At a glance
A default Hotjar installation is not GDPR compliant. Hotjar stores EEA users' data in the EEA (a genuine advantage), but session recordings capture substantial personal data and the tool sets cookies, so consent is mandatory before the script loads. Mask all form fields and any other element that displays personal data, and wire your consent banner so that Hotjar is not loaded until the user opts in.
Hotjar has done more than most analytics vendors to address GDPR concerns: EEA data storage, PII suppression tools, consent features, and GDPR-specific documentation are all more developed than those of most competitors.
But Hotjar still isn’t compliant by default. The combination of cookies, session recordings, and the data these features collect means consent isn’t optional – it’s the foundation everything else needs to be built on.
What Hotjar collects
- Cookies: _hjSession_* and _hjSessionUser_* (session and user identification), plus others. These are analytics-category cookies: they are not strictly necessary for the site to function, so under the ePrivacy rules they may only be set after consent.
- Session recordings: A reproduction of the user's screen and interactions: clicks, scrolls, mouse movements and typing activity. By default the characters typed into text input fields are suppressed, but personal data rendered elsewhere on the page (a name in the header, an email address in a confirmation message) is captured unless you suppress those elements yourself.
- Heatmaps: Aggregated visualisations of click patterns and scroll depth, derived from session recording data.
- User feedback: Direct feedback widgets – surveys, polls, incoming feedback – which can capture personal data if users type it in.
- IP address: Used for geolocation. For EEA accounts Hotjar does not retain the full IP address in processed data; it is discarded once geolocation has been resolved. The IP is still received and processed on arrival, so it remains personal data you are responsible for.
The EEA storage advantage
Hotjar (acquired by Contentsquare in 2021, though operationally largely unchanged) stores data for EEA users in European data centres. This is a meaningful compliance advantage over tools like Microsoft Clarity.
EU data storage means:
- No international transfer mechanism needed for the data storage itself
- Data doesn’t need to rely on the EU-US DPF or SCCs for its primary storage
- Reduced regulatory risk from the ongoing legal challenge to DPF
However: Contentsquare is headquartered in France but has a US presence, and US-based staff may access EEA data for support and operations. Remote access from outside the EEA is itself a transfer under GDPR Chapter V, so review the DPA to understand what access controls and transfer mechanisms (SCCs or DPF certification) cover that access.
Session recordings and privacy
Session recordings are the feature most closely scrutinised by data protection authorities when evaluating Hotjar compliance. When a recording plays back, it shows what a specific user did – their journey through your site, what they clicked, what they scrolled past, what they may have started to type. This is fundamentally different from aggregate analytics.
Supervisory authorities treat session recording as a higher-risk form of processing than page-view analytics (systematic monitoring of individuals is one of the criteria that can require a DPIA). This means:
- Consent is absolutely mandatory – you cannot rely on any exemption or alternative legal basis.
- Data minimisation applies more stringently – only record what you actually need; configure sampling rates accordingly.
- Retention limits matter – session recordings should have shorter retention periods than basic analytics data.
Because consent is required and not every user gives it, your recording coverage drops. Depending on your market and banner design, opt-in rates for analytics cookies can range from roughly 30% to 80%, so you record only consenting users rather than the full picture of user behaviour. Factor this into how you use the resulting data: consenting users are a self-selected sample and may not represent all users equally.
Compliance steps: what you need to do
- Block Hotjar until consent is given: The Hotjar tracking script must not load, and no _hj* cookie may be set, until the user has consented to analytics cookies. In your consent management platform, add Hotjar as a managed analytics script; in a tag manager, gate the Hotjar tag behind an analytics consent trigger. Verify it: open the site in a fresh private window, decline, and confirm in the browser's network and storage tools that no request goes to a Hotjar host (the script itself is served from static.hotjar.com) and no _hj* cookie exists. Handle withdrawal too: once consent is revoked, stop loading Hotjar on subsequent pages and expire its cookies.
- Configure content masking: Hotjar provides three masking modes: All text masked (most privacy-preserving), Basic suppression (default: masks form inputs but not other text), and No masking. For most deployments, enable masking on all form fields plus any HTML elements that display personal data: email addresses, names in account areas, order details. Use Hotjar's element suppression feature, the data-hj-suppress attribute on an element (or on a container, which suppresses everything inside it), to target specific elements on sensitive pages.
- Exclude sensitive pages from recording: Use Hotjar’s page exclusion feature to prevent recording on pages where personal data is prominently displayed: account settings pages, order history, checkout flows, any authenticated pages with user-specific data. Record only the marketing site and informational pages unless you have a specific need and adequate masking configuration.
- Set recording sample rate appropriately: Configure sampling to record only a percentage of sessions, not all of them. This limits data collection to what you actually need for UX analysis – you don’t need 100% of sessions to make good product decisions. Lower sampling rates also reduce the total volume of personal data you hold.
- Handle DSARs and deletion: Hotjar provides a GDPR API for user deletion. When you receive an erasure request, submit a deletion request to Hotjar via the API for the relevant user. You will need the Hotjar user identifier associated with the requester; it lives in the _hjSessionUser_<site id> cookie in their browser, so your DSAR process should tell requesters how to supply it. If you use Hotjar's Identify API to tag sessions with your own user ID you can look them up that way instead, bearing in mind that identifying sessions also sends more personal data to Hotjar. Keep records of deletion submissions.
- Set data retention limits: Configure recording and data retention in Hotjar settings. Session recordings have significant storage implications, and most organisations gain little from recordings older than 90–180 days. Set a retention period aligned with your actual analytical needs and your documented data retention policy.
- Sign a Data Processing Agreement: Hotjar provides a standard DPA within its terms. Accept the DPA through your Hotjar account settings – there should be an explicit acceptance step. Retain a record of acceptance with the date. Check sub-processor disclosures to understand what third parties Contentsquare/Hotjar uses.
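The steps above as a client-side loader, added here as an example; it is not Hotjar's or Contentsquare's own code and does not come from the original page. It builds Hotjar's standard snippet only after a positive consent decision, refuses to load on excluded authenticated paths, expires _hj* cookies when consent is withdrawn, and extracts the user ID from the _hjSessionUser_<site id> cookie for an erasure request. The snippet shape (the hj queue function, _hjSettings with hjid and hjsv, the static.hotjar.com script URL) follows Hotjar's published tracking code; the site ID 1234567, the getConsentState() adapter and the consent-updated event are placeholders for your CMP, and the cookie's JSON-with-id format is an assumption to check against the cookie in your own browser.

```javascript
// Added example (not Hotjar's or Contentsquare's code): consent-gated loader
// with page exclusion, cookie cleanup on withdrawal and user-id extraction.
// The snippet shape (hj queue, _hjSettings, script URL) follows Hotjar's
// published tracking code; the site id below is a placeholder.

const HOTJAR_SITE_ID = 1234567;        // placeholder site id, not a real one
const HOTJAR_SNIPPET_VERSION = 6;      // the hjsv value in Hotjar's snippet

// Authenticated paths that must never be recorded, regardless of consent.
// Deliberately duplicates the dashboard's URL targeting rules client-side.
const EXCLUDED_PATH_PREFIXES = ['/account', '/orders', '/checkout', '/admin'];

// Match whole path segments only, so '/accounting' is not caught by '/account'.
function isExcludedPath(pathname, prefixes = EXCLUDED_PATH_PREFIXES) {
  return prefixes.some(p => pathname === p || pathname.startsWith(p + '/'));
}

// Decide whether Hotjar may load; the reason is returned so it can be logged.
function hotjarLoadDecision(consent, pathname) {
  if (!consent || consent.analytics !== true) {
    return { load: false, reason: 'no-analytics-consent' };
  }
  if (isExcludedPath(pathname)) {
    return { load: false, reason: 'excluded-page' };
  }
  return { load: true, reason: 'ok' };
}

function hotjarScriptUrl(siteId = HOTJAR_SITE_ID, sv = HOTJAR_SNIPPET_VERSION) {
  return `https://static.hotjar.com/c/hotjar-${siteId}.js?sv=${sv}`;
}

// Equivalent of Hotjar's tracking snippet, called only after a positive
// decision. win/doc are parameters so the function runs without a browser.
// Returns false if Hotjar was already initialised on this page.
function injectHotjar(win, doc, siteId = HOTJAR_SITE_ID) {
  if (win._hjSettings) return false;
  win.hj = win.hj || function () {
    (win.hj.q = win.hj.q || []).push(arguments); // queue calls until the script arrives
  };
  win._hjSettings = { hjid: siteId, hjsv: HOTJAR_SNIPPET_VERSION };
  const script = doc.createElement('script');
  script.async = true;
  script.src = hotjarScriptUrl(siteId);
  doc.head.appendChild(script);
  return true;
}

// Names of all Hotjar cookies in a Cookie header / document.cookie string
// (every Hotjar cookie name starts with "_hj").
function hotjarCookieNames(cookieString) {
  return cookieString.split(';')
    .map(part => part.trim().split('=')[0])
    .filter(name => name.startsWith('_hj'));
}

// Expire the given cookies on consent withdrawal. Hotjar's cookies are
// first-party, so the page can clear them itself; path (and domain, if the
// script set one) must match what Hotjar used. Returns the names cleared.
function expireCookies(doc, names) {
  for (const name of names) {
    doc.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
  }
  return names;
}

// Hotjar user id for an erasure request, read from _hjSessionUser_<site id>.
// Assumption: the cookie value is a URL-encoded JSON object with an "id"
// field; check the format in your own browser before relying on it.
function hotjarUserIdFromCookie(cookieString, siteId = HOTJAR_SITE_ID) {
  const prefix = `_hjSessionUser_${siteId}=`;
  for (const part of cookieString.split(';')) {
    const entry = part.trim();
    if (!entry.startsWith(prefix)) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(entry.slice(prefix.length)));
      return typeof parsed.id === 'string' ? parsed.id : null;
    } catch (e) {
      return null; // unexpected format: do not guess
    }
  }
  return null;
}

// Browser wiring; skipped outside a browser so the helpers stay testable.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  // Hypothetical CMP adapter and event name: replace with your CMP's API.
  const getConsentState = () => window.__consent || { analytics: false };
  const applyConsent = () => {
    const decision = hotjarLoadDecision(getConsentState(), window.location.pathname);
    if (decision.load) {
      injectHotjar(window, document);
    } else if (decision.reason === 'no-analytics-consent') {
      expireCookies(document, hotjarCookieNames(document.cookie));
    }
  };
  applyConsent();
  window.addEventListener('consent-updated', applyConsent);
}
```

Two things this wiring cannot do: once the Hotjar script is running on a page it will keep setting cookies, so a withdrawal should be followed by a reload rather than relying on cookie expiry alone; and sampling rate, retention period and the dashboard's own URL targeting rules are account settings with no client-side counterpart, so the path exclusion here is a belt-and-braces guard on top of them, not a replacement.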
Cookie categories for session replays
Categorising Hotjar in your cookie banner requires some thought. The tool functions as an analytics tool – but session recordings are more invasive than standard analytics. Most consent management platforms and compliance advisors categorise Hotjar under “Analytics” (not “Marketing”), but with the note that users should understand session recording is involved.
Consider having your analytics consent description mention session recordings explicitly: “Analytics cookies – we use these to measure how visitors use our site, including session recordings to understand interaction patterns.” Transparency is better than being technically accurate but practically uninformative. Another approach would be to split session replays off into their own distinct cookie category, so users understand exactly what they’re agreeing to.