Hotjar & GDPR: Session recording only with clear consent
Hotjar shows how visitors behave - via heat maps and session recordings. This is precisely what makes it sensitive in terms of data protection.
What Hotjar records
Hotjar creates heatmaps and records entire sessions – mouse movements, clicks and, in some cases, keystrokes.
This involves very detailed tracking of user behaviour. Without protective measures in place, personal or sensitive data may also be collected in the process.
Why it is particularly sensitive
Session recordings constitute a significant intrusion into privacy – the requirements regarding consent and data minimisation are correspondingly high.
Hotjar must not load before consent has been given. In addition, input fields must be masked to ensure that no plaintext data appears in the recordings.
Conditions for use
Consent prior to data collection, consistent input masking, a data processing agreement (AV contract) with Hotjar, and transparency in the privacy policy.
- Load Hotjar only after active consent has been given.
- Mask inputs/fields (suppression).
- Data processing agreement with Hotjar + mention in the privacy policy.
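The two technical conditions above, consent-gated loading and input masking, can be enforced in the page's own code. The following is an added example and is not Hotjar's snippet or API: a small consent gate that holds back any recording script until the visitor opts in, and an audit helper that lists form fields still lacking a suppression marker. The script URL is a placeholder (the real one comes from the vendor's tracking snippet), the field descriptors are constructed, and the DOM side effect is passed in as a callback so the logic also runs outside a browser.

```javascript
// Added example (not Hotjar's code): defer a recording script until consent,
// and audit which form fields are still unmasked.

const RECORDER_SCRIPT_URL = 'https://example.invalid/recorder.js'; // placeholder, not a real vendor URL

// Consent gate: loaders registered before consent are queued, not executed.
function createConsentGate() {
  const pending = [];
  let granted = false;
  return {
    // Returns 'loaded' if consent already exists, otherwise 'deferred'.
    register(name, loader) {
      if (granted) { loader(); return 'loaded'; }
      pending.push({ name, loader });
      return 'deferred';
    },
    // Called by the consent banner on an affirmative click; runs every queued loader.
    grant() {
      granted = true;
      const started = [];
      while (pending.length) {
        const { name, loader } = pending.shift();
        loader();
        started.push(name);
      }
      return started;
    },
    isGranted() { return granted; },
  };
}

// Builds the loader for the recorder. In a browser the injector would be
// el => { const s = document.createElement('script'); Object.assign(s, el); document.head.appendChild(s); }
function makeRecorderLoader(injectScript) {
  return () => injectScript({ src: RECORDER_SCRIPT_URL, async: true });
}

// Masking audit. Each field descriptor is { name, tag, type, suppressed }, where
// `suppressed` means the element carries the vendor's suppression marker.
// Controls that cannot carry user input are ignored.
const NON_INPUT_TYPES = new Set(['submit', 'button', 'reset', 'hidden', 'image']);

function unmaskedFields(fields) {
  return fields
    .filter(f => f.tag === 'textarea' || f.tag === 'select' ||
                 (f.tag === 'input' && !NON_INPUT_TYPES.has(f.type)))
    .filter(f => !f.suppressed)
    .map(f => f.name);
}

// Constructed sample form: two fields were forgotten when masking was added.
const DEMO_FIELDS = [
  { name: 'email',    tag: 'input',    type: 'email',    suppressed: true },
  { name: 'password', tag: 'input',    type: 'password', suppressed: false },
  { name: 'message',  tag: 'textarea', type: null,       suppressed: false },
  { name: 'send',     tag: 'input',    type: 'submit',   suppressed: false },
];

// Runs the whole flow and returns what happened at each step.
function demo() {
  const injected = [];
  const gate = createConsentGate();
  const state = gate.register('recorder', makeRecorderLoader(el => injected.push(el.src)));
  const beforeConsent = injected.length; // nothing loaded yet
  gate.grant();                          // banner click
  return { state, beforeConsent, afterConsent: injected.length, unmasked: unmaskedFields(DEMO_FIELDS) };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The gate deliberately has no "load anyway after a timeout" path: the page's rule is that recording starts only after an active opt-in, so the only transition is `grant()`. The audit is meant to run in a test or build step over the real form markup, so that a newly added field without the suppression marker fails before it reaches production.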
Check your pages
Does Hotjar load before you give your consent?
The free BlueOcean Scan detects Hotjar and other recording/analytics tools that start before consent is given.
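The check the scan performs can also be reproduced on your own pages from the browser's resource timeline. The following is an added example and is not the BlueOcean Scan's code: it takes resource entries of the shape returned by `performance.getEntriesByType('resource')` (each with a `name` URL and a `startTime` in milliseconds) and reports recording scripts that started before the consent event. The timeline and the second host pattern are constructed; the Hotjar host pattern is an assumption to verify against the vendor's current documentation.

```javascript
// Added example (not part of the page, not BlueOcean's scanner): find
// recording/analytics scripts that loaded before consent was recorded.

// Host patterns for recording tools. The hotjar.com entry is assumed from the
// vendor's public documentation; the second is a constructed placeholder.
const RECORDING_HOST_PATTERNS = [
  /(^|\.)hotjar\.com$/i,
  /(^|\.)example-recorder\.invalid$/i,
];

function hostOf(url) {
  return new URL(url).hostname;
}

function isRecordingScript(entry) {
  const host = hostOf(entry.name);
  return RECORDING_HOST_PATTERNS.some(p => p.test(host));
}

// consentTime is the millisecond timestamp of the opt-in click, or null when
// no consent was given during the visit (then every recording load is a finding).
function loadedBeforeConsent(entries, consentTime) {
  return entries
    .filter(isRecordingScript)
    .filter(e => consentTime === null || e.startTime < consentTime)
    .map(e => ({ host: hostOf(e.name), startTime: e.startTime }));
}

// Constructed timeline: the recorder script was requested ~2.2 s before the
// visitor clicked the consent banner.
const DEMO_TIMELINE = [
  { name: 'https://www.example.invalid/app.js',                    startTime: 120 },
  { name: 'https://static.hotjar.com/c/hotjar-PLACEHOLDER.js',     startTime: 310 },
  { name: 'https://cdn.example-recorder.invalid/rec.js',           startTime: 2900 },
];
const DEMO_CONSENT_TIME = 2500;

function demo() {
  return loadedBeforeConsent(DEMO_TIMELINE, DEMO_CONSENT_TIME);
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

In a browser you would pass `performance.getEntriesByType('resource')` together with the timestamp your banner stores on the opt-in click; an empty result means no recording script started before consent on that page load.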
Let's take a quick look at your sites
In a 15-minute call you’ll see where your client sites stand — and how to secure them effortlessly.
FAQ
Is Hotjar GDPR compliant?
Only with explicit consent prior to processing, consistent masking of input data, a data processing agreement and a reference in the privacy policy.
Can Hotjar run without consent?
No. Session recording is particularly intrusive and requires prior consent.
How do I prevent sensitive data from being recorded?
By masking or suppressing form fields – and by ensuring that Hotjar is only loaded once consent has been given.