Critical · KVKK Art. 5 · Art. 9 · GDPR Art. 6 · Chapter V (transfers) · Session recording

Microsoft Clarity records sessions before consent (KVKK/GDPR)

Microsoft Clarity records the visitor’s screen, clicks, scrolls and keystrokes to build heatmaps and session replays, and sends that data to Microsoft. Loading it on page load captures behaviour — and possibly form input — before any legal basis exists.

Why it matters

Session recording is high risk: replays can capture whatever a visitor types into forms, including special-category data (GDPR Art. 9). It is intrusive and non-essential, so it needs explicit prior consent (KVKK Art. 5 / GDPR Art. 6). Clarity also sends data to Microsoft in the US, engaging cross-border transfer rules. A tag that fires on load fails all of these at once.

How to fix it

Never initialise Clarity on page load. Call it only from your consent banner’s accept callback, and mask sensitive fields so passwords, emails and payment inputs are never captured even after consent. If the visitor rejects, do not load clarity.ms at all.

<!-- Do NOT load on page load. Only inside the Accept handler: -->
<script>
function onConsentAccepted() {
  // Clarity loader: queue calls made before the tag arrives, then inject the tag.
  (function(c,l,a,r,i,t,y){
    c[a]=c[a]||function(){(c[a].q=c[a].q||[]).push(arguments)};
    t=l.createElement(r);t.async=1;t.src="https://www.clarity.ms/tag/"+i;
    y=l.getElementsByTagName(r)[0];y.parentNode.insertBefore(t,y);
  })(window,document,"clarity","script","YOUR_CLARITY_ID");
}
</script>

<!-- Mask sensitive inputs (also set masking to Strict in the Clarity dashboard) -->
<input type="email" data-clarity-mask="true">
<input type="password" data-clarity-mask="true">
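
The accept-only rule above, extended to remember the visitor's choice across page loads and to inject the tag at most once. This is an added example, not code from the original guide or from Microsoft. `CONSENT_KEY`, the stored values, the `data-consent-gated` marker and the function names are assumptions; `win`, `doc` and `storage` are passed in (in a browser: `window`, `document`, `localStorage`).

```javascript
// Added example: consent-gated Clarity loader (names below are assumptions).
const CONSENT_KEY = "analytics_consent";            // hypothetical storage key
const CLARITY_SRC = "https://www.clarity.ms/tag/";  // tag URL from the snippet above

// Injects the Clarity tag once; returns true only when a tag was added.
// win/doc are parameters so the gate can be exercised with stand-in objects.
function loadClarity(win, doc, projectId) {
  if (doc.querySelector('script[data-consent-gated="clarity"]')) return false;
  // Same call queue as the official loader: buffer calls until the tag arrives.
  win.clarity = win.clarity || function () {
    (win.clarity.q = win.clarity.q || []).push(arguments);
  };
  const tag = doc.createElement("script");
  tag.async = true;
  tag.src = CLARITY_SRC + projectId;
  tag.setAttribute("data-consent-gated", "clarity"); // marker for the once-only check
  doc.head.appendChild(tag);
  return true;
}

// Call from the banner's Accept / Reject handlers.
// Only an explicit accept results in a request to clarity.ms.
function recordChoice(win, doc, storage, projectId, accepted) {
  storage.setItem(CONSENT_KEY, accepted ? "granted" : "denied");
  return accepted ? loadClarity(win, doc, projectId) : false;
}

// Call on every page load. A missing or "denied" value means Clarity stays
// unloaded, so a first-time visitor is never recorded before choosing.
function applyStoredChoice(win, doc, storage, projectId) {
  if (storage.getItem(CONSENT_KEY) !== "granted") return false;
  return loadClarity(win, doc, projectId);
}
```

In a page, wire `recordChoice(window, document, localStorage, "YOUR_CLARITY_ID", true)` to the Accept button, the same call with `false` to Reject, and run `applyStoredChoice` once at startup.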


Official sources

Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.

Related guides

These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.