Disclosure Guide

How to disclose Microsoft Clarity in your privacy policy

Microsoft Clarity is a free session replay and heatmap tool with massive adoption. Because it is free and easy to install, many organizations deploy it without thorough compliance review. Like all session replay tools, it requires a valid legal basis, accurate policy disclosure, and technical enforcement of consent.

Last reviewed by Lokker Privacy Engineering

Not legal advice

The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.

Data collection

What data Microsoft Clarity typically collects

This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.

  • Session replay: mouse movements, clicks, scrolls, and page interactions

  • DOM snapshots for visual session reconstruction

  • Keyboard input with automatic masking of password and payment fields

  • Page URLs and navigation sequences

  • Device type, browser, operating system, and screen size

  • Clarity-specific identifiers stored in CLID and MUID cookies

  • JavaScript errors and performance metrics

  • Microsoft Advertising identifiers when connected to Microsoft Advertising campaigns

Processing purposes

Purposes to describe in your policy

Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with Microsoft Clarity.

  • Understanding how visitors navigate and interact with the website

  • Identifying usability issues, rage clicks, and dead clicks

  • Heatmap analysis of engagement hotspots

  • Diagnosing and reproducing user-reported issues

  • Measuring scroll depth and content engagement

Jurisdiction notes

US and EU compliance considerations

These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.

United States

Clarity session data constitutes personal information under the CCPA when linked to an identifiable user. The MUID cookie is a Microsoft advertising identifier that may be used across Microsoft properties. If Clarity is connected to Microsoft Advertising, the processing may constitute a "sale" or "sharing" for advertising purposes under the CPRA. CIPA wiretapping claims have been asserted against session replay tools broadly, and Clarity is no exception.

EU and UK (GDPR)

Microsoft Clarity requires consent as a non-essential analytics tool under the GDPR. Microsoft Ireland Operations Limited processes Clarity data for EU visitors. Standard Contractual Clauses cover data transfers to Microsoft Corp. in the United States. Your policy must describe Clarity as a data processor and state the legal basis for session recording. If Clarity is connected to Microsoft Advertising, the advertising processing requires separate consent.

Example language

Illustrative policy language for Microsoft Clarity

The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.

Analytics or session replay table row

Microsoft Clarity (Microsoft Corporation): Captures session replays, heatmaps, and behavioral analytics to understand how visitors interact with our website. Applies automatic masking to password and payment fields. Stores visitor identifiers in the CLID and MUID cookies. Category: Analytics and performance.

Full session replay and analytics disclosure paragraph

We use Microsoft Clarity, a behavioral analytics and session replay tool provided by Microsoft Corporation (and, for EU visitors, Microsoft Ireland Operations Limited). Clarity records mouse movements, clicks, scroll behavior, and navigation paths during your visits to help us understand how users experience our website. These recordings are used to identify usability issues, analyze engagement patterns, and improve the website experience. Clarity automatically applies masking to password fields and certain sensitive input types, and we have configured additional masking rules for fields containing personal information. Clarity stores a unique visitor identifier in the CLID and MUID cookies. Where consent is required by applicable law, Clarity will only activate after you have provided consent through our consent management platform.

Configuration checklist

CMP and tag manager checklist

An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for Microsoft Clarity.

  1. Assign Microsoft Clarity to the "Analytics" or "Performance" category. Do not mark it as Strictly Necessary.

  2. In opt-in markets (EU, UK), Clarity must not initialize before consent is received. Clarity's initialization sends a request to www.clarity.ms; test whether this request occurs before the CMP has recorded a decision.

  3. Review Clarity's masking configuration against your DOM. Default masking covers password fields and elements with data-clarity-mask attributes, but custom form components and dynamically rendered PII may require explicit masking rules.

  4. If Clarity is connected to Microsoft Advertising, the advertising consent category must also be satisfied before Microsoft advertising identifiers are processed. Clarity and Microsoft Advertising share the MUID cookie.

  5. Use Consent Validator to verify that no Clarity requests occur in the reject state and that session recording does not begin before explicit consent is given.

Policy vs practice

What policies say versus what Lokker validates

These are common gaps between Microsoft Clarity privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.

What the policy says

  • Policies describe Microsoft Clarity as a free analytics tool that automatically protects sensitive data through built-in masking.

  • Policies treat Clarity as purely an analytics tool, without disclosing its connection to Microsoft Advertising identifiers.

  • Policies state that Clarity requires consent and loads only after the visitor accepts analytics cookies.

What Lokker validates

  • Clarity's automatic masking covers specific HTML input types but not all sensitive DOM content. Lokker checks whether Clarity initializes before consent and flags pages where sensitive content visible in the DOM may be captured in recordings.

  • The MUID cookie is a Microsoft-wide advertising identifier. If Clarity is connected to Microsoft Advertising, behavioral data from session recordings may contribute to advertising targeting. Lokker identifies whether Microsoft Advertising requests accompany Clarity initialization.

  • Lokker tests whether Clarity's request to www.clarity.ms occurs before consent is recorded in the no-interaction state. Pre-consent initialization is a common failure even when the policy describes Clarity as consent-gated.

Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether Microsoft Clarity loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
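Checklist steps 2, 4 and 5 and the validation bullets above reduce to one question: for each request to www.clarity.ms, which consent state was in force when it was sent? The block below is an added example, not Lokker's or Microsoft's code, that runs that audit over a constructed capture; the event format, the `linkedToAdvertising` flag and the treatment of a GPC signal are assumptions, not documented behaviour of any CMP.

```javascript
// Constructed example: replay a captured timeline of CMP decisions and network
// requests and flag every Clarity call sent while consent did not permit it.

// Categories a Clarity request needs (checklist steps 1 and 4).
function requiredCategories(linkedToAdvertising) {
  return linkedToAdvertising ? ["analytics", "advertising"] : ["analytics"];
}

// Clarity's own hosts; www.clarity.ms is the initialization endpoint named above.
function isClarityRequest(url) {
  const host = new URL(url).hostname;
  return host === "clarity.ms" || host.endsWith(".clarity.ms");
}

// Categories actually granted under a consent record (null = no interaction yet).
// Assumption: a GPC signal withdraws "advertising", since the page notes the
// Microsoft Advertising processing may be a "sale" or "sharing" under the CPRA.
function grantedCategories(consent) {
  if (!consent || consent.decision !== "accept") return [];
  return consent.categories.filter((c) => !(consent.gpc && c === "advertising"));
}

function stateName(consent) {
  if (!consent) return "no-interaction";
  return consent.gpc ? `${consent.decision}+gpc` : consent.decision;
}

// events: { t, kind: "consent", decision: "accept"|"reject", categories, gpc }
//     or  { t, kind: "request", url }; t is milliseconds since navigation start.
function auditClarityTimeline(events, linkedToAdvertising = false) {
  const needed = requiredCategories(linkedToAdvertising);
  let consent = null;
  const findings = [];
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.kind === "consent") { consent = ev; continue; }
    if (ev.kind !== "request" || !isClarityRequest(ev.url)) continue;
    const granted = grantedCategories(consent);
    const missing = needed.filter((c) => !granted.includes(c));
    if (missing.length) findings.push({ t: ev.t, url: ev.url, state: stateName(consent), missing });
  }
  return findings;
}

// Constructed capture: Clarity initializes at t=120, before the CMP records an
// analytics-only accept at t=900; the later call is fine unless advertising is linked.
const SAMPLE_TIMELINE = [
  { t: 120, kind: "request", url: "https://www.clarity.ms/tag/example-project" },
  { t: 900, kind: "consent", decision: "accept", categories: ["analytics"], gpc: false },
  { t: 950, kind: "request", url: "https://www.clarity.ms/collect" },
];
```

Feed it the request log and CMP events from a real browser run (accept, reject, no-interaction and GPC flows separately) and any finding with state `no-interaction` or `reject` is a pre-consent or opt-out violation of the policy language above.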

Questions

Microsoft Clarity privacy policy FAQ

Does Microsoft Clarity session recording require GDPR consent?

Yes. Microsoft Clarity is non-essential and requires a valid legal basis under the GDPR. Most organizations use consent as the legal basis, which means Clarity must not initialize before the visitor provides explicit opt-in through a compliant consent management platform. EU supervisory authorities have consistently required prior consent for session replay and behavioral analytics tools.

What is the MUID cookie and should it be disclosed?

The MUID cookie is a Microsoft-wide persistent identifier used across Microsoft properties including Microsoft Advertising, Bing, and other services. When Clarity sets the MUID cookie, it shares an identifier with the Microsoft advertising ecosystem. If your Clarity deployment is connected to Microsoft Advertising, this means behavioral session data may be linked to advertising profiles. Your cookie notice should describe the MUID cookie accurately, and if Microsoft Advertising is active, it should appear in the advertising category rather than analytics only.

Is Microsoft Clarity subject to CIPA wiretapping claims?

Session replay tools broadly have been subject to CIPA claims in California on the theory that real-time session recording constitutes interception of electronic communications without all-party consent. Microsoft Clarity is not exempt from this theory. Your disclosure should be clear, timely, and technically enforced before recording begins.

