Disclosure Guide

How to disclose Hotjar in your privacy policy

Hotjar captures a visual record of what visitors do on your site including mouse movement, clicks, scrolling, and typed content. Privacy policies must reflect the sensitivity of session replay data, the limitations of masking, and the conditions under which recording starts.

Last reviewed by Lokker Privacy Engineering

Not legal advice

The example language on this page is provided for educational purposes only. It is not legal advice and does not create an attorney-client relationship. Privacy laws vary by jurisdiction, sector, and the specific technologies you deploy. Always have a qualified privacy counsel or attorney review your privacy policy language to ensure it accurately reflects your actual data practices and complies with applicable law. Policy text alone does not make you compliant: your technical controls must match what the policy describes.

Data collection

What data Hotjar typically collects

This is what your privacy policy needs to describe. Be specific: vague references to "usage data" or "technical information" are not sufficient in most jurisdictions.

  • Mouse movements, clicks, and scroll patterns

  • DOM snapshots enabling visual replay of the page as the visitor experienced it

  • Keyboard input with dynamic masking (specific masking behavior depends on configuration)

  • Page URLs and navigation paths within the session

  • Referring source and UTM parameters

  • Browser type, device type, and viewport size

  • IP address (Hotjar truncates this)

  • Hotjar-specific identifiers stored in _hjid and _hjSession cookies

  • User attributes if passed via Hotjar identify API

Processing purposes

Purposes to describe in your policy

Privacy laws require you to specify the purpose for each category of data processing. These are the purposes typically associated with Hotjar.

  • Understanding user experience and identifying usability issues

  • Analyzing conversion funnels and drop-off points

  • Optimizing page layouts and content placement

  • Gathering qualitative feedback through surveys and polls

  • Product improvement and customer experience research

Jurisdiction notes

US and EU compliance considerations

These are representative notes, not exhaustive legal guidance. Laws continue to evolve and your counsel should review the current requirements for each jurisdiction where your visitors reside.

United States

Under the CCPA, session replay data linked to an identifiable visitor constitutes personal information. Under the CPRA, behavioral inferences drawn from session recordings may also qualify. If Hotjar data is shared with third parties for advertising or profiling purposes, opt-out rights apply. Multiple states have enacted wiretapping statutes that courts are applying to session replay tools: CIPA in California and similar statutes elsewhere have been used to allege that session recording without consent constitutes unauthorized interception of electronic communications.

EU and UK (GDPR)

Hotjar is a non-essential analytics and behaviour-tracking tool, so in the EU and UK it requires affirmative opt-in consent before it runs. Hotjar Ltd. is headquartered in Malta (EU) and offers EU data residency, which simplifies the data-transfer analysis for EU-based organizations but does not remove the consent requirement. Your policy must name Hotjar as a data processor acting under a data processing agreement, state the legal basis for processing (typically consent), and describe the types of data captured.

Example language

Illustrative policy language for Hotjar

The examples below are starting points for discussion with legal counsel. They are not approved or jurisdiction-complete language. Your policy must accurately reflect your actual technical configuration and comply with the laws of the jurisdictions where your visitors reside.

Analytics or session replay table row

Hotjar (Hotjar Ltd.): Records visitor sessions including mouse movements, clicks, and scroll behavior to help us understand how visitors use our website. Also provides heatmap and funnel analysis. Stores a unique visitor identifier in the _hjid cookie. EU data residency available. Category: Analytics and performance.

Full session replay and analytics disclosure paragraph

We use Hotjar, a product analytics and user experience research tool provided by Hotjar Ltd. (Malta), to understand how visitors interact with our website. Hotjar uses session recording technology to capture mouse movements, clicks, scroll behavior, and navigation paths. It also provides heatmap analysis and visitor feedback tools. Session recordings may include the content visible on screen at the time of your visit. Hotjar applies dynamic masking to input fields and certain sensitive content by default, but some page content may be captured in recordings depending on site configuration. Hotjar stores a unique visitor identifier in the _hjid cookie. Hotjar processes data in accordance with a data processing agreement and provides EU-based data storage options. Session recordings are used solely for internal analysis to improve website usability and are not shared with third parties for advertising purposes. Where consent is required by applicable law, Hotjar will only run after you have provided consent through our consent management platform.

Configuration checklist

CMP and tag manager checklist

An accurate policy is only useful if the technical controls behind it work correctly. These are the configuration points to verify for Hotjar.

  1. Categorize Hotjar under "Analytics" or "User Experience Research," not "Strictly Necessary."

  2. In opt-in markets (EU, UK), Hotjar must not initialize before consent is received. Test this with Consent Validator: Hotjar's initialization sends requests to static.hotjar.com and vars.hotjar.com before recording begins, so any request to either host in the reject or no-interaction state means the consent gate is not technically enforced.

  3. In California and other states where session replay wiretapping claims have been brought, consider whether an all-party consent disclosure is required at session start.

  4. Review Hotjar's masking configuration before going live. Default masking may not cover all PII visible in your specific DOM. Apply explicit suppression (the data-hj-suppress attribute) to email fields, health-related content, and payment information.

  5. If Hotjar's identify API is used to link recordings to named users, update your policy to reflect that session data may be associated with authenticated user profiles.
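A consent-gated loader for the checklist above, as an added example that is not Hotjar's or Lokker's code. It assumes the CMP emits a `cmp:consent` event carrying `{state, categories: {analytics}}` (a hypothetical event name; adapt it to your CMP's callback), uses a placeholder site ID, and treats a Global Privacy Control signal as an opt-out for this category (an implementation assumption, not a statement of what any law requires). The decision logic lives in a pure function so it can be tested without a browser; the script URL follows the shape of Hotjar's standard snippet.

```javascript
// Added example, not Hotjar's or Lokker's code: load Hotjar only after an
// explicit analytics opt-in from the CMP, never in reject/no-interaction state.
// Assumptions: consent objects look like
//   {state: 'accept'|'reject'|'no-interaction', analytics: boolean, gpc: boolean}
// and HOTJAR_SITE_ID is a placeholder you replace with your own site ID.

const HOTJAR_SITE_ID = 0;          // placeholder, not a real site ID
const HOTJAR_SNIPPET_VERSION = 6;  // version parameter used by Hotjar's loader URL

// Pure decision: true only for an explicit accept that includes the analytics
// category and carries no GPC opt-out. 'no-interaction' is treated as "no".
function shouldLoadHotjar(consent) {
  if (!consent || consent.state !== 'accept') return false;
  if (consent.analytics !== true) return false;
  if (consent.gpc === true) return false; // assumption: honour GPC as an opt-out here
  return true;
}

// Normalise a CMP decision and navigator.globalPrivacyControl into the shape above.
// A missing decision means the visitor has not interacted with the banner yet.
function buildConsent(cmpDecision, gpcFlag) {
  return {
    state: cmpDecision && cmpDecision.state ? cmpDecision.state : 'no-interaction',
    analytics: Boolean(cmpDecision && cmpDecision.categories && cmpDecision.categories.analytics),
    gpc: gpcFlag === true,
  };
}

// Inject the Hotjar loader script only when allowed. Idempotent: a second call
// after consent does not add a second script tag. Returns whether Hotjar is loaded.
function loadHotjar(consent, win, doc) {
  if (!shouldLoadHotjar(consent)) return false;
  if (win.__hotjarLoaded) return true;
  // Queue stub so hj(...) calls made before the script arrives are not lost.
  win.hj = win.hj || function () { (win.hj.q = win.hj.q || []).push(arguments); };
  win._hjSettings = { hjid: HOTJAR_SITE_ID, hjsv: HOTJAR_SNIPPET_VERSION };
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://static.hotjar.com/c/hotjar-' + HOTJAR_SITE_ID +
               '.js?sv=' + HOTJAR_SNIPPET_VERSION;
  doc.head.appendChild(script);
  win.__hotjarLoaded = true;
  return true;
}

// Browser wiring only; skipped under Node so the functions above stay testable.
if (typeof window !== 'undefined') {
  // Assumption: the CMP dispatches a 'cmp:consent' CustomEvent with
  // detail = {state, categories: {analytics}}. Replace with your CMP's callback.
  window.addEventListener('cmp:consent', (ev) => {
    loadHotjar(buildConsent(ev.detail, navigator.globalPrivacyControl), window, document);
  });
}

if (typeof module !== 'undefined') {
  module.exports = { shouldLoadHotjar, buildConsent, loadHotjar };
}
```

Because the snippet is never emitted into the page until `shouldLoadHotjar` returns true, no request to static.hotjar.com or vars.hotjar.com can occur in the reject or no-interaction state; a tag-manager trigger that fires the same snippet on page load would bypass this gate, so remove it rather than duplicate the load.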

Policy vs practice

What policies say versus what Lokker validates

These are common gaps between Hotjar privacy policy language and what actually happens in the browser. Checking only inside each SaaS admin (CMP, tag manager, or vendor console) rarely answers whether the full stack works together. Lokker tests from the outside: consent state, tag firing, and network requests viewed as one system.

What the policy says

  • Policies often describe Hotjar as capturing only "anonymized" user interaction data for experience research.

  • Policies state that Hotjar only runs after the visitor accepts analytics or performance cookies.

  • Policies describe Hotjar as compliant with GDPR through EU data storage and a data processing agreement.

  • Policies make no mention of California wiretapping law (CIPA) in relation to Hotjar session recording.

What Lokker validates

  • Hotjar records visible on-screen text if masking is not explicitly configured. Lokker checks whether Hotjar requests are made and, for sites with sensitive DOM content, flags the risk that unmasked PII or health data may be captured in recordings.

  • Lokker confirms whether Hotjar initialization requests to static.hotjar.com and vars.hotjar.com occur in the no-consent and reject states. These requests mark the start of Hotjar's session tracking, before any recording begins.

  • EU data residency reduces transfer risk but does not replace the consent requirement. Lokker validates whether Hotjar fires before a GDPR-required opt-in and whether the CMP blocking is technically enforced, not just documented.

  • Courts have applied CIPA to session replay tools as real-time interception of electronic communications. Lokker helps establish whether consent was obtained before recording started, which is the central question in these claims.

Consent Validator tests your site from the outside, not inside each vendor admin. It runs automated flows across accept, reject, no-interaction, and GPC states and checks whether Hotjar loads through your CMP and tag manager, whether consent signals are honored, and whether any call to that vendor still occurs when the visitor has opted out.
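The outside-in check described above, as an added example that is not Lokker's Consent Validator or any part of it. It takes a capture of network requests tagged with the consent state the browser was in when each was made (the sample capture is constructed for this example), flags any Hotjar request observed in the reject, no-interaction, or GPC states, and also reports Hotjar cookies found in a `document.cookie` string. The host list is the two hosts named on this page plus any other `.hotjar.com` subdomain, which is this example's own generalisation.

```javascript
// Added example, not Lokker's or Hotjar's code: audit captured requests and
// cookies against the consent state they were observed in.
// Assumption: a capture is an array of {state, url} where state is one of
// 'accept' | 'reject' | 'no-interaction' | 'gpc'.

const HOTJAR_HOSTS = ['static.hotjar.com', 'vars.hotjar.com']; // hosts named on this page
const HOTJAR_SUFFIX = '.hotjar.com';   // assumption: any other Hotjar subdomain counts too
const HOTJAR_COOKIE_PREFIX = '_hj';    // _hjid, _hjSession and related cookies

// States in which no Hotjar request at all should be observed.
const BLOCKED_STATES = new Set(['reject', 'no-interaction', 'gpc']);

function isHotjarRequest(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch (e) { return false; }
  return HOTJAR_HOSTS.includes(host) || host.endsWith(HOTJAR_SUFFIX);
}

// Returns per-state counts of Hotjar requests plus the list of violations.
function auditHotjarRequests(capture) {
  const summary = { accept: 0, reject: 0, 'no-interaction': 0, gpc: 0 };
  const violations = [];
  for (const entry of capture) {
    if (!isHotjarRequest(entry.url)) continue;
    if (entry.state in summary) summary[entry.state] += 1;
    if (BLOCKED_STATES.has(entry.state)) {
      violations.push({ state: entry.state, host: new URL(entry.url).hostname });
    }
  }
  return { summary, violations, pass: violations.length === 0 };
}

// Parse a document.cookie-style string and return the Hotjar cookie names found.
// Finding any of these in a reject/no-interaction run is a second, independent
// signal that Hotjar initialised.
function hotjarCookies(cookieString) {
  return cookieString
    .split(';')
    .map((c) => c.trim().split('=')[0])
    .filter((name) => name.startsWith(HOTJAR_COOKIE_PREFIX));
}

// Constructed sample capture: what a failing site might produce across states.
const SAMPLE_CAPTURE = [
  { state: 'accept',         url: 'https://static.hotjar.com/c/hotjar-0.js?sv=6' },
  { state: 'accept',         url: 'https://vars.hotjar.com/box-0.js' },
  { state: 'accept',         url: 'https://cdn.example.com/app.js' },
  { state: 'reject',         url: 'https://cdn.example.com/app.js' },
  { state: 'reject',         url: 'https://static.hotjar.com/c/hotjar-0.js?sv=6' }, // violation
  { state: 'no-interaction', url: 'https://vars.hotjar.com/box-0.js' },               // violation
  { state: 'gpc',            url: 'https://cdn.example.com/app.js' },
  { state: 'gpc',            url: 'not a url' },                                      // ignored
];

// Constructed cookie jar as document.cookie would present it after a bad run.
const SAMPLE_COOKIES = '_hjid=abc; session=xyz; _hjSession_0=def; theme=dark';

if (typeof module !== 'undefined') {
  module.exports = { isHotjarRequest, auditHotjarRequests, hotjarCookies, SAMPLE_CAPTURE, SAMPLE_COOKIES };
}
```

Run against `SAMPLE_CAPTURE` the audit fails with two violations (one each in reject and no-interaction), which is exactly the gap between "Hotjar only runs after consent" in the policy and what the browser actually did. Feeding real HAR data in is a matter of mapping each entry's `request.url` and the state the run was executed in.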

Questions

Hotjar privacy policy FAQ

Does Hotjar session recording require consent under the GDPR?
Yes. Hotjar session recording is not an essential function of website operation and requires a valid legal basis under the GDPR. Most sites use consent as the legal basis, which means Hotjar must not initialize before the visitor has explicitly opted in. Technical implementation should be validated with Consent Validator to confirm that no Hotjar requests are made in the reject or no-interaction state.
Can Hotjar capture passwords or payment information?
Hotjar applies automatic suppression to input fields with type="password" and to fields whose autocomplete values indicate payment data. However, dynamically rendered content, multi-step form flows, and custom input components may not be suppressed automatically. Organizations should review their Hotjar masking configuration and add the explicit data-hj-suppress attribute to any element that could capture sensitive data.
What is the CIPA risk of using Hotjar?
The California Invasion of Privacy Act (CIPA) requires all parties to a communication to consent to interception. Courts have applied CIPA to session replay tools on the theory that recording visitor interactions constitutes real-time interception of electronic communications. Multiple lawsuits have been filed against websites deploying session replay tools without adequate disclosure at the start of the session. Your privacy policy disclosure and consent mechanism must be clear, timely, and technically honored.
Is Hotjar GDPR compliant if I use EU data storage?
Hotjar's EU data storage option reduces cross-border transfer complexity for EU-based organizations. However, data residency alone does not make a deployment GDPR compliant. You still need a valid legal basis (typically consent), a data processing agreement with Hotjar, accurate privacy policy disclosure, and technical enforcement of consent through your CMP. Compliance requires all of these elements, not just EU storage.
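A pre-launch masking audit for the passwords-and-payment question above and for the masking item in the configuration checklist, as an added example that is not Hotjar's code. It walks the form fields of a page and lists those that look sensitive but carry no `data-hj-suppress` attribute and would not be auto-suppressed under the behaviour the FAQ describes (password type, payment-style autocomplete). The heuristics for "looks sensitive" (the type list, the name regex, and treating every textarea as free text worth suppressing) are this example's own assumptions, so expect to tune them to your DOM; the functions take only `tagName` and `getAttribute`, so they run on real elements in the browser and on plain objects offline.

```javascript
// Added example, not Hotjar's code: find fields that need an explicit
// data-hj-suppress attribute before recordings go live.
// Assumptions (this example's own): Hotjar auto-suppresses type="password"
// and autocomplete values beginning with "cc-"; everything below that is
// treated as sensitive is a heuristic to be tuned per site.

const PAYMENT_AUTOCOMPLETE = /^cc-/;                 // cc-number, cc-exp, cc-csc, ...
const SENSITIVE_TYPES = new Set(['email', 'tel']);
const SENSITIVE_NAME_HINT = /(email|phone|ssn|dob|birth|health|diagnos|address|card|iban)/i;

// Describe one field using only tagName and getAttribute. Real DOM elements
// return null from getAttribute when the attribute is absent; fakes must too.
function classifyField(el) {
  const attr = (n) => (el.getAttribute(n) || '').toLowerCase();
  const tag = (el.tagName || '').toLowerCase();
  const type = attr('type');
  const autocomplete = attr('autocomplete');
  const nameish = [attr('name'), attr('id'), attr('aria-label')].join(' ');
  return {
    tag,
    explicitlySuppressed: el.getAttribute('data-hj-suppress') !== null,
    autoSuppressed: type === 'password' || PAYMENT_AUTOCOMPLETE.test(autocomplete),
    sensitive: SENSITIVE_TYPES.has(type) || SENSITIVE_NAME_HINT.test(nameish) || tag === 'textarea',
  };
}

// True when the field could hold personal data and nothing suppresses it.
function needsExplicitSuppression(el) {
  const c = classifyField(el);
  return c.sensitive && !c.autoSuppressed && !c.explicitlySuppressed;
}

// Audit every field under root (document, a form, or a fake with querySelectorAll).
// Returns a list of {tag, name} entries that still need data-hj-suppress.
function auditSuppression(root) {
  const missing = [];
  root.querySelectorAll('input, textarea, select').forEach((el) => {
    if (needsExplicitSuppression(el)) {
      missing.push({
        tag: (el.tagName || '').toLowerCase(),
        name: el.getAttribute('name') || el.getAttribute('id') || '(unnamed)',
      });
    }
  });
  return missing;
}

// Browser usage: run in the console before enabling recordings.
// auditSuppression(document).forEach((f) => console.warn('needs data-hj-suppress:', f));

if (typeof module !== 'undefined') {
  module.exports = { classifyField, needsExplicitSuppression, auditSuppression };
}
```

Fixing a finding is a one-attribute change in the markup, for example `<input type="email" name="email" data-hj-suppress>`; re-run the audit after any form change, since a new field added by a front-end framework will not inherit suppression from its neighbours.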

References

Sources and citations

Regulatory guidance, enforcement decisions, and legal cases referenced on this page.

Related litigation

  • Calhoun v. Google LLC (Session Replay/CIPA)

    N.D. Cal., 2022

Validate technical compliance

Confirm that Hotjar fires only when it should

Confirm whether Hotjar initializes before consent is given and whether session recording actually stops when visitors opt out.