Critical KVKK m.5 · GDPR Art. 6 · Art. 9 risk · Session recording

Session recording (Hotjar, Clarity, Yandex) needs explicit consent

Hotjar, Microsoft Clarity and Yandex Webvisor record the visitor’s screen, mouse and keystrokes. Loading them before consent captures potentially sensitive input without a legal basis.

Why it matters

Session recording is high risk: recordings can sweep up data typed into forms — including special-category data (GDPR Art. 9). Because it is intrusive and non-essential, it needs explicit prior consent, and sensitive fields must be masked even after consent.

How to fix it

Load the recording script only from your consent accept callback. Enable input masking so passwords, emails and payment fields are never captured. If a visitor rejects, do not load the script at all.

// Only after explicit consent:
function onConsentAccepted() {
  (function(h,o,t,j,a,r){ /* Hotjar snippet */ })(window,document);
}

<!-- Mask sensitive inputs so they are never recorded -->
<input type="email" data-hj-suppress>
<input type="password" data-hj-suppress>
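The steps above as an added example (not PrivaScan's or Hotjar's own code): a consent gate that injects the recorder script only on acceptance, at most once, and first tags password, email and payment inputs with data-hj-suppress. The function names, the loader URL and the list of sensitive input types are assumptions.

```javascript
// Added example. Names and the sensitive-type list are assumptions, not vendor API.
const SENSITIVE_TYPES = ['password', 'email', 'tel'];

// Tag sensitive fields with Hotjar's suppress attribute; returns how many were newly tagged.
function maskSensitiveInputs(doc) {
  let tagged = 0;
  for (const el of doc.querySelectorAll('input, textarea')) {
    const type = (el.getAttribute('type') || 'text').toLowerCase();
    const autocomplete = (el.getAttribute('autocomplete') || '').toLowerCase();
    // autocomplete="cc-number", "cc-csc", ... marks payment fields.
    const sensitive = SENSITIVE_TYPES.includes(type) || autocomplete.startsWith('cc-');
    if (sensitive && !el.hasAttribute('data-hj-suppress')) {
      el.setAttribute('data-hj-suppress', '');
      tagged++;
    }
  }
  return tagged;
}

// Gate around the recorder: nothing is injected until decide(true) is called.
function createRecordingGate(doc, scriptSrc) {
  let state = 'unknown'; // 'unknown' | 'accepted' | 'rejected'
  let loaded = false;
  return {
    get state() { return state; },
    get loaded() { return loaded; },
    decide(accepted) {
      state = accepted ? 'accepted' : 'rejected';
      // Rejection never loads. A script that is already running cannot be
      // unloaded here, so a later rejection needs a page reload by the caller.
      if (!accepted || loaded) return loaded;
      maskSensitiveInputs(doc); // mask before the recorder starts
      const script = doc.createElement('script');
      script.async = true;
      script.src = scriptSrc;
      doc.head.appendChild(script);
      loaded = true;
      return loaded;
    },
  };
}

// Browser usage (constructed URL and button names):
//   const gate = createRecordingGate(document, 'https://recorder.example/loader.js');
//   acceptButton.onclick = () => gate.decide(true);
//   rejectButton.onclick = () => gate.decide(false);
```

Fields added to the DOM after the gate runs are not covered by this one-time pass and need the attribute in their own markup.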

Official sources

Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.

These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.