Microsoft Clarity is a free behavioral analytics tool from Microsoft that combines heatmaps, scroll maps and full session recordings to visualize how users interact with a website. Because it captures granular user behavior and shares identifiers with Microsoft advertising, it is a high-risk processing activity under GDPR.
Microsoft Clarity is a free behavioral analytics product launched by Microsoft in 2020 and hosted on the clarity.ms and c.clarity.ms domains. It is operated by Microsoft Corporation from Azure data centers in the United States, with optional European storage available for some workloads. Clarity is positioned as a no-cost alternative to commercial heatmap and session replay tools such as Hotjar, FullStory or Mouseflow.
The product is loaded through a small JavaScript snippet that streams interaction events back to Microsoft: mouse movements, clicks, scroll depth, rage clicks, dead clicks, JavaScript errors, page transitions and the full DOM needed to replay each user session. It produces three main outputs for site owners: heatmaps, scroll maps and individual session recordings. Because Clarity is the short brand name used by Microsoft itself, the slug clarity in cookie databases refers to the Microsoft product rather than the unrelated Adobe or Apache projects sharing the word.
Clarity sets several first-party cookies on the publisher domain plus shared identifiers on Microsoft-owned domains. The main ones are: _clck (persistent Clarity user identifier, retained for one year), _clsk (per-session identifier connecting events within a single session, expires after one day), CLID (Clarity unique identifier set on c.clarity.ms, retained for one year), MUID (Microsoft User Identifier shared with Bing, Bing Ads and other Microsoft properties, retained for one year and 24 days) and ANONCHK (used to validate the MUID, retained for 10 minutes).
The MUID cookie is the most sensitive from a privacy standpoint because it is shared across the Microsoft advertising ecosystem. When a visitor later browses a site that uses Microsoft Advertising or Bing, Microsoft can correlate the two visits. This single-sign-on-style identifier turns Clarity from a closed analytics loop into a node of a larger advertising graph, which has direct implications for the legal basis assessment.
Under Article 5(3) of the ePrivacy Directive, storing or reading information on a user terminal is only allowed with prior consent unless the cookie is strictly necessary to deliver a service explicitly requested by the user. Clarity cookies do not qualify as strictly necessary: they are deployed for behavioral analytics, product optimization and advertising correlation. Consent must therefore be obtained before any Clarity script executes.
GDPR raises the stakes further because session recording reconstructs what a visitor saw and did, including any unmasked text typed into forms. European supervisory authorities, including the French CNIL and the Italian Garante, have repeatedly flagged session replay as a high-risk activity that frequently requires a Data Protection Impact Assessment under Article 35. The combination of granular behavioral data, US transfers and advertising identifiers means controllers must rely on explicit, opt-in consent under Article 6(1)(a) and cannot fall back on legitimate interest.
Clarity data is processed by Microsoft Corporation in the United States. Since July 2023, Microsoft is self certified under the EU US Data Privacy Framework, which the European Commission has recognized as providing an adequate level of protection under GDPR Article 45. Transfers to certified Microsoft entities therefore no longer require Standard Contractual Clauses or supplementary measures by default.
Controllers should still document the transfer in their Article 30 record, monitor the DPF status (an ongoing legal challenge before the CJEU could affect adequacy), and use the EU data residency option in Clarity where available to reduce exposure. The Schrems II analysis is simpler today than in 2022, but it has not disappeared, especially for UK and Swiss controllers whose extensions of the DPF rely on parallel adequacy decisions.
Clarity offers three masking modes: Strict (all text masked by default), Balanced (the default, masks form fields and obvious sensitive areas) and Relaxed (no masking, not recommended for EU traffic). Strict mode is strongly advised for sites handling health, financial, authentication or special category data. Publishers can also flag specific elements with the `data-clarity-mask` or `data-clarity-unmask` attributes for fine-grained control, and exclude entire pages from recording.
A DPIA should be considered whenever Clarity is deployed on authenticated areas, checkout flows, health portals, employee-facing tools or any site processing data of children. The DPIA should describe the volume of recordings, retention defaults (up to 13 months), masking configuration, complementary tools sharing the MUID and the residual risk to data subjects, including the possibility of reconstruction of personal data from replay.
A compliant Clarity deployment in the EU follows a clear pattern: block the Clarity script until explicit consent is collected through a Consent Management Platform compliant with EDPB guidelines on dark patterns; map Clarity to the analytics or marketing purpose depending on whether the MUID enriches advertising flows; enable Strict masking; restrict recording to non-sensitive pages; sign or accept the Microsoft Data Protection Addendum and document the DPF reliance in the transfer register.
Privacy notices should explicitly name Microsoft Clarity, describe heatmap and session recording functionality, list the cookies set, mention US transfers under the DPF and link to Microsoft's privacy statement and the user opt-out. Where session recording risk cannot be mitigated to an acceptable level, controllers should consider alternatives such as Plausible or simple Matomo heatmaps without replay, or Hotjar with EU hosting, which offer narrower data flows than Clarity.
Websites using Clarity must obtain user consent under GDPR regulations.
DPIA considerations
Microsoft Clarity captures session recordings, mouse movements, clicks, scroll behavior and form interactions. This level of detail constitutes systematic monitoring of user behavior and, depending on context (volume of users, sensitive pages, special category data exposure), can trigger Article 35 GDPR DPIA requirements. Risk factors to evaluate: (1) replay of forms or authenticated areas where personal data, payment details or special categories could be reconstructed; (2) combination with Microsoft Advertising via the MUID identifier, enabling cross-site profiling; (3) US data transfers despite the DPF; (4) data retention defaults (Clarity retains for up to 13 months). Mitigation requires aggressive text masking, sensitive field exclusion, IP anonymization, EU data residency where available and clear documentation in the Article 30 register.
Sample consent text
We use Microsoft Clarity, a behavioral analytics tool from Microsoft, to understand how visitors interact with our site through heatmaps and anonymized session recordings. Clarity sets cookies (_clck, _clsk, MUID) and transfers data to Microsoft servers in the United States under the EU US Data Privacy Framework. Sensitive fields are masked. You can accept or refuse at any time in cookie preferences.
Third-party domains contacted
clarity.ms
c.clarity.ms
www.clarity.ms
bing.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _clck | analytics | 1 year | Clarity user ID, persists across sessions to recognize returning visitors |
| _clsk | analytics | 1 day | Clarity session ID, ties events within a single session for session replay tracking |
| MUID | marketing | 1 year and 24 days | Microsoft User Identifier, shared with Bing and Microsoft Advertising for cross site identification |
| CLID | analytics | 1 year | Clarity unique identifier set on c.clarity.ms to deduplicate users across publisher sites |
| ANONCHK | analytics | 10 minutes | Validates the MUID and synchronizes telemetry with Microsoft endpoints |
Clarity sets first-party cookies on your own domain (_clck for a persistent Clarity user ID for one year, _clsk for a per-session ID expiring after one day) and shared identifiers on Microsoft domains (CLID on c.clarity.ms for one year, MUID on bing.com and clarity.ms for one year and 24 days, ANONCHK for 10 minutes). The MUID is the same cookie used by Microsoft Advertising and Bing, which means Clarity data can be correlated with Microsoft's broader advertising graph.
Yes. Under Article 5(3) of the ePrivacy Directive, Clarity cookies are not strictly necessary and require prior, freely given, specific, informed and unambiguous consent. Because Clarity also performs session recording and shares the MUID with Microsoft Advertising, European authorities treat it as analytics with marketing implications, so the consent must be explicit opt-in. The script must not load before consent is collected.
The only realistic legal basis is consent under Article 6(1)(a) GDPR. Legitimate interest (Article 6(1)(f)) is not suitable because Clarity captures granular behavioral data, performs session recording and shares identifiers with Microsoft's advertising ecosystem, which a reasonable user would not expect. The consent recorded by your Consent Management Platform must cover both the cookie placement (ePrivacy) and the subsequent processing of personal data (GDPR).
Yes, under conditions. Microsoft Corporation is self certified under the EU US Data Privacy Framework since July 2023, and the European Commission has issued an adequacy decision recognizing the DPF under Article 45 GDPR. Transfers to certified Microsoft entities no longer require Standard Contractual Clauses by default. You should still document the transfer in your Article 30 record, monitor the DPF (a CJEU challenge is pending) and use EU data residency in Clarity where available.
Frequently yes, because Clarity performs session recording, which authorities including the CNIL and the Italian Garante treat as high-risk processing. A DPIA under Article 35 GDPR is recommended whenever Clarity is deployed on authenticated areas, checkout flows, health portals, employee-facing tools or sites processing data of children. The DPIA should document masking configuration, retention (default up to 13 months), the role of the MUID and residual risk of reconstruction of personal data from replays.
Block the Clarity script until explicit opt-in consent is collected through a CMP that respects EDPB guidelines on dark patterns. Enable Strict masking so all text is hidden by default, mark sensitive fields with `data-clarity-mask`, exclude authenticated and payment pages from recording, anonymize IPs, accept the Microsoft Data Protection Addendum, document the DPF in your transfer register and mention Clarity by name in the privacy notice with a link to Microsoft's privacy statement and opt-out.
For sites that do not need session replay, Plausible Analytics and simple Matomo configurations (without heatmaps or replay) are cookieless or consent-light options hosted in the EU. If you need heatmaps, Matomo Heatmaps and Hotjar with EU hosting offer narrower data flows than Clarity because they do not share advertising identifiers. Server-side tools such as Fathom, Pirsch or self-hosted Umami are also relevant when session replay is not required.
Add a dedicated entry naming Microsoft Clarity as a behavioral analytics tool operated by Microsoft Corporation. List the cookies set (_clck, _clsk, CLID, MUID, ANONCHK) with their durations and purposes. Disclose session recording with the masking mode you have configured. State that data is transferred to the United States under the EU US Data Privacy Framework. Link to Microsoft's privacy statement and to the user opt-out, and explain how to withdraw consent at any time.
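The deployment pattern described here and in the earlier "compliant deployment" paragraph (block the tag until opt-in, require both purposes when the MUID feeds advertising, mark sensitive fields for masking) can be expressed as a small consent gate, with an audit step that checks the cookie table above against the consent actually recorded. This is an added example written for this page, not Microsoft's snippet or FlowConsent's code. It assumes the CMP exposes consent as an object of the form `{ analytics: boolean, marketing: boolean }`, that the tag URL `https://www.clarity.ms/tag/<projectId>` matches the standard Clarity snippet (verify against Microsoft's current documentation), that `data-clarity-mask="True"` is the attribute value Microsoft documents for element masking, and that `PROJECT_ID` is a placeholder. The `doc` parameter stands in for `document` so the logic can be exercised outside a browser.

```javascript
// Added example (not Microsoft's or FlowConsent's own code): gate the Clarity tag on
// explicit consent, tag sensitive fields for masking, and audit document.cookie for
// Clarity cookies placed without a matching consent.
// Assumptions: the CMP exposes consent as { analytics: boolean, marketing: boolean };
// the tag URL https://www.clarity.ms/tag/<projectId> matches Microsoft's standard snippet;
// data-clarity-mask="True" is the documented masking attribute; "PROJECT_ID" is a placeholder.

// Cookies from the page's table, mapped to the consent purpose each one depends on.
const CLARITY_COOKIES = {
  _clck: 'analytics',
  _clsk: 'analytics',
  CLID: 'analytics',
  MUID: 'marketing',
  ANONCHK: 'analytics',
};

// Clarity always sets the MUID, which feeds Microsoft Advertising, so loading the
// tag is allowed only when both the analytics and the marketing purpose are granted.
function clarityAllowed(consent) {
  return Boolean(consent && consent.analytics === true && consent.marketing === true);
}

const loadedProjects = new Set();

// Inject the tag only after consent. Returns true if the tag is (now) loaded,
// false if consent blocked it. Safe to call again on every consent change.
function loadClarity(projectId, consent, doc) {
  if (!clarityAllowed(consent)) return false;
  if (loadedProjects.has(projectId)) return true;
  const script = doc.createElement('script');
  script.async = true;
  script.src = `https://www.clarity.ms/tag/${encodeURIComponent(projectId)}`;
  doc.head.appendChild(script);
  loadedProjects.add(projectId);
  return true;
}

// Mark elements that must never be readable in a replay. Strict mode already masks all
// text, but the explicit attribute keeps the field masked if someone later switches
// the project to Balanced or Relaxed. Returns the number of elements newly marked.
function maskSensitiveFields(elements) {
  let marked = 0;
  for (const el of elements) {
    if (el.getAttribute('data-clarity-mask') !== 'True') {
      el.setAttribute('data-clarity-mask', 'True');
      marked += 1;
    }
  }
  return marked;
}

// Split a document.cookie string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// Audit: which Clarity cookies exist on the publisher domain, and which were placed
// without the consent their purpose requires. A non-empty `violations` list means the
// tag ran (or a cookie survived a withdrawal) before the user opted in. Note that
// document.cookie only shows cookies on your own domain; the MUID copy on bing.com
// is invisible from the page and must be checked in the browser's storage inspector.
function auditClarityCookies(cookieString, consent) {
  const present = cookieNames(cookieString).filter((name) =>
    Object.prototype.hasOwnProperty.call(CLARITY_COOKIES, name),
  );
  const violations = present.filter(
    (name) => !(consent && consent[CLARITY_COOKIES[name]] === true),
  );
  return { present, violations };
}

// Typical wiring in a browser (constructed illustration, `cmp` is a hypothetical CMP API):
// const report = auditClarityCookies(document.cookie, cmp.getConsent());
// if (report.violations.length) console.warn('Clarity cookies before consent:', report.violations);
// maskSensitiveFields(document.querySelectorAll('input, textarea, [data-sensitive]'));
// cmp.onConsentChange((consent) => loadClarity('PROJECT_ID', consent, document));
```

Run the audit on every page load in staging and fail the build or alert when `violations` is non-empty: it catches the most common deployment mistake, the snippet pasted into a template outside the CMP's consent callback, which no amount of masking configuration fixes.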