How to Check if Hotjar is GDPR Compliant
Learn the nuances of session recording, heatmaps, anonymization features, and how to verify that your Hotjar setup respects user consent under the GDPR.
Introduction to Hotjar and User Privacy
Hotjar is an incredibly popular behavior analytics tool that provides heatmaps, session recordings, and surveys. While it is immensely valuable for UX designers and marketers to understand how users interact with a site, its core functionality—recording user screens and keystrokes—raises significant privacy concerns under the General Data Protection Regulation (GDPR).
Hotjar has taken major steps to be "privacy by design," such as automatically suppressing keystrokes in password fields and offering features to blur numbers and email addresses on the screen. However, simply using Hotjar's anonymization features does not automatically make your website GDPR compliant.
Because Hotjar relies on dropping cookies to track users across pages and stitch sessions together, it is classified as an **Analytics** tool. Therefore, you must block the Hotjar script from loading until the user has explicitly consented to analytics cookies via your cookie banner.
The Cookies Behind Hotjar
To understand why Hotjar requires consent, we must look at the data it stores on the user's device. Hotjar sets several cookies to function properly:
| Cookie Name | Duration | Purpose | GDPR Category |
|---|---|---|---|
| _hjSessionUser_<id> | 365 days | Ensures data from subsequent visits is attributed to the same user ID. | Analytics |
| _hjSession_<id> | 30 minutes | Holds current session data to keep recordings unified across pages. | Analytics |
| _hjIncludedInSessionSample | 2 minutes | Determines if a user is included in the data sampling limit. | Analytics |
Dropping these identifiers without prior consent is a direct violation of the ePrivacy Directive and the GDPR. They are not strictly necessary for the site to function, even if the data is highly anonymized on Hotjar's servers.
How to Manually Check Your Hotjar Setup
You can manually verify your Hotjar implementation to ensure it respects user consent. Here is the standard manual auditing process:
- Start Clean: Open a new Incognito or Private browsing window. Do not click anything on the cookie banner yet.
- Open Developer Tools: Press
F12or right-click and "Inspect". Go to the "Application" tab (Chrome) or "Storage" tab (Firefox). - Check for Early Cookies: Look under "Cookies" for your domain. If you see
_hjSessionUser_or any other Hotjar cookies present before you accepted cookies, your site is not compliant. - Check Local Storage: Hotjar also utilizes
localStorageandsessionStorage. Check these panels for any keys beginning with_hj. None should be present pre-consent. - Network Activity: Switch to the "Network" tab, filter by
hotjar, and refresh. No scripts fromstatic.hotjar.comor tracking pings toin.hotjar.comshould occur before consent. - Verify Post-Consent: Finally, click "Accept" on your banner. You should now see the Hotjar scripts load, the web sockets open for recording, and the cookies drop into storage.
If you find Hotjar firing early, you will need to adjust your Google Tag Manager triggers or your CMP's script blocking mechanism to ensure the Hotjar tag only fires on an "Analytics Consent Granted" event.
Automating the Audit with ConsentScope
Manual testing across multiple pages and browsers is tedious. If you want to ensure your site is completely compliant instantly, **ConsentScope** is the tool for the job.
ConsentScope is a specialized Chrome extension that does the heavy lifting of GDPR auditing for you. Instead of hunting through network tabs, you simply browse your site and let the extension report its findings.
- Complete Storage Auditing: ConsentScope scans not just cookies, but also
localStorageandsessionStorage—catching the exact places where Hotjar hides its tracking data. - Pre-Consent Alerts: If Hotjar fires a single network request or drops a session cookie before the user clicks "Accept", ConsentScope immediately flags it as a violation.
- Script Categorization: The extension recognizes the Hotjar script automatically and maps it to the "Analytics" category, helping you understand exactly what you need to block.
- Generate PDF Reports: Found an issue? Export a clean PDF report to send to your development team or clients to prove the violation.
ConsentScope is the fastest, most reliable way to guarantee that powerful tools like Hotjar are only used when legally permissible.
Conclusion
Hotjar is a phenomenal tool for optimizing user experience, but it requires strict adherence to privacy laws. Anonymizing data on the backend is fantastic, but it does not bypass the legal requirement to gain consent before dropping tracking cookies on a user's device.
Ensure your CMP is correctly configured, and use automated tools like ConsentScope to continuously monitor your site. By doing so, you can build a great user experience while maintaining the trust of your users and staying clear of GDPR fines.