Loading tutorials…
Loading tutorials…
Hotjar is GDPR-capable, not GDPR-default. The out-of-the-box install processes EU user data without consent, captures PII in recordings, and may not have your DPA on file. This is the cleanup that keeps you out of regulator trouble.
Who this is forOperators running Hotjar with any EU traffic — that's basically every B2C site with paid social, every B2B SaaS targeting Europe, and every ecommerce store shipping internationally. GDPR fines start at €10,000 and scale to €20M / 4% of global revenue.
What you'll need
Step 1
GDPR requires a Data Processing Agreement (DPA) between your business (controller) and Hotjar (processor). Hotjar provides one — but you have to actually accept it.
Open Hotjar → Settings → Account Settings → Legal Documents.
Find the Data Processing Agreement (DPA). On Hotjar Business and above, it's pre-signed by Hotjar and you click "Accept" to countersign. On Free and Plus, the DPA is part of the Terms of Service you agreed to at signup.
Confirm the date of acceptance is recorded. Hotjar will show "DPA accepted on YYYY-MM-DD" once signed.
If your business is in the EU or you have EU users, the DPA is mandatory. Without it, you're processing EU personal data without a legal basis — direct GDPR violation under Article 28.
Download a copy of the signed DPA. Store it in your compliance folder. If a regulator audits you, this is the first document they'll ask for.
Step 2
Default Hotjar captures everything users type. Mandatory: suppress all inputs by default. Also: mark PII-rendering DOM elements with data-hj-suppress.
Open Settings → Sites & Organizations → click your site → Privacy & Security.
Toggle Suppress text on all inputs to ON. This replaces typed input (credit cards, emails, names, addresses) with asterisks in all recordings.
For DOM elements that render PII outside of input fields (e.g., logged-in user header showing "Hi Jane Doe", order summary with shipping address), add the data-hj-suppress attribute to those elements in your HTML.
For entire blocks containing PII, apply data-hj-suppress on the parent — the masking cascades to child elements automatically.
Verify: open a recent recording, scrub to a form-fill moment, confirm asterisks appear where PII should be masked. Repeat on a logged-in account page. If PII shows, fix it before processing more sessions.
Add a manual review pass to your QA checklist after any deploy that adds new forms or new PII-rendering components — these are the most common compliance regressions.
Step 3
Hotjar captures user IP by default. For GDPR-aligned operation, anonymize IP addresses so they can't be used to re-identify users.
Open Settings → Sites & Organizations → click your site → Privacy & Security.
Toggle Anonymize visitor IP addresses to ON. Hotjar will truncate the last octet of IPv4 addresses (XXX.XXX.XXX.0) and zero-out the last 80 bits of IPv6.
This makes the IP non-identifiable while still being useful for general geographic insights (country / region level).
Caveat: anonymization happens before storage but Hotjar still receives the full IP momentarily. For strict interpretations (which some regulators take), you may need server-side IP masking at your CDN/proxy layer before the request reaches Hotjar. Cloudflare and Akamai both support this.
For most operators, Hotjar's built-in anonymization is sufficient under GDPR's "reasonable measures" standard. Document this decision in your DPIA if you have one.
Step 4
Hotjar must NOT collect data from EU users until they've consented. Your consent banner needs to gate Hotjar accordingly.
GDPR requires opt-in consent for analytics tracking of EU users. Default Hotjar fires on page load — before any consent decision. This is the most common compliance violation.
Fix: install Hotjar via your consent banner provider, not directly in <head>. OneTrust, Cookiebot, Cookieyes, and Iubenda all support category-based script loading — set Hotjar to load only after the user accepts the "Analytics" or "Statistics" cookie category.
OneTrust example: instead of pasting the Hotjar snippet directly, add it to a OneTrust Cookie Category (e.g., "Performance Cookies"). OneTrust will inject the snippet only after consent.
Custom consent banner: gate the Hotjar snippet behind a consent-check function. Don't fire hj() calls until consent is granted. Pseudocode: if (getConsent("analytics") === true) { loadHotjarSnippet(); }
For users who reject consent: Hotjar should not load at all. No fallback "anonymous" tracking — that's still processing personal data under EU law.
For users in non-GDPR regions (US, most of Asia): you can default Hotjar to ON. Region-aware consent banners handle this — Hotjar loads automatically for US visitors, requires consent for EU visitors.
Step 5
Users must be able to revoke consent or opt out at any time. Hotjar provides an opt-out API; expose it in your Privacy Policy and footer.
Hotjar exposes a global opt-out function: window.hj("optOut") sets a cookie that disables all Hotjar tracking for the user in their browser.
Add a "Stop tracking" link in your Privacy Policy or cookie settings page. The link calls hj("optOut") on click. Recommended copy: "Click here to opt out of session recording and heatmap tracking."
Alternative: integrate the opt-out into your consent banner's "Manage cookies" view. Most banner providers handle this automatically — if a user revokes consent for analytics, hj("optOut") fires.
Document the opt-out in your Privacy Policy alongside Hotjar's data usage disclosure.
Verify: in a clean browser, navigate to your opt-out link, click it, then visit the site. Open DevTools Console and type window.hj.optedOut — should return true. Visit Hotjar Recordings — no new session should appear from this browser.
Step 6
GDPR Article 13 requires you to disclose every third-party processor and what data they handle. Your Privacy Policy needs a Hotjar section.
Add a section to your Privacy Policy titled "Analytics and Behavior Tracking" or similar.
Disclose: the use of Hotjar as a processor, what data Hotjar collects (page views, clicks, mouse movements, scrolls, form interactions with PII masked), what Hotjar does with it (provides analytics and heatmaps for our use), where the data is stored (Ireland, AWS), and the retention period (365 days on most plans).
Include a link to Hotjar's Privacy Policy (https://www.hotjar.com/legal/policies/privacy/) so users can review their processing terms.
Disclose the legal basis: consent (for EU users via your consent banner) or legitimate interest (for US users — though some legal opinions argue consent is safer everywhere).
Include the user's right to access, delete, or restrict processing. Hotjar provides a data-deletion API endpoint — link to your data-rights request process.
If you use a Privacy Policy generator (Iubenda, Termly, Cookiebot), most have a Hotjar template you can drop in. Verify the language matches your actual setup.
Step 7
GDPR compliance drifts. New features add new tracking; team changes lose institutional knowledge. Audit yearly to catch drift.
Calendar an annual GDPR audit (recommend Q1 each year so it precedes the spring marketing push).
Audit checklist: (1) DPA on file and dated? (2) PII suppression still enabled? (3) Consent banner still gating Hotjar correctly? (4) Opt-out mechanism still working? (5) Privacy Policy current? (6) Any new PII-rendering DOM elements added that lack data-hj-suppress? (7) IP anonymization still on?
Pull a sample of 10 recent recordings and review for PII leakage. New feature deploys are the #1 source of compliance regression.
Update your Records of Processing Activities (ROPA) if you maintain one. Hotjar should be listed as a processor with the categories of data they handle.
Document the audit results in your compliance folder. If a regulator audits you, they want to see proof of ongoing diligence, not just initial setup.
Common mistakes
Going live without PII suppression
What goes wrong: Recordings capture credit card fields, addresses, emails, full names. Under GDPR Article 32 (security of processing), this is a violation. Fines start at €10,000 and scale to €20M / 4% of global revenue. Even with no fine, you have a notifiable breach if data is exposed.
How to avoid: Enable Suppress text on all inputs BEFORE going live. Add data-hj-suppress to PII DOM elements. Audit the first 10 recordings to verify masking.
Loading Hotjar before consent on EU users
What goes wrong: Hotjar fires on page load. EU users have not yet consented. You're processing personal data without a legal basis under Article 6. Direct GDPR violation — likely fine €20K-200K for a small business, much more for enterprise. Norwegian DPA fined Disqus €2.5M for exactly this pattern.
How to avoid: Install Hotjar via your consent banner provider with category-based script gating. Only load Hotjar after the user accepts analytics cookies. For users who reject: don't load Hotjar at all.
No DPA on file
What goes wrong: Without a Data Processing Agreement with Hotjar, you have no legal basis to transfer EU user data to them. Article 28 violation. Even if a user complains and Hotjar handled the data correctly, the lack of DPA is your liability — fines on the controller (you), not the processor. Typical fine range for small operators: €10,000-€100,000 plus mandatory remediation.
How to avoid: Sign the DPA in Hotjar → Settings → Legal Documents. Free/Plus users: the DPA is part of TOS but you should still download and archive a copy.
Pre-checked consent boxes
What goes wrong: Banner shows "Accept all" pre-selected, or uses "by using this site you agree" phrasing without explicit consent. Under GDPR (Planet49 case), pre-ticked consent is invalid. Every recording captured under that consent is processed unlawfully. Fines for invalid consent banners typically range €20,000-€500,000 per the French CNIL's recent enforcement actions.
How to avoid: Use a banner with unchecked defaults and explicit Accept/Reject buttons. OneTrust, Cookiebot, Cookieyes all default to compliant configurations.
Privacy Policy doesn't mention Hotjar
What goes wrong: Article 13/14 requires disclosure of every processor. If your Privacy Policy doesn't name Hotjar specifically, users haven't been informed. Regulators treat this as a transparency violation. €10K-100K typical fine for a small operator.
How to avoid: Add a Hotjar section to your Privacy Policy. Include what data is collected, retention, storage location, and link to Hotjar's policy. Most Privacy Policy generators have a Hotjar template.
No opt-out mechanism for users
What goes wrong: Users have the right to withdraw consent at any time (Article 7(3)). If your site offers no way to opt out, users can't exercise that right. Compounds any existing compliance issue — and complaints from users-trying-to-opt-out are the #1 trigger for regulator investigation. Fines for non-compliance with withdrawal rights typically start at €15,000 and compound with any other GDPR violation found during the audit.
How to avoid: Add a "Stop tracking" link in your Privacy Policy and footer that calls hj("optOut"). Integrate with your cookie banner so revoking consent fires the opt-out automatically.
Recap
Done — what's next
How to set up Hotjar Session Recordings the right way
Read the next tutorial
Hand it off
GDPR fines start at €10,000. A specialist audit costs $80-200. The math isn't close — if you have any uncertainty about your Hotjar compliance, the audit is cheap insurance. A vetted CRO + compliance specialist on EverestX can audit and fix in one afternoon, then add it to an ongoing CRO engagement at $14-16/hr.
See specialist rates
Under GDPR Article 3, if you offer goods or services to EU users (even just having a website accessible from the EU may not be enough — actively targeting EU customers is the threshold), GDPR applies. Most US sites with any paid social spend reach EU users and should comply. Plus, California (CCPA), Virginia, Colorado, and others have similar laws — the patterns are converging.
A user complains to their local Data Protection Authority. The DPA reviews. If they find violations, they issue an "administrative fine" — typically €10K-200K for small businesses, scaling to €20M / 4% of global revenue for enterprise. They also often require remediation (you must fix the violation) and may issue public reprimands. The reputational hit usually exceeds the fine for smaller operators.
Both require the same configuration work for GDPR compliance — DPA, PII suppression, consent gating, opt-out, Privacy Policy disclosure. Clarity is free, which doesn't change the legal obligations. The work is the same; neither tool is compliant out of the box.
Hotjar's primary data storage is in Ireland (AWS EU-West-1). Some auxiliary processing happens in the US. Hotjar relies on Standard Contractual Clauses (SCCs) for any US transfers — covered in the DPA. For maximum strictness, some EU operators choose Clarity (also EU-hosted) or FullStory (offers EU residency tiers).
Hotjar provides a data-deletion API. From your data-rights workflow, submit the user's identifier (the same one you push via hj("identify", userId)) to Hotjar's deletion endpoint. Hotjar deletes all matching session data within 30 days. Document the deletion in your data-rights log.
Healthcare in the US (HIPAA): Hotjar can be configured for HIPAA on Business+ with a BAA — contact Hotjar sales. Financial services (PCI DSS): credit card fields must be suppressed (always do this anyway), and Hotjar must not be in scope for PCI — usually achieved by ensuring recordings don't capture card data via input suppression. For highest-risk regulated industries, FullStory or an enterprise specialist consultation is recommended.
Hotjar
Hotjar's recordings are the most powerful feature in the tool — and the most-wasted. The difference is filter discipline. This is the setup that turns 1,000 recordings/week into 5 useful insights, not 1,000 hours of "someday I'll watch these."
Hotjar
Hotjar isn't hard to install — it's hard to install in a way that won't burn through your monthly session quota in week one. This is the setup that prevents the rebuild most teams do at month two.
Hotjar
Clarity is free. Hotjar costs $0-400+/mo. FullStory costs $300-$1,500+/mo. Each claims to do the same thing. This is the honest comparison — where each tool actually wins, and which one fits your stack.
Hotjar
DIY Hotjar is a great idea — until it isn't. This is the honest framework: when the cost of unwatched recordings and unanalyzed surveys exceeds the cost of hiring help, and how to tell which side you're on.