacy rule.

What else should I consider when using Form Privacy?

Input fields are the most common places for personal information to appear on a website. Form Privacy alone does not guarantee that unwanted data is not recorded. It's important that unwanted information that may appear outside of form elements are manually masked or excluded. Common examples include usernames or email addresses, avatar images, payment and shipping confirmation pages, and username or password reset flows.


Need to get in touch with us?

The FullStory Team awaits your every question.

Contact us