> It is allowed, contrary to eg the EU, where this is not allowed.

Its allows in most of the EU apart from germany where there are strict limits.

however you can still record what your users are doing for purposes of detecting fraud. This is where it differs from the USA, where they can do anything because they have no data protection laws.