Marketing and Analytics

Hotjar captures behavior. Whether it stays within consent depends on your configuration.

Hotjar is one of the most widely deployed session replay and heatmap tools. It is embedded on millions of sites, often through a tag manager, without a corresponding review of what it captures or when it starts. Lokker validates whether your Hotjar implementation fires within the correct consent perimeter and whether masking is applied to the fields that carry the most risk.


Hotjar

Hotjar is a behavioral analytics platform that provides session recording, heatmaps, scroll maps, and on-site survey tools to help teams understand how visitors navigate web pages.

Trademark

Hotjar is a trademark of Hotjar Ltd. Lokker is not affiliated with or endorsed by Hotjar Ltd.

Quick answer

Hotjar can be used in a GDPR-compliant way, but it requires deliberate configuration and consent gating. By default, Hotjar starts session recording as soon as the script loads, which means it can capture visitor activity before consent is given. For GDPR compliance, Hotjar must be blocked from loading until the user accepts analytics cookies, and opt-out signals including GPC must prevent recording entirely. Hotjar provides consent management documentation and supports a suppress recording API, but these features must be implemented and independently verified. Under CCPA, California users can opt out of data sale, and Hotjar offers data deletion and suppression mechanisms. Lokker validates whether Hotjar actually stops recording in reject and GPC states at the network layer, not just in the CMP configuration.

Risk and failure modes

Hotjar captures more than click paths

Hotjar records the full visual representation of a visitor session. Without masking, that includes whatever is on the screen, including data a visitor has not submitted yet.

Input fields recorded before submission

Hotjar captures what visitors type in form fields, not just the submitted values. Health questions, financial inputs, and contact information can all be captured in a Hotjar session recording before the visitor submits a form.

PII on dynamic page content

Logged-in sessions often display the user's name, account details, or order history. Hotjar records this content unless specific elements are explicitly suppressed.

Deployed through GTM without a consent trigger

Hotjar is frequently added through Google Tag Manager without a consent condition. When marketing adds it mid-campaign, the consent check often follows days or weeks later, if at all.

Consent and configuration

Hotjar provides its own consent mode API and documentation for integration with CMP tools. Confirming that the integration works correctly on each page type, and that masking covers all sensitive fields, requires active testing rather than configuration review.

  • Hotjar's suppress recording API needs to be called before any session data is captured when the visitor has not yet consented.

  • Form fields containing health, financial, or authentication data need CSS-based or API-based suppression in addition to any CMP category assignment.

  • Hotjar surveys triggered to non-consenting visitors are a secondary risk that often receives less attention than recording suppression.
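The gating described above, as an added example that is not Hotjar's or Lokker's code: the loader refuses to inject the snippet unless the CMP reports an explicit opt-in and no GPC signal is present, and it tags sensitive fields for masking before anything loads. The script URL, the consent-state names and the `data-sensitive` markers are assumptions for illustration; `data-hj-suppress` is Hotjar's documented masking attribute.

```javascript
// Added example (not Hotjar's or Lokker's code). Script URL and consent-state
// names are assumptions; data-hj-suppress is Hotjar's documented masking attribute.
const HOTJAR_SCRIPT_URL = 'https://example.invalid/hotjar-snippet-placeholder.js';

// Fields whose contents must never reach a recording, whatever the consent state.
// The data-sensitive markers are an assumed site convention, not a Hotjar feature.
const SENSITIVE_FIELD_SELECTOR = [
  'input[type="password"]', 'input[autocomplete^="cc-"]',
  '[data-sensitive="health"]', '[data-sensitive="financial"]',
].join(',');

// Consent as a CMP might report it: 'accept', 'reject', or 'none' (no interaction yet).
function mayLoadHotjar({ consentState, gpc }) {
  if (gpc === true) return false;        // GPC is an opt-out; honor it unconditionally
  return consentState === 'accept';      // only an explicit opt-in may start recording
}

// Global Privacy Control as exposed by the browser; false where unavailable (e.g. tests).
function readGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Mark sensitive fields so they are masked if recording ever starts.
// Returns the number of elements tagged.
function suppressSensitiveFields(doc) {
  const nodes = doc.querySelectorAll(SENSITIVE_FIELD_SELECTOR);
  nodes.forEach((el) => el.setAttribute('data-hj-suppress', ''));
  return nodes.length;
}

// Inject the snippet only when the gate passes. Returns true if it was injected.
function loadHotjarIfPermitted(consentState, doc, nav) {
  if (!mayLoadHotjar({ consentState, gpc: readGpc(nav) })) return false;
  if (doc.querySelector('script[data-hotjar-gated]')) return false; // already on the page
  suppressSensitiveFields(doc);          // masking is applied before loading, not after
  const s = doc.createElement('script');
  s.async = true;
  s.src = HOTJAR_SCRIPT_URL;
  s.setAttribute('data-hotjar-gated', '1');
  doc.head.appendChild(s);
  return true;
}
```

Wire `loadHotjarIfPermitted` to the CMP's consent-change event rather than to page load, so a later opt-in still loads the tool while a reject or no-interaction state never does.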

Regional compliance

Session replay is a high-priority consent category in opt-in markets

European data protection authorities have issued guidance specifically addressing session replay tools, treating the captured data as personal data that requires opt-in consent under GDPR. Under California law as amended by the CPRA, opt-out rights and GPC recognition obligations apply to behavioral session data shared with third parties. In healthcare and financial contexts, additional sectoral regulations layer on top of general privacy law requirements, making session replay one of the most compliance-sensitive tool categories on most sites.

How Lokker helps

How Lokker validates Hotjar in your consent and risk framework

Lokker identifies Hotjar on your pages, tests whether it fires before or after consent, and flags page types where recording without masking creates material exposure.

Session recording consent testing

Consent Validator runs the no-interaction, reject, and GPC flows and confirms whether Hotjar recording initializes, producing evidence of where the consent gate fails.
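The network-layer check described above, as an added example that is not Lokker's product code: given request captures from the no-interaction, reject, GPC and accept flows, it reports every flow in which Hotjar traffic appeared where recording must not start. The hostname suffixes and the sample capture are constructed assumptions.

```javascript
// Added example (not Lokker's code). Hotjar hostname suffixes and the sample
// capture are assumptions constructed for illustration.
const HOTJAR_HOST_SUFFIXES = ['.hotjar.com', '.hotjar.io'];

// True when the request targets a Hotjar host (including the bare apex domain).
function isHotjarRequest(url) {
  let host;
  try { host = new URL(url).hostname; } catch (e) { return false; }
  return HOTJAR_HOST_SUFFIXES.some((s) => host === s.slice(1) || host.endsWith(s));
}

// Flows in which no Hotjar request may appear: no interaction, reject, and GPC.
const STATES_REQUIRING_SILENCE = new Set(['none', 'reject', 'gpc']);

// One finding per flow: how many Hotjar requests fired and whether the gate held.
function evaluateFlows(capture) {
  return capture.map((flow) => {
    const hits = flow.requests.filter(isHotjarRequest);
    const mustBeSilent = STATES_REQUIRING_SILENCE.has(flow.state);
    return { state: flow.state, hotjarRequests: hits.length, pass: !mustBeSilent || hits.length === 0 };
  });
}

// Names of the flows where the consent gate failed.
function failingStates(capture) {
  return evaluateFlows(capture).filter((f) => !f.pass).map((f) => f.state);
}

// Constructed sample capture: Hotjar loads before any interaction and under GPC,
// but is correctly absent after a reject.
const SAMPLE_CAPTURE = [
  { state: 'none',   requests: ['https://www.example.com/', 'https://static.hotjar.com/placeholder.js'] },
  { state: 'reject', requests: ['https://www.example.com/', 'https://www.example.com/app.js'] },
  { state: 'gpc',    requests: ['https://www.example.com/', 'https://in.hotjar.com/placeholder'] },
  { state: 'accept', requests: ['https://static.hotjar.com/placeholder.js'] },
];
```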

Explore Consent Validator

Hotjar detection and risk scoring

Privacy Edge detects Hotjar across your property portfolio, scores the session replay risk category for each site, and alerts when Hotjar appears on sensitive page types.

Explore Privacy Edge

Explore Lokker

Products that address Hotjar privacy risk

Each product links to its full details so you can explore features, view a demo, and understand how it applies to your Hotjar deployment.

Intelligence

Privacy Edge

Detects Hotjar on sensitive page types and scores session replay risk across your portfolio.

Explore Privacy Edge


Privacy policy guidance

How to disclose Hotjar in your privacy policy

Our privacy policy disclosure guide explains what data Hotjar collects, how to describe it in a cookie notice or privacy policy, jurisdiction notes, and example language for discussion with counsel.

See disclosure guide

Frequently Asked Questions

Common questions about Hotjar

Is Hotjar GDPR compliant?

Hotjar can be GDPR-compliant with correct configuration, but it is not compliant by default. Key requirements include: blocking Hotjar from loading until the user consents to analytics tracking, honoring opt-out and GPC signals to prevent session recording, configuring data retention to the minimum required period, and enabling IP anonymization. Hotjar processes data under a Data Processing Agreement (DPA) and supports EU data residency for recordings. Independent network-layer validation is needed to confirm these settings work in practice.

Does Hotjar record before consent?

By default, Hotjar begins recording as soon as its script loads. Without explicit consent gating in your CMP or tag manager, Hotjar may capture visitor sessions before a user has accepted or rejected consent. This violates GDPR for European users, for whom opt-in consent is required before analytics data collection. The fix is to gate Hotjar's script load on consent acceptance and use Hotjar's suppress recording API or consent mode integration to stop recording when consent is not granted.

What data does Hotjar collect and does it expose personal data?

Hotjar collects session recordings of user activity including mouse movements, clicks, scrolls, and keypresses. By default, all text fields are masked, but if masking is not correctly configured, form inputs including names, email addresses, and health information can appear in recordings. Hotjar also collects IP addresses, browser identifiers, and device data. For healthcare organizations or any site handling sensitive data, session replay tools require careful configuration and consent management to avoid PHI exposure.

Next step

Validate Hotjar consent behavior across your portfolio

Lokker runs automated browser-level consent flows and scans the network layer to confirm whether Hotjar fires in states where it should not.