Session recording (Hotjar, Clarity, Yandex) needs explicit consent
Hotjar, Microsoft Clarity and Yandex Webvisor record the visitor’s screen, mouse and keystrokes. Loading them before consent captures potentially sensitive input without a legal basis.
Why it matters
Session recording is high risk: recordings can sweep up data typed into forms — including special-category data (GDPR Art. 9). Because it is intrusive and non-essential, it needs explicit prior consent, and sensitive fields must be masked even after consent.
How to fix it
Load the recording script only from your consent accept callback. Enable input masking so passwords, emails and payment fields are never captured. If a visitor rejects, do not load the script at all.
```javascript
// Only after explicit consent: call this from your consent tool's "accept"
// callback, never at page load. On "reject", call nothing, so the recording
// script is never requested.
function onConsentAccepted() {
  (function(h,o,t,j,a,r){ /* Hotjar snippet */ })(window,document);
}
```
```html
<!-- Mask sensitive inputs so they are never recorded -->
<input type="email" data-hj-suppress>
<input type="password" data-hj-suppress>
```
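The consent gate and masking described above, as an added example that is not part of the original guide or of any vendor snippet. HOTJAR_SITE_ID, the shape of the `consent` object and the `fakeDocument` stand-in are assumptions; the loader URL follows Hotjar's public pattern, and the `data-clarity-mask` attribute is Clarity's documented masking hook.

```javascript
// Added example (not from the original guide): gate a recording script behind
// explicit consent and mask sensitive fields. HOTJAR_SITE_ID, the `consent`
// shape and fakeDocument are assumptions/constructed stand-ins, not vendor code.
const HOTJAR_SITE_ID = 'YOUR_HOTJAR_SITE_ID'; // placeholder, not a real site id
const SENSITIVE_TYPES = new Set(['password', 'email', 'tel']);
const SENSITIVE_NAME = /card|cvv|iban|ssn|tckn/i; // common payment/identity field names
// Only an explicit accept for the recording category counts; a missing,
// pending or rejected state never loads the script.
function recorderAllowed(consent) {
  return Boolean(consent) && consent.recording === 'accepted';
}
// Inject the recorder at most once and only when allowed; true if injected.
function loadRecorder(doc, consent) {
  if (!recorderAllowed(consent) || doc.getElementById('hj-loader')) return false;
  globalThis._hjSettings = { hjid: HOTJAR_SITE_ID, hjsv: 6 }; // Hotjar's loader reads this
  const s = doc.createElement('script');
  s.id = 'hj-loader';
  s.async = true;
  s.src = `https://static.hotjar.com/c/hotjar-${HOTJAR_SITE_ID}.js?sv=6`;
  doc.head.appendChild(s);
  return true;
}

// Mark fields that can carry sensitive input so the recorder masks them even
// after consent (Hotjar: data-hj-suppress; Clarity: data-clarity-mask="True").
// In a browser pass document.querySelectorAll('input, textarea').
function maskSensitiveInputs(fields) {
  let masked = 0;
  for (const el of fields) {
    const type = (el.getAttribute('type') || '').toLowerCase();
    const name = el.getAttribute('name') || '';
    if (el.tagName === 'TEXTAREA' || SENSITIVE_TYPES.has(type) || SENSITIVE_NAME.test(name)) {
      el.setAttribute('data-hj-suppress', '');
      el.setAttribute('data-clarity-mask', 'True');
      masked++;
    }
  }
  return masked;
}

// Constructed stand-in for the DOM so the file also runs under Node.
function fakeDocument(fields = []) {
  const byId = {};
  const make = (tagName, attrs = {}) => ({ tagName: tagName.toUpperCase(), attrs: { ...attrs },
    getAttribute(k) { return k in this.attrs ? this.attrs[k] : null; },
    setAttribute(k, v) { this.attrs[k] = String(v); } });
  return { createElement: make, getElementById: id => byId[id] || null,
    head: { children: [], appendChild(n) { this.children.push(n); byId[n.id] = n; } },
    fields: fields.map(({ tag, ...attrs }) => make(tag, attrs)) };
}
```

Wire `loadRecorder(document, consent)` to the accept callback and run `maskSensitiveInputs` on every page regardless of consent state; the reject path needs no code because nothing is ever requested.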
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.
Related guides
- Stop Google Analytics from loading before consent (KVKK/GDPR) KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Gate Google Tag Manager behind consent KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Load the Meta (Facebook) Pixel only after consent KVKK m.5 · GDPR Art. 6 · Art. 26 (joint controller)
- Self-host Google Fonts to stop leaking visitor IPs KVKK m.9 · GDPR Chapter V (transfers)
These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.