At a glance
Microsoft Clarity is not GDPR compliant by default. Session recordings capture detailed personal data – effectively video of what users do on your site. Data goes to US servers with no EU residency option. You need consent, content masking, and a DPA.
Microsoft Clarity has become popular fast – largely because it’s free and offers heatmaps and session recordings without the complexity of paid tools like Hotjar. But popularity doesn’t equal compliance, and Clarity has some specific features that create heightened privacy concerns – session recordings in particular mean the compliance risk is more significant than a standard analytics tool.
What Microsoft Clarity collects
- Cookies: _clsk (user session identifier), _clck (persistent identifier across visits), _cltk and related cookies.
- Session recordings: pixel-level reproduction of the user’s interaction with your website – every click, scroll, mouse movement, and form interaction.
- Heatmaps: aggregated click and scroll-depth data derived from the same recorded interactions.
- User agent and device information.
- IP address: used for geolocation. Clarity states that it does not store the full IP address, but the address is still transmitted to and processed by Microsoft before it is truncated, which is itself processing of personal data.
- Referrer and URL data
The session recording element is the critical concern. Standard analytics collects events and page views – abstractions of what users did. Session recording captures the visual content of what users actually saw on your site. If a user’s name was displayed in the header, if an email address appeared on a confirmation screen, if they partially typed a search query – all of that appears in the recording, whether or not you ever intended to collect it.
Watch out
Whenever you implement session recordings, always mask field inputs. Without masking, your recordings capture names, email addresses, phone numbers, and anything else typed into forms – personal data you did not intend to collect and now have to protect, retain and delete according to GDPR. Masking inputs alone is not sufficient: any personal data the page renders as ordinary text (an account name in the header, an order confirmation) is recorded too unless that element is also masked.
The advertising connection
Microsoft Clarity includes a connection to Microsoft Advertising – the Clarity data can be shared with Microsoft’s advertising platform, which creates concerns about the actual purpose of free data collection. If your users haven’t consented to advertising-related processing, this connection creates a secondary privacy issue beyond the analytics question.
Check your Clarity settings to understand what data sharing is enabled and with which Microsoft products.
Compliance steps: what you need to do
- Block Clarity until consent is given: Microsoft Clarity’s script must not load until the user has consented. Use your consent management platform to gate the Clarity tag, and verify in the browser’s network panel that no request to clarity.ms is made before consent. Clarity should be categorised as “Analytics” in your cookie banner – not functional or strictly necessary.
- Enable content masking: Clarity provides masking options to obscure specific elements in session recordings. At minimum: mask all form fields. Strongly consider masking any element that might display personal data – user names, email addresses, account details. Clarity offers auto-masking settings; apply the strictest masking policy your use case allows.
- Disable or review advertising integrations: Review and disable data sharing with Microsoft Advertising if your users haven’t consented to marketing-related processing. This is a separate consent category from analytics.
- Sign a Data Processing Agreement: Microsoft provides DPA documentation through the Microsoft Volume Licensing and Online Services Terms. Locate your DPA within your Microsoft agreement or through the Microsoft Trust Center. Confirm it covers Clarity specifically and your EU processing.
- Block specific IPs where needed: If you need to prevent Clarity from recording sessions from employees or specific IP ranges, the IP blocking feature allows this. This is particularly relevant if employees work with personal data in your interface – you don’t want their work sessions in your recordings.
- Handle international transfer risk: Microsoft Clarity has no EU data residency option – all data goes to US servers. If you’re operating where strict data residency is required (some German authorities have been particularly focused on this), this may be a fundamental obstacle. The EU-US DPF covers Microsoft, but it faces ongoing legal challenge.
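The consent-gating and masking steps above can be wired together in a small loader. The following is an added example written for this article, not Microsoft’s own snippet or code from the original page. It injects a tag of the same shape as Clarity’s published bootstrap snippet (`https://www.clarity.ms/tag/<project id>` with a command queue on `window.clarity`), uses the `data-clarity-mask` element attribute that Clarity documents for element-level masking, and sends the `clarity("consent")` signal that Clarity’s cookie-consent mode expects. The consent object shape (`{ analytics, advertising }`), the `data-pii` attribute and the `.account-name` / `.user-email` selectors are assumptions standing in for your site’s own conventions. `window` and `document` are passed in as parameters so the logic can be tested without a browser.

```javascript
// Added example: consent-gated Microsoft Clarity loader with explicit masking.
// Not Microsoft's snippet and not code from the original article. Assumed:
// consent = { analytics: bool, advertising: bool }, and the site marks
// PII-bearing elements with data-pii / .account-name / .user-email.

const CLARITY_TAG_BASE = "https://www.clarity.ms/tag/";

// Clarity project IDs are short alphanumeric tokens. Reject anything else so
// a misconfigured value can never turn into loading an arbitrary script URL.
function clarityTagUrl(projectId) {
  if (typeof projectId !== "string" || !/^[a-z0-9]{6,20}$/i.test(projectId)) {
    throw new Error("invalid Clarity project id");
  }
  return CLARITY_TAG_BASE + encodeURIComponent(projectId);
}

// Only an explicit "analytics" grant loads the tag. "functional" or
// "strictly necessary" consent is never enough. Sharing with Microsoft
// Advertising is a separate category and stays off unless granted as well.
function clarityDecision(consent) {
  const analytics = !!consent && consent.analytics === true;
  const advertising = !!consent && consent.advertising === true;
  return { load: analytics, shareWithAds: analytics && advertising };
}

// Elements whose contents must never reach a recording. Tagging them in the
// page keeps the masking policy in version control, next to the markup,
// rather than only in the Clarity dashboard settings.
const MASK_SELECTORS = [
  "input", "textarea", "select",
  "[data-pii]",                  // assumed site-wide marker for PII elements
  ".account-name", ".user-email", // assumed selectors for rendered user data
];

// Sets data-clarity-mask="true" on every matching element; returns how many
// elements were newly masked so a deploy check can assert it is non-zero.
function applyClarityMasking(doc, selectors = MASK_SELECTORS) {
  let newlyMasked = 0;
  for (const el of doc.querySelectorAll(selectors.join(","))) {
    if (el.getAttribute("data-clarity-mask") !== "true") {
      el.setAttribute("data-clarity-mask", "true");
      newlyMasked++;
    }
  }
  return newlyMasked;
}

// Injects the Clarity tag only when the consent decision allows it.
// Returns true if Clarity is (or already was) loaded, false if it was blocked.
function loadClarity(win, doc, projectId, consent) {
  if (!clarityDecision(consent).load) return false;
  if (win.__clarityTagInjected) return true;   // idempotent on re-consent

  // Mask before the script arrives so the first frames are already safe.
  applyClarityMasking(doc);

  // Command queue: calls made before the script loads are replayed by it.
  win.clarity = win.clarity || function () {
    (win.clarity.q = win.clarity.q || []).push(arguments);
  };
  win.clarity("consent");   // Clarity's cookie-consent signal

  const script = doc.createElement("script");
  script.async = true;
  script.src = clarityTagUrl(projectId);
  const first = doc.getElementsByTagName("script")[0];
  if (first && first.parentNode) {
    first.parentNode.insertBefore(script, first);
  } else {
    doc.head.appendChild(script);
  }
  win.__clarityTagInjected = true;
  return true;
}
```

Call `loadClarity(window, document, "<your project id>", consentState)` from your consent platform’s “consent updated” callback, and never from a plain page-load hook. The `shareWithAds` flag from `clarityDecision` does not change what the script does; it is there so the same decision object can drive whether you leave the Microsoft Advertising integration enabled in the Clarity project settings, which is a dashboard setting rather than something the tag controls.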
The “it’s free” consideration
When a product is offered for free, it’s worth asking what the business model is. In Clarity’s case, Microsoft explicitly acknowledges the connection to its advertising ecosystem. This creates a question that goes beyond pure GDPR analysis: are your users implicitly paying with their behavioural data for advertising targeting purposes?
If you do use Clarity, be transparent in your privacy policy about this connection, and ensure that consent categories appropriately distinguish between “analytics” and “advertising” if the two are linked.