Contentsquare is a French digital experience analytics platform providing session recording, heatmaps, zone-based click analytics, AI-powered insights, and customer journey analysis. It records individual user interactions including mouse movements, clicks, scroll depth, and navigation paths. Under GDPR and CNIL guidelines, session recording and heatmap features constitute personal data processing requiring opt-in consent. Contentsquare is a leading player in experience analytics but carries significant GDPR compliance obligations due to the nature of behavioural recording.
Contentsquare is a French digital experience intelligence (DXI) platform headquartered in Paris. Since the 2021 acquisition of Hotjar, the product range covers session replay (DOM mutation recording with PII masking), zone-based heatmaps, scroll maps, click maps, customer journey analytics, friction detection and integrated user surveys. Contentsquare is positioned as the European challenger to Quantum Metric and FullStory.
The Contentsquare tag (uxa.js) writes the following first party cookies on the publisher domain: _cs_id (pseudonymous visitor identifier, 13 months under the CNIL recommendation), _cs_s (session counter, 30 minutes), _cs_c (consent flag, 13 months) and _cs_ex (excluded user opt out, 13 months). Session replay data is captured as DOM mutations with masked input fields and transmitted to the Contentsquare ingestion endpoint. The replay payload may contain page URL, viewport, scroll position, mouse coordinates and form values when the masking is not configured properly.
Consent under GDPR art. 6(1)(a) and ePrivacy art. 5(3) is required before loading the Contentsquare tag. Session recording, heatmap and behaviour analytics are excluded from the CNIL analytics exemption because they capture detailed visitor behaviour that exceeds simple visit counting. The EDPB guidelines 2/2023 confirm that session recording requires informed and granular consent. The publisher must therefore gate the uxa.js tag behind the analytics or behaviour category of its CMP and never preload it.
Contentsquare offers an EU-only cluster hosted on AWS Frankfurt and Ireland, which keeps raw replays and analytics inside the European Economic Area. Customer support, R&D and SRE access originates from Paris and Tel Aviv (Israel, adequacy decision of 2011). Contentsquare US Inc. has been certified under the EU-US Data Privacy Framework since 8 December 2023 and serves global customers that opt for the worldwide tier. The Contentsquare DPA includes the EU Standard Contractual Clauses (module 2) and an exhaustive list of sub-processors.
Choose the EU cluster during onboarding to keep data inside the EEA. Mask every input, label and aria attribute that may contain personal data (CSS class cs-mask, attribute data-cs-mask, content security policy on names, emails, addresses, payment data, health data). Configure the replay sample rate proportionately to the legitimate need; the CNIL has fined organisations for excessive recording. Run a DPIA under GDPR art. 35 because session replay typically meets the systematic monitoring criterion. Document Contentsquare SAS and Contentsquare US Inc. in your records of processing (GDPR art. 30) and update the privacy notice.
Direct alternatives include Hotjar (same group), FullStory (US), Glassbox (Israel), Quantum Metric (US), Mouseflow (Denmark) and the open source Heatmap.js. For privacy first heatmap only options, Matomo Heatmaps and Plausible Web Vitals offer EU hosting without session replay.
Websites using Contentsquare must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because Contentsquare captures session recordings, scroll heatmaps and interaction patterns that can constitute large scale behavioural monitoring. Document data masking, retention and the legal basis.
Sample consent text
We use Contentsquare, a French digital experience analytics platform, to understand how visitors use this site. Contentsquare records masked session replays, scroll and click heatmaps, and aggregated journey analytics. Your data is processed on the Contentsquare EU cluster (AWS Frankfurt and Ireland). When you visit our site, a cookie named _cs_id stores a pseudonymous identifier for up to 13 months. Contentsquare runs only after you accept the analytics or behaviour category in our cookie preferences, and you can withdraw your consent at any time.
Third-party domains contacted
contentsquare.net, contentsquare.com, t.contentsquare.net, uxa.io, cs.contentsquare.net, static.cdn.contentsquare.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _cs_id | First party (Contentsquare) | 13 months | Anonymous visitor identifier used to link sessions and replays. |
| _cs_id | persistent | 13 months | Contentsquare unique visitor identifier for session recording and behavioural analytics |
| _cs_s | First party (Contentsquare) | 30 minutes | Session cookie used to group page views into a single visit. |
| _cs_s | session | Session | Contentsquare session identifier grouping interactions within a single user session |
| _cs_ex | First party (Contentsquare) | 7 days | Cross domain identifier used when Contentsquare tracks multiple domains. |
| _cs_optout | First party (Contentsquare) | 13 months | Records that the visitor has opted out of Contentsquare tracking. |
| _cs_mk | First party (Contentsquare) | 7 days | Used by the marketing analytics module to attribute traffic sources. |
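
One way to verify that the tag is really gated behind consent, as an added example (not code from Contentsquare or from this page): the function takes a page-load capture from a fresh browser profile and reports every request to a Contentsquare domain and every tag-written cookie seen before the consent timestamp. The capture format, the URL paths and the sample data are constructed assumptions; the domains and cookie names are the ones listed on this page.

```javascript
// Domains and cookie names as listed on this page.
const CS_DOMAINS = ["contentsquare.net", "contentsquare.com", "uxa.io"];
const CS_COOKIES = ["_cs_id", "_cs_s", "_cs_c", "_cs_ex", "_cs_optout", "_cs_mk"];

// Match the registered domain or any subdomain, but not look-alikes such as
// "contentsquare.net.example.org" or "notcontentsquare.net".
function isContentsquareHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return CS_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// capture (assumed format): { consentAt: ms | null, requests: [{url, t}], cookies: [{name, t}] }
// Times are milliseconds since navigation start. consentAt === null means the
// visitor never accepted, so the whole capture counts as pre-consent.
function auditPreConsent(capture) {
  const cutoff = capture.consentAt ?? Infinity;
  const findings = [];
  for (const req of capture.requests) {
    let host;
    try { host = new URL(req.url).hostname; } catch { continue; } // skip unparsable URLs
    if (req.t < cutoff && isContentsquareHost(host)) {
      findings.push({ kind: "request", detail: host, t: req.t });
    }
  }
  // In a fresh profile, any tag-written cookie before consent means the tag ran.
  for (const c of capture.cookies) {
    if (c.t < cutoff && CS_COOKIES.includes(c.name)) {
      findings.push({ kind: "cookie", detail: c.name, t: c.t });
    }
  }
  return findings.sort((a, b) => a.t - b.t);
}

// Constructed sample capture: consent is given 4000 ms after navigation start.
const SAMPLE_CAPTURE = {
  consentAt: 4000,
  requests: [
    { url: "https://www.example.org/", t: 0 },
    { url: "https://t.contentsquare.net/placeholder-tag.js", t: 350 },       // before consent
    { url: "https://contentsquare.net.example.org/x.js", t: 400 },           // look-alike host
    { url: "https://static.cdn.contentsquare.net/placeholder.js", t: 4200 }, // after consent
  ],
  cookies: [{ name: "session", t: 10 }, { name: "_cs_id", t: 600 }, { name: "_cs_s", t: 4300 }],
};

console.log(auditPreConsent(SAMPLE_CAPTURE));
```

An empty result on a capture where the banner was never accepted (`consentAt: null`) is the outcome to aim for.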
Yes. Contentsquare session recording, heatmaps, and behavioural analytics constitute personal data processing requiring opt-in consent under the ePrivacy Directive and CNIL guidelines. The Contentsquare tag must be blocked until analytics consent is given.
Contentsquare records mouse movements, click positions, scroll depth, navigation paths, page views, and time spent on page elements. Session recordings capture the full visual replay of individual user sessions. Heatmaps aggregate interaction data across all visitors.
By default, Contentsquare can capture form interactions. This must be configured with comprehensive input masking to prevent capture of names, emails, passwords, payment data, or any sensitive information. Enable masking for all text inputs as a baseline configuration.
Yes. Session recording of all website visitors at individual level constitutes large-scale systematic monitoring of individuals, which is one of the specific triggers for a mandatory DPIA under GDPR Article 35.
Consent (Art. 6(1)(a)) is required. The CNIL has specifically addressed session replay tools as requiring consent. Legitimate interest cannot justify recording individual user sessions across an entire website.
Enable comprehensive input masking. Exclude authenticated areas, payment pages, and sensitive content from recording. Set recording retention limits (30-90 days recommended). Restrict access to session recording features. Load only after analytics consent. Implement IP anonymisation.
Contentsquare is a French company but operates global infrastructure. Verify with Contentsquare whether your account is configured for EU data residency. Sign the Contentsquare DPA which addresses any transfer mechanisms required.
EU-based session recording alternatives include Hotjar (EU region available), Microsoft Clarity (free, but US-hosted requiring SCCs), and Lucky Orange (US). For pure EU residency without US transfers, Hotjar with EU region is the most established alternative.
First party cookies _cs_id (visitor identifier, 13 months), _cs_s (session, 30 minutes), _cs_ex (cross domain, 7 days), _cs_optout (opt out flag, 13 months) and _cs_mk (marketing attribution, 7 days).
Yes. Session replay, heatmaps and zoning are non essential analytics that process personal data through cookies. Prior consent under Art. 5(3) ePrivacy Directive is required. The CNIL specifically classifies session replay as a high impact technology that requires explicit consent.
Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy Directive). Legitimate interest is not appropriate because of the granular behavioural data collected.
The core product runs on AWS in Ireland and Contentsquare offers an EU Sovereign region. The 2024 Heap integration may introduce US sub processors for product analytics; check the contract. Transfers are covered by EU SCCs and, where applicable, the EU US Data Privacy Framework.
A DPIA is recommended because session replay can produce large scale behavioural monitoring. Document the masking rules, retention period and the legal basis.
Sign the DPA, block the script behind your CMP, enable strict masking, limit retention (90 to 180 days), document the processing in your Article 30 record, perform a DPIA and review each connected module separately.
Hotjar (Contentsquare group, EU), Smartlook (Czech Republic), FullStory (US), Mouseflow (Denmark), Microsoft Clarity (US, free), LogRocket (US), Piwik PRO (EU, includes heatmaps) and Matomo Heatmap & Session Recording (EU).
List each Contentsquare cookie with purpose, retention and legal basis (consent). Mention the EU hosting, the masking rules and the link to Contentsquare's privacy policy.