Hotjar and GDPR: cookies, session recordings and compliance

TL;DR

Hotjar is a behavioural analytics tool that sets tracking cookies on sites that include it. These cookies are not strictly necessary and require prior visitor consent under GDPR and the ePrivacy Directive. Without blocking the Hotjar script before consent, your site is non-compliant.

What is Hotjar and what cookies does it set?

Hotjar is a behavioural analytics platform offering heatmaps, session recordings, surveys, and conversion funnels. To work, Hotjar injects a JavaScript snippet that sets tracking cookies and collects behavioural data from visitors.

Hotjar cookies and their purpose

• _hjSessionUser_[siteId]: unique user identifier for the Hotjar session (365 days)
• _hjSession_[siteId]: current Hotjar session data (30 minutes)
• _hjFirstSeen: marks a user's first session (session)
• _hjAbsoluteSessionInProgress: detects the first page session (30 minutes)
• _hjIncludedInPageviewSample: determines if user is included in pageview sample (2 minutes)
• _hjIncludedInSessionSample: determines if user is included in session recording (2 minutes)

These cookies collect identifiable behavioural data (mouse movements, clicks, scrolls, video recordings). They fall under the analytics/behavioural category and require prior consent under ICO guidance and the GDPR.

Does Hotjar require GDPR consent?

Yes. Hotjar does not benefit from any analytics exemption. Unlike privacy-first tools operating without individual-level tracking, Hotjar collects individual session recordings that can indirectly identify visitors. Both the ICO and the EDPB confirm that this type of detailed behavioural analytics requires prior consent.

Any collection of detailed behavioural data at the individual level, even for internal analytics purposes, falls under the mandatory consent requirement.

What Hotjar actually collects

• Session recordings (video of user interactions)
• Heatmaps (click, scroll, and mouse movement zones)
• Form data (fields filled in, drop-offs)
• Surveys and feedback
• Conversion funnels and drop-off paths

Some of this data, particularly form recordings, can contain personal data if Hotjar is not configured to mask it.

How to configure Hotjar for GDPR compliance

Step 1: block the Hotjar script before consent

The first priority is blocking the Hotjar script until the user consents to the analytics/behavioural category. With a CMP like FlowConsent, this blocking is automatic: the script does not load when the banner first appears. See our guide on storing cookie consent proof for proper record-keeping.

Step 2: enable privacy settings in Hotjar

Hotjar offers several privacy settings to activate in the site configuration:

• Automatically suppress all form field content (text fields, passwords)
• Mask payment data and card numbers
• Remove IP address data (anonymisation)
• Enable data deletion after the defined retention period

Step 3: set a data retention period

In Hotjar settings, limit the retention period for recordings and heatmaps to what is strictly necessary. The ICO recommends not retaining behavioural analytics data for more than 13 months.

Step 4: update your privacy policy

The site's privacy policy must mention Hotjar as a data processor, describe the data collected, its purpose, retention period, and user rights (access, erasure, objection).

Common mistakes

Hotjar active from page load. The default installation loads Hotjar immediately. Without blocking, recordings start before any user interaction with the banner. Always make loading conditional on consent.

Lumping Hotjar into a generic 'statistics' category. Hotjar goes beyond simple statistics: it records individual sessions. Grouping it into a vague category without explicit mention of session recording falls short of the information obligation.

Forgetting to mask form fields. By default, Hotjar can record text field input. Personal data (names, addresses, card numbers) can appear in recordings. Enable automatic suppression in Hotjar settings.

Retaining recordings indefinitely. Hotjar stores recordings for up to 365 days by default. Set a shorter retention period aligned with the company's data retention policy.

Not listing Hotjar as a data processor. Hotjar Ltd. is a data processor under GDPR. A Data Processing Agreement (DPA) must be signed with Hotjar and referenced in the privacy policy.

Hotjar GDPR compliance checklist

1. The Hotjar script is blocked by default until user consent.
2. The analytics/behavioural category is explicitly presented in the banner.
3. The Hotjar description in the banner mentions session recordings.
4. Form field suppression is enabled in Hotjar.
5. Hotjar data retention is limited (maximum 13 months).
6. A DPA is signed with Hotjar and referenced in the privacy policy.
7. The privacy policy describes Hotjar data, its purpose, and user rights.
8. IP address anonymisation is enabled in Hotjar settings.
9. Consent records are stored with timestamp and banner version.
10. Configuration is reviewed after each major Hotjar update.

Conclusion

Hotjar is a valuable behavioural analytics tool, but its default integration violates GDPR. Compliance combines two actions: blocking the script via a CMP before consent, and enabling Hotjar's privacy settings to minimise data collection.

Check whether Hotjar and other analytics scripts are properly blocked on your site with the FlowConsent cookie scanner.