Microsoft Clarity records sessions before consent (KVKK/GDPR)
Microsoft Clarity records the visitor’s screen, clicks, scrolls and keystrokes to build heatmaps and session replays, and sends that data to Microsoft. Loading it on page load captures behaviour — and possibly form input — before any legal basis exists.
Why it matters
Session recording is high risk: replays can capture whatever a visitor types into forms, including special-category data (GDPR Art. 9). It is intrusive and non-essential, so it needs explicit prior consent (KVKK Art. 5 / GDPR Art. 6). Clarity also sends data to Microsoft in the US, engaging cross-border transfer rules. A tag that fires on load fails all of these at once.
How to fix it
Never initialise Clarity on page load. Call it only from your consent banner’s accept callback, and mask sensitive fields so passwords, emails and payment inputs are never captured even after consent. If the visitor rejects, do not load clarity.ms at all.
<!-- Do NOT load on page load. Only inside the Accept handler: -->
<script>
// Call this only from the consent banner's accept callback.
function onConsentAccepted() {
  (function(c,l,a,r,i,t,y){
    c[a]=c[a]||function(){(c[a].q=c[a].q||[]).push(arguments)};
    t=l.createElement(r);t.async=1;t.src="https://www.clarity.ms/tag/"+i;
    y=l.getElementsByTagName(r)[0];y.parentNode.insertBefore(t,y);
  })(window,document,"clarity","script","YOUR_CLARITY_ID");
}
</script>
<!-- Mask sensitive inputs (also set masking to Strict in the Clarity dashboard) -->
<input type="email" data-clarity-mask="true">
<input type="password" data-clarity-mask="true">
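The accept-only rule above also has to hold for returning visitors, repeated Accept clicks and rejections. The following is an added example, not code from this guide or from Microsoft: a small consent gate around the same loader. The `clarity_consent` storage key, `createClarityGate` and `fakeBrowser` are hypothetical names, and the fake DOM is constructed so the gate can be exercised outside a browser.

```javascript
// Added example: consent gate for the Clarity tag (names are hypothetical).
const CONSENT_KEY = "clarity_consent"; // assumed storage key, not a Clarity setting

function createClarityGate(win, doc, storage, projectId) {
  let injected = false;

  function inject() {
    if (injected) return false; // repeated Accept clicks must not add a second tag
    win.clarity = win.clarity || function () {
      (win.clarity.q = win.clarity.q || []).push(arguments);
    };
    const tag = doc.createElement("script");
    tag.async = true;
    tag.src = "https://www.clarity.ms/tag/" + encodeURIComponent(projectId);
    const first = doc.getElementsByTagName("script")[0];
    if (first && first.parentNode) first.parentNode.insertBefore(tag, first);
    else doc.head.appendChild(tag);
    injected = true;
    return true;
  }

  return {
    // Wire to the banner's Accept button: record the choice, then load the tag.
    accept() { storage.setItem(CONSENT_KEY, "granted"); return inject(); },
    // Wire to Reject: record the choice and never touch clarity.ms.
    reject() { storage.setItem(CONSENT_KEY, "denied"); return false; },
    // Call on every page load: loads only if an earlier visit recorded "granted".
    restore() { return storage.getItem(CONSENT_KEY) === "granted" ? inject() : false; },
  };
}

// Constructed stand-ins for window, document and localStorage (test fixture only).
function fakeBrowser() {
  const scripts = [];
  const doc = {
    head: { appendChild: (el) => scripts.push(el) },
    createElement: () => ({}),
    getElementsByTagName: () => [],
  };
  const data = new Map();
  const storage = {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, String(v)),
  };
  return { win: {}, doc, storage, scripts };
}
```

In a page, pass `window`, `document` and `localStorage`, call `restore()` on load, and wire `accept()` and `reject()` to the banner buttons.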
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.