Session Recording · High complexity

Hotjar

by Contentsquare (Hotjar)

All product names, logos, and trademarks are the property of their respective owners. Their inclusion here is for identification purposes only and does not imply endorsement by Obscurity Ltd.

Sets cookies: Yes
Sends PII: No
Cross-site tracking: No
Consent required: Session Recording
Transfer mechanism: EU data centres (AWS Ireland)
Cookies: _hjSessionUser, _hjSession, _hjClosedSurveyInvites

Overview

Behaviour analytics platform providing session recordings, heatmaps, and on-site surveys. Captures mouse movements, clicks, scrolls, and form inputs in real time. Now part of Contentsquare. Among the highest-risk analytics tags - session recordings can inadvertently capture sensitive personal data displayed on screen.

Detection capabilities

Signature count: 6
Detection methods: network
Property types: hostname, pathname, websocket_event

Performance impact

Script size: 55 KB
Requests per page: 6

Common mistakes

  1. Not configuring input field suppression - passwords, card numbers, and personal details can be captured by default
  2. Deploying without explicit consent, treating it as basic analytics when session recordings are more intrusive processing
  3. Leaving default data retention periods that may exceed what is necessary for the stated purpose
  4. Not informing users their sessions are recorded - violates GDPR transparency requirements (Articles 13/14)
  5. Using on pages with sensitive data (health, financial) without a data protection impact assessment

Compliance considerations

Sets first-party cookies (_hj* cookies) and transmits session recording data to Hotjar servers.

Consent: Explicit consent typically required under ePrivacy - session recordings go beyond what is strictly necessary for providing the service. Categorise under a dedicated consent category.

Data capture: Records mouse movements, clicks, scrolls, and form inputs. Sensitive fields must be actively suppressed - default behaviour records all visible page content.

Privacy notice: Must explicitly mention session recording technology. A DPIA is recommended before deploying on pages handling sensitive data.

Data location: EU data centres (AWS Ireland) for EU customers - verify in your Hotjar DPA.
