Marketing and Analytics

Microsoft Clarity records what visitors do. Consent and masking determine what it captures.

Microsoft Clarity is a free session replay and heatmap tool with broad adoption across marketing and product teams. Its low barrier to entry means it often gets deployed without the same privacy review as paid alternatives. Session replay tools capture keyboard input, form fields, and sensitive page content if masking is not configured correctly. Lokker tests whether Clarity fires within your consent perimeter and whether it collects data it should not.

Microsoft Clarity

Microsoft Clarity is a free behavioral analytics tool that records user sessions, generates heatmaps, and surfaces session replays to help teams understand how visitors interact with web pages.

Trademark

Microsoft Clarity is a trademark of Microsoft Corporation. Lokker is not affiliated with or endorsed by Microsoft Corporation.

Risk and failure modes

Session replay tools carry elevated privacy risk

Session replay captures a representation of user interaction, which can include sensitive content if masking is not applied correctly. The default Clarity configuration does not mask all potential PII.

Form field data captured in replays

Clarity captures keyboard input by default. Without explicit masking on form fields, health information, financial details, passwords, and other sensitive inputs appear in session recordings.

Healthcare and financial site risk

Sites with health-related content face HIPAA considerations when session replay tools record page visits. Clarity on a healthcare site with no masking and no consent gate is a high-priority finding.

Recording starts before consent

Clarity begins recording on page load by default. In opt-in jurisdictions, that first interaction occurs before any consent decision, capturing behavioral data without a valid legal basis.

Shared sessions with Microsoft

Clarity session data is stored and processed by Microsoft. This data transfer has its own legal basis requirements, particularly for organizations with EU-to-US data transfer restrictions.

Consent and configuration

Assigning Clarity to an Analytics or Marketing consent category is a starting point. Confirming that recording does not start until that category is accepted, and that masking suppresses all sensitive content, requires testing with the specific form types and page templates your site uses.

  • Clarity should not initialize or begin recording until an explicit consent signal for behavioral tracking or session replay has been received.

  • All form fields should be masked or excluded from recording by default, with any exceptions documented and reviewed.

  • Health, financial, and authentication pages should have additional masking applied beyond the default Clarity configuration.
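
One way to check the first requirement above against a captured request log, covering the no-interaction, reject, and GPC states. This is an added example, not Lokker's or Microsoft's code; the event format, the function names, and the rule that any host at or under clarity.ms counts as Clarity traffic are assumptions, and the sample log is constructed.

```javascript
// Assumption: Clarity traffic is any request to a host at or under clarity.ms.
const CLARITY_HOST = /(^|\.)clarity\.ms$/i;

// Consent states in which a Clarity request is a finding.
const BLOCKED_STATES = new Set(["no-interaction", "rejected", "gpc"]);

function isClarityRequest(url) {
  try {
    return CLARITY_HOST.test(new URL(url).hostname);
  } catch {
    return false; // unparsable URL cannot be attributed to Clarity
  }
}

// events: [{ t, type: "consent", state } | { t, type: "request", url }]
// (hypothetical format). gpc: true when the test browser sends a GPC signal,
// so the session starts opted out instead of in the no-interaction state.
function findConsentViolations(events, { gpc = false } = {}) {
  let state = gpc ? "gpc" : "no-interaction";
  const findings = [];
  const ordered = [...events].sort((a, b) => a.t - b.t); // stable sort
  for (const ev of ordered) {
    if (ev.type === "consent") {
      state = ev.state; // "accepted" or "rejected" from the banner
    } else if (isClarityRequest(ev.url) && BLOCKED_STATES.has(state)) {
      findings.push({ t: ev.t, state, url: ev.url });
    }
  }
  return findings;
}

// Constructed sample log; PROJECT_ID and the "sub" host are placeholders.
const SAMPLE_EVENTS = [
  { t: 0, type: "request", url: "https://www.clarity.ms/tag/PROJECT_ID" },
  { t: 5, type: "request", url: "https://notclarity.ms.example.com/a.js" },
  { t: 10, type: "consent", state: "accepted" },
  { t: 12, type: "request", url: "https://sub.clarity.ms/collect" },
  { t: 20, type: "consent", state: "rejected" },
  { t: 25, type: "request", url: "https://sub.clarity.ms/collect" },
];

for (const f of findConsentViolations(SAMPLE_EVENTS)) {
  console.log(`t=${f.t} state=${f.state} ${f.url}`);
}
```

Each finding is a Clarity request that reached the network while no consent for recording was in effect; the request at t=12 is not reported because it follows an accept.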

Regional compliance

Opt-in markets require session replay to wait for consent

In GDPR jurisdictions, session replay tools require explicit opt-in consent, because behavioral data captured from an identified session is personal data under most interpretations. Under California law as amended by the CPRA, opt-out rights and GPC recognition apply to behavioral session data shared with third parties. Healthcare sites face HIPAA considerations that apply regardless of jurisdiction. Each framework needs its own Clarity consent and masking configuration.

How Lokker helps

How Lokker validates Microsoft Clarity in your consent and masking setup

Lokker tests whether Clarity fires before consent is given, identifies pages where Clarity is present without masking on sensitive fields, and confirms that opt-out states stop Clarity from recording.

Session replay consent state testing

Consent Validator checks whether Clarity initializes in the no-interaction state, and whether it stops after a reject or GPC signal.

Clarity presence on sensitive pages

Privacy Edge detects Clarity on healthcare, financial, and authentication pages where recording without masking creates the highest risk exposure.

Explore Lokker

Products that address Microsoft Clarity privacy risk

Each product links to its full details so you can explore features, view a demo, and understand how it applies to your Microsoft Clarity deployment.

Intelligence

Privacy Edge

Detects Clarity on sensitive page types and scores the privacy risk by property.

Next step

Validate Microsoft Clarity consent behavior across your portfolio

Lokker runs automated browser-level consent flows and scans the network layer to confirm whether Microsoft Clarity fires in states where it should not.