New Relic Browser Agent and Data Protection – What Belongs in the Privacy Policy

New Relic Browser Agent: processed data, GDPR legal bases, DPA and mandatory disclosures for the privacy policy when using performance monitoring.

The New Relic Browser Agent enables Real User Monitoring (RUM) and measures website performance from the end user's browser. The JavaScript integration collects technical data on load times, errors and user interactions. This guide documents what data protection information belongs in a privacy policy when New Relic Browser Monitoring is used.

A. Purpose and Function of the New Relic Browser Agent

The New Relic Browser Agent is a JavaScript code snippet that is embedded in the website (either directly in the <head> section or via APM agent) and continuously captures performance data. The tool focuses on frontend performance monitoring and measures:

  • Page load times and resource load times
  • Core Web Vitals: Largest Contentful Paint (LCP), First Input Delay (FID) and Cumulative Layout Shift (CLS)
  • JavaScript errors in the user's browser
  • AJAX and HTTP requests as well as their response times
  • Page navigation (click paths) and user interactions
  • Technical telemetry data such as device type, operating system, browser version

Scope: New Relic is a comprehensive observability platform with many products (APM, Infrastructure, Logs, Synthetics). This guide deals exclusively with the Browser Agent for website integration. Other New Relic functions require separate data protection documentation.

B. Mandatory Disclosures in the Privacy Policy

Under the General Data Protection Regulation (GDPR) and the Telemedia Act (TMG), website operators must transparently inform users about data processing. A privacy policy must contain the following information pursuant to Art. 13, 14 GDPR:

  1. Controller (website operator) and processor (New Relic)
  2. Purposes of data processing
  3. Categories of personal data that are collected
  4. Legal bases for the processing
  5. Retention period and erasure policy
  6. Data subject rights (access, rectification, erasure, data portability)
  7. For third-country transfers: safeguards (Data Privacy Framework, Standard Contractual Clauses)

The information must be precise and comprehensible, and must not be worded too generally. Blanket statements such as "we use analytics tools" are not sufficient; concrete information on New Relic is required.

C. Provider

Controller (website operator):
You yourself (or your organisation)

Processor:
New Relic, Inc.
188 Spear Street, Suite 1200
San Francisco, CA 94105, USA

Data Protection Officer:
New Relic has a data protection officer (DPO) based in Germany, reachable at: Privacy@newrelic.com

Legal form:
New Relic is a US-based company (Delaware Corporation), but as a processor is subject to the GDPR and has established a data protection request mechanism.

Certifications:

  • EU-U.S. Data Privacy Framework (DPF): New Relic is certified under the DPF initiative (replaces the previously invalidated Privacy Shield)
  • Standard Contractual Clauses (SCCs 2021): Included in the Data Processing Addendum (DPA) as a fallback mechanism
  • GDPR Compliance: New Relic is an EU-GDPR and UK-GDPR compliant processor

Data centres and data storage:
New Relic offers customers the choice between US data centres and EU data centres (Ireland). Customer data is stored in the region selected by the account holder. System operations data (billing, licences, internal monitoring) is hosted in the USA and replicated to the EU.

Privacy Policy:
https://newrelic.com/termsandconditions/privacy

D. Data Processing – Workflow

Data collection: The Browser Agent is loaded as a JavaScript snippet on the website and immediately begins capturing performance metrics from the user's browser (without prior consent for technical data).

Data collection and aggregation: The agent collects data locally in the user's browser and aggregates it periodically (e.g. hourly or upon page events such as Load, Unload, Pageshow, Pagehide).

Data transfer: Aggregated data is transferred encrypted via HTTPS to New Relic servers (domains: bam.nr-data.net or bam-cell.nr-data.net).

Storage on New Relic servers: Data is stored in the New Relic data centres of the chosen region (US or EU) with at-rest encryption and SOC-2 certification.

Use and analysis: You (as website operator) can view data in the New Relic interface and use it for performance analysis, error diagnosis and optimisation.

Data deletion: The retention period is configurable in your New Relic account (default: various retention policies depending on data type). You can manually control deletion or automate it via New Relic policies.

E. Data Collected

The Browser Agent collects the following categories of personal and technical data:

Web server log data:

  • IP address of the user (New Relic states: used to determine the rough geographical location, but not used to identify the user; not logged long-term)
  • Timestamp of the request (date and time)

Click paths and navigation:

  • Visited pages and internal navigation paths
  • Referrer URLs — without query string (New Relic disables the collection of URL parameters for data protection reasons)

Device and system information:

  • Device type (desktop, tablet, smartphone)
  • Operating system and version
  • Screen resolution
  • Browser information (type, version)

Rough location data:

  • Geographical region (derived from IP address at a rough level)

Technical telemetry data (Core Web Vitals):

  • Largest Contentful Paint (LCP): Time to render of the largest content element
  • First Input Delay (FID): Delay between user interaction and browser response
  • Cumulative Layout Shift (CLS): Unexpected visual shifts during page load
  • General resource load times (CSS, images, scripts)

Error telemetry:

  • JavaScript errors: Error messages, stack traces
  • Network errors: Failed AJAX/HTTP requests

AJAX and HTTP request data:

  • Request URLs, HTTP methods, response status codes
  • Response times

Session management:

  • Session ID: A unique identifier for a browser session (in modern browser agent versions ≥ 1220 via DOM Storage, not via cookies)
  • Session timeout: 30 minutes of inactivity ends a session

Depending on configuration:

  • Cookie data (if cookie collection is enabled in older agent versions)
  • Additional custom data (if you explicitly send these to New Relic)

F. Purposes of Use

Function provision and error diagnosis:

  • Real-time detection and remediation of technical errors and performance issues on your website
  • Identification of faulty resources or slow API endpoints

General product improvement:

  • Analysis and optimisation of website performance
  • Monitoring of user experience (User Experience / Digital Experience)
  • Needs-based further development and improvement of your website architecture

Security and anomaly detection:

  • Detection of unusual patterns, bot activities or abuse indicators
  • Protection against malfunctions and outage prevention

Internal analytics and reporting (limited):

  • Aggregated statistics for internal business and optimisation purposes
  • No creation of user profiles or behavioural profiling for external purposes

Primary legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

The use of New Relic Browser Agent is in most cases justified by legitimate interest if the following conditions are met:

  1. No profiling: Data is used exclusively for technical performance analysis, not for the creation of user profiles or behavioural profiling
  2. Minimal data collection: Only technically necessary data is collected (collection of query strings and use of IP addresses for user identification are disabled)
  3. Balancing test: The interest in website security and optimisation outweighs the interests of users (since the data processing is rather involuntary and users are commonly informed about such tools)

Secondary legal bases (context-dependent):

  • Contract performance (Art. 6(1)(b)): If, as a SaaS provider or e-commerce operator, you are contractually obliged to guarantee website availability
  • Legal obligation (Art. 6(1)(c)): If industry-specific compliance requirements make performance monitoring mandatory
  • Consent (Art. 6(1)(a)): If you consciously decide on a consent strategy (e.g. cookie banner with explicit opt-in for analytics)

Particularity: Cookie use and electronic privacy (TDDDG / ePrivacy Directive)

If the New Relic Browser Agent performs session tracking via cookies (older agent versions < 1220), additional justification under § 25 TDDDG (German Telemedia Act) or the EU ePrivacy Directive (2002/58/EC) is required:

  • For non-essential cookies: consent required (cookie banner with opt-in)
  • For essential / functional cookies: consent not strictly required

Conclusion: Modern New Relic Browser Agent versions (≥ 1220) use DOM Storage instead of cookies and therefore do not require separate ePrivacy consent. However, documentation of the legal basis (legitimate interest or consent) in the privacy policy is mandatory.

H. Special Features and Notes

Data Processing Addendum (DPA) and processing on behalf:

A Data Processing Addendum (DPA) is automatically in place between New Relic and your website domain if you transfer personal data to New Relic. The DPA does not need to be signed; it applies automatically to all GDPR-relevant data transfers. The DPA regulates:

  • Scope and confidentiality of data processing
  • Security measures (encryption, access control, data protection officer)
  • Notification obligation in the event of personal data breaches (notification timeline)
  • Sub-processors
  • Audit and review rights

Link to the DPA:
Current DPA: https://newrelic.com/termsandconditions/dataprotection

Third-country transfer and international data flows:

The USA is considered a third country with regard to the GDPR. New Relic has implemented the following safeguards:

  1. EU-U.S. Data Privacy Framework (DPF): New Relic is certified under DPF (replaces the invalidated Privacy Shield). This certification ensures an adequate level of data protection when transferring to New Relic in the USA.
  2. Standard Contractual Clauses (SCCs, 2021 version): Integrated in the DPA as a fallback safeguard in case DPF is invalidated
  3. EU data storage possible: With New Relic you can choose EU data storage (Ireland, one.eu.newrelic.com) to avoid third-country transfers

For EU data storage: Customer data remains in the EU; system operations data (billing) is nevertheless stored in the USA and replicated to the EU.

Recommendation: If you operate under strict GDPR compliance requirements, you should choose the EU data storage option and document this in your privacy policy.

Data obfuscation and sensitive data:

The New Relic Browser Agent offers obfuscation rules to mask sensitive data. From Browser Agent v1216 onwards, you can configure obfuscation rules, each consisting of a regular expression and its replacement:

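init: {
  obfuscate: [
    {
      // Match the parameter name together with its value, so the value is replaced as well
      regex: /password[^=&]*=[^&#\s]*/gi,
      replacement: "password=***"
    },
    {
      // Match the number pattern itself, not the literal string "ssn"
      regex: /\b\d{3}-\d{2}-\d{4}\b/g,
      replacement: "XXX-XX-XXXX"
    }
  ]
}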

Measures:

  • MASK: Replaces all characters with Xes (e.g. form field values)
  • HASH: Replaces sensitive data with SHA-256 hash value
  • Check: Configure the agent so that passwords, credit card numbers, social security numbers and other PII are not collected by New Relic
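
The check above can be run offline before obfuscation rules are deployed. The following JavaScript is an added example, not New Relic's code and not part of the original guide; it shows that a rule matching only the field name leaves the sensitive value in place, while a rule matching the value removes it. It assumes each rule is applied in order as a plain replace(regex, replacement); the rule sets, the sample strings and the helper names applyRules and findLeaks are constructed for illustration.

```javascript
// Added example. Assumption: a rule is applied as text.replace(rule.regex, rule.replacement),
// one rule after another. All rules and sample strings below are constructed.

// Rules that match only the field name: the value after it is left in place.
const nameOnlyRules = [
  { regex: /password.*?=/gi, replacement: "password=***" },
  { regex: /ssn/gi, replacement: "XXX-XX-XXXX" },
];

// Rules that consume the value itself.
const valueRules = [
  { regex: /password[^=&]*=[^&#\s]*/gi, replacement: "password=***" },
  { regex: /\b\d{3}-\d{2}-\d{4}\b/g, replacement: "XXX-XX-XXXX" },
];

// Constructed strings of the kind the agent reports (URLs, error messages),
// each paired with the sensitive value that must not survive obfuscation.
const samples = [
  { text: "https://shop.example/login?user=amy&password=hunter2&next=/cart", secret: "hunter2" },
  { text: "https://shop.example/api/profile?ssn=000-12-3456", secret: "000-12-3456" },
  { text: "Error: lookup failed for SSN 000-12-3456 at validate()", secret: "000-12-3456" },
];

// Apply every rule in order and return the obfuscated string.
function applyRules(rules, text) {
  return rules.reduce((out, rule) => out.replace(rule.regex, rule.replacement), text);
}

// Return the samples whose sensitive value is still present after obfuscation.
function findLeaks(rules, sampleList) {
  return sampleList
    .map((s) => ({ secret: s.secret, masked: applyRules(rules, s.text) }))
    .filter((s) => s.masked.includes(s.secret));
}

for (const [name, rules] of [["name-only", nameOnlyRules], ["value", valueRules]]) {
  const leaks = findLeaks(rules, samples);
  console.log(`${name} rules: ${leaks.length} of ${samples.length} samples leak`);
  for (const leak of leaks) console.log("  still visible:", leak.masked);
}
```

Extending the samples with strings taken from your own URL scheme and error messages turns this into a regression check for every rule change.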

Session tracking and cookie management (Browser Agent ≥ 1220):

  • Modern versions use DOM Storage (localStorage) instead of cookies
  • Session ID: Stored locally in the browser and enables session continuity across tabs
  • Session timeout: 30 minutes of inactivity ends the session
  • No third-party cookies: Third-party cookies are deprecated and no longer used
  • Control: You can enable/disable cookie collection in the browser app settings (Privacy Settings)

Data retention period and storage:

The retention period of data at New Relic is configurable in your New Relic account. Typically:

  • Raw event data: 8–30 days (depending on plan)
  • Aggregated metrics: up to 13 months
  • You can set shorter retention periods or delete data manually

Recommendation for privacy policy: Document which retention periods you have specifically configured.

Visitor rights and data portability:

In accordance with GDPR requirements, New Relic supports:

  • Access requests (Art. 15): Users can request which data New Relic stores about them
  • Erasure requests (Art. 17): New Relic can delete data on a user (e.g. via session ID)
  • Data portability (Art. 20): Export of data in machine-readable format

Link for personal data obligations:
https://docs.newrelic.com/docs/security/security-privacy/data-privacy/new-relic-personal-data-requests/

I. Frequently Asked Questions on New Relic Browser Agent and Data Protection

J. Conclusion

The New Relic Browser Agent is a widely used and data-protection-friendly tool for website performance monitoring if the right precautions are taken. A transparently formulated privacy policy with concrete information on data types, purposes, legal bases and third-country transfers is mandatory — general formulations on "analytics tools" are insufficient.

Most important steps:

  1. Choose legal basis: Legitimate interest or consent
  2. Review configuration: Enable obfuscation for sensitive data, EU data storage if needed
  3. Observe DPA: New Relic DPA is automatically valid — you do not need to actively sign
  4. Document retention: Set and document concrete periods in your New Relic account
  5. Adapt privacy policy: Insert specific information on New Relic Browser Agent (not generic)
  6. Regular review: Especially in case of updates to New Relic or changes to data protection provisions

For this purpose, also use our Website Privacy Policy Generator to create an auditable, GDPR-compliant privacy policy.

Disclaimer: This guide provides general data protection information. It does not replace individual legal advice from a data protection lawyer or officer. As of: April 2026. The information is based on research into New Relic's public documentation, policies and certifications (DPF, SCC). Changes to New Relic's services, policies or legal provisions may affect the validity of this information.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
