Form input captured by autocapture
Heap autocapture records user interactions with form fields, including the text entered. Health, financial, and authentication form fields need explicit suppression to prevent that data from reaching Heap.
Heap's autocapture model is its core value proposition: no manual event tracking setup. It is also its core privacy challenge. Autocapture means Heap collects data before teams have defined what should and should not be captured. Without consent gating and careful event suppression, Heap can capture form fields, sensitive page interactions, and personal data from visitors who have not consented.
Marketing and Analytics
Heap is a behavioral analytics platform that autocaptures all user interactions including clicks, form inputs, and page views, allowing teams to retroactively define events for analysis without instrumenting them in advance.
Trademark
Heap is a trademark of Contentsquare SAS. Lokker is not affiliated with or endorsed by Contentsquare SAS.
Risk and failure modes
Heap's autocapture approach means the privacy review needs to happen after deployment, not before. By the time a team reviews what Heap is capturing, it has already been collecting data.
Heap's base configuration fires on page load without checking for consent. The consent gate needs to be added through the active CMP or tag manager, and verified to work correctly.
Consent and configuration
Because Heap captures everything by default, the consent work involves both gating initialization and suppressing specific element types after initialization. Both layers need to be tested.
Heap initialization should be blocked until the applicable consent category is accepted.
Heap's event sanitization and property redaction features should be used to suppress PII-bearing elements even in the consented state.
Heap session recording features, if enabled, carry the same masking requirements as dedicated session replay tools.
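The two layers described above, as an added example that is not Heap's or Lokker's code: a consent gate for the initialization step, a classifier for the form fields that need suppression regardless of consent state, and an audit of a captured request log for events that fired in a state where they should not have. The consent category name, the field-classification rules and the collector host in the sample data are assumptions, and the sample log is constructed.

```javascript
// Added example (not Heap's or Lokker's code). Pure functions over plain objects
// so it runs in Node without a DOM or a live CMP.

// Assumed CMP category covering Heap; confirm the mapping in your own CMP.
const REQUIRED_CATEGORY = "analytics";

// Gate: pre-consent (no decision yet) and opt-out both block loading the snippet.
function mayLoadAnalytics(consent) {
  if (!consent || consent.decided !== true) return false;
  return Array.isArray(consent.accepted) && consent.accepted.includes(REQUIRED_CATEGORY);
}

// Health, financial and authentication fields must be suppressed even after
// consent. Descriptors mirror the DOM attributes (type, name, id, autocomplete).
// The name patterns are an assumed starting list, not an exhaustive one.
const AUTH_TYPES = new Set(["password"]);
const FINANCIAL_AUTOCOMPLETE = /^cc-/;            // cc-number, cc-csc, cc-exp ...
const AUTH_AUTOCOMPLETE = /^(current|new)-password$|^one-time-code$/;
const SENSITIVE_NAME = /ssn|diagnos|medicat|health|iban|cardnum|cvv|passw/i;

function needsSuppression(field) {
  const type = String(field.type || "text").toLowerCase();
  const ac = String(field.autocomplete || "").toLowerCase();
  if (AUTH_TYPES.has(type)) return true;
  if (FINANCIAL_AUTOCOMPLETE.test(ac) || AUTH_AUTOCOMPLETE.test(ac)) return true;
  return SENSITIVE_NAME.test(field.name || "") || SENSITIVE_NAME.test(field.id || "");
}

// Audit: requests to the analytics host that fire before the consent decision,
// or at all in a pre-consent or opt-out state, are findings.
function auditRequests(requests, consent, hostPattern) {
  return requests.filter((r) => {
    if (!hostPattern.test(r.url)) return false;
    if (!mayLoadAnalytics(consent)) return true;   // pre-consent or opt-out
    return r.ts < consent.decidedAt;                // fired before acceptance
  });
}

// Constructed sample: the collector host and timestamps are placeholders.
const SAMPLE_REQUESTS = [
  { ts: 100, url: "https://collector.analytics-vendor.example/h?e=pageview" },
  { ts: 120, url: "https://cdn.example/app.js" },
  { ts: 300, url: "https://collector.analytics-vendor.example/h?e=click" },
];
const SAMPLE_CONSENT = { decided: true, decidedAt: 200, accepted: ["analytics"] };

function sampleFindings() {
  return auditRequests(SAMPLE_REQUESTS, SAMPLE_CONSENT, /analytics-vendor\.example/);
}
```

On the sample data, `sampleFindings()` returns only the pageview request at `ts: 100`, the one sent before consent was given; rerunning the audit with an opt-out consent record flags both collector requests.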
Regional compliance
Behavioral interaction data linked to a session identifier is personal data under GDPR. Autocapture tools that collect this data before consent have a particularly low tolerance for error in European jurisdictions. California law as amended by the CPRA introduces opt-out rights covering both sale and sharing of behavioral data with analytics vendors, and may require treating autocaptured session data as sensitive personal information in certain contexts.
How Lokker helps
Lokker tests whether Heap initializes before consent, whether it stops after rejection, and whether autocapture is reaching Heap servers in states where it should not.
Consent Validator tests each consent state and reports whether Heap initialization and autocapture events fire in pre-consent and opt-out states.
Privacy Edge detects Heap across your properties and scores it in the analytics tracker category, flagging deployments without consent conditions.
Each product links to its full details so you can explore features, view a demo, and understand how it applies to your Heap deployment.
Validation: validates Heap autocapture consent state behavior.
Intelligence: detects Heap across all properties and flags deployments without consent conditions.
Next step
Lokker runs automated browser-level consent flows and scans the network layer to confirm whether Heap fires in states where it should not.