Crazy Egg is a US based heatmap, click tracking, scroll mapping and session recording tool developed by Crazy Egg Inc in Delaware. The JavaScript SDK loaded from script.crazyegg.com captures mouse movements, clicks, scrolls and form interactions, sets third party tracking cookies and sends data to AWS US regions. The Session Recordings feature lifts the tool from a basic analytics signal to a high risk session replay activity. EU operators must collect prior opt in consent under Article 5(3) of the ePrivacy Directive, sign the DPA based on the EU US Data Privacy Framework and, when recordings are enabled, run a DPIA.
Crazy Egg is a heatmap and conversion optimisation platform developed by Crazy Egg Inc in Delaware. The JavaScript SDK loaded from script.crazyegg.com instruments the page to capture mouse movements, clicks, scrolls and form interactions, which are aggregated into heatmap, scroll map and confetti reports in the Crazy Egg dashboard. The platform also offers a Session Recordings module that records full visitor sessions in the same way as a dedicated session replay tool, plus A/B testing and a survey module.
Crazy Egg processes the visitor IP, the User Agent, the device type, the page URL and a high frequency stream of interaction events (cursor position, click coordinates, scroll depth, form field interactions). The Session Recordings module additionally captures DOM mutations, masked form inputs and console traces. Crazy Egg sets first and third party cookies (is_returning, _ceir, _ceg.u, _ceg.s) on the crazyegg.com domain and on the operator domain to recognise visitors across pages and sessions.
Crazy Egg is not strictly necessary to the requested service. The SDK loads non essential code, sets non essential cookies and exports interaction data to a US processor. Article 5(3) of the ePrivacy Directive requires prior opt in consent and the GDPR adds transparency, granular control and right to withdraw. When the Session Recordings feature is enabled, the higher threshold of EDPB Guidelines 4/2019 on systematic monitoring on a large scale applies.
Crazy Egg Inc operates from the United States and processes data on AWS US regions. EEA visitor data is transferred to the US under the EU US Data Privacy Framework (Crazy Egg is self certified) and Standard Contractual Clauses, with a documented transfer impact assessment. No EU only data residency option is currently advertised, which should be considered for operators in regulated sectors and operators with strict no transfer policies.
Block the SDK until the visitor accepts analytics or performance cookies, mask all form inputs in the Crazy Egg configuration, exclude sensitive URLs from tracking, reduce the retention of heatmaps and recordings to the shortest period needed, sign the Crazy Egg Data Processing Addendum and run a DPIA when Session Recordings is enabled. Safer alternatives include Microsoft Clarity with EU residency, Hotjar with EU servers, Mouseflow with EU servers, Smartlook EU and self hosted Matomo Heatmaps or PostHog.
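Whether the SDK is really blocked until consent can be checked from an ordered capture of one page load. The following is an added example, not code from Crazy Egg or from this page: the event shapes, function names, placeholder URL paths and sample capture are constructed for illustration, while the domain and cookie names are the ones listed on this page.

```javascript
// Added audit example: flags Crazy Egg requests or cookies seen while no
// analytics/performance consent is in force (before opt in or after withdrawal).
const CE_DOMAIN = "crazyegg.com";
const CE_COOKIES = new Set(["is_returning", "_ceir", "_ceg.u", "_ceg.s"]);
const CONSENT_CATEGORIES = ["analytics", "performance"];

// True for crazyegg.com and its subdomains, but not for look-alike hosts
// such as "notcrazyegg.com" or "crazyegg.com.example.net".
function isCrazyEggHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === CE_DOMAIN || h.endsWith("." + CE_DOMAIN);
}

// events: ordered list with constructed shapes
//   { type: "consent", categories: [...] }, { type: "request", url }, { type: "cookie", name }
function auditPreConsent(events) {
  let consented = false;
  const violations = [];
  for (const [index, ev] of events.entries()) {
    if (ev.type === "consent") {
      consented = ev.categories.some((c) => CONSENT_CATEGORIES.includes(c));
    } else if (!consented && ev.type === "request") {
      let host;
      try { host = new URL(ev.url).hostname; } catch { continue; } // skip malformed URLs
      if (isCrazyEggHost(host)) violations.push({ index, kind: "request", value: host });
    } else if (!consented && ev.type === "cookie" && CE_COOKIES.has(ev.name)) {
      violations.push({ index, kind: "cookie", value: ev.name });
    }
  }
  return violations;
}

// Constructed capture; URL paths are placeholders, not real SDK paths.
const SAMPLE_EVENTS = [
  { type: "request", url: "https://shop.example/" },
  { type: "request", url: "https://script.crazyegg.com/placeholder.js" }, // before consent
  { type: "cookie", name: "_ceg.s" },                                     // before consent
  { type: "request", url: "https://crazyegg.com.example.net/x.js" },      // look-alike, ignored
  { type: "consent", categories: ["analytics"] },
  { type: "request", url: "https://tracking.crazyegg.com/placeholder" },  // allowed
  { type: "consent", categories: [] },                                    // consent withdrawn
  { type: "cookie", name: "_ceir" },                                      // after withdrawal
];

console.log(auditPreConsent(SAMPLE_EVENTS));
```

An empty result means no Crazy Egg request or cookie appeared outside a consented window in that capture.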
Websites using Crazy Egg must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever Crazy Egg is used on EU facing properties and required when Session Recordings is enabled at scale. The DPIA must cover the consent flow, PII masking, the international transfer to the US, the retention of heatmaps and recordings, the residual risk from US authorities access and the safer alternatives evaluated (Microsoft Clarity with EU residency, Hotjar with EU servers, Matomo Heatmaps self hosted).
Sample consent text
We use Crazy Egg to generate aggregated heatmaps and scroll maps and, with your additional opt in, anonymised session recordings to improve our user experience. Crazy Egg processes your IP, User Agent and interaction events through Crazy Egg Inc in the United States. The tracking only starts after you accept analytics and performance cookies.
Third-party domains contacted
crazyegg.com
script.crazyegg.com
cdn.crazyegg.com
tracking.crazyegg.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| is_returning | http | 5 years | Identifies whether the visitor is returning, used by Crazy Egg to differentiate first time and returning visitors in the reports. |
| _ceir | http | 5 years | Crazy Egg interaction recorder cookie used to capture mouse movements, clicks and scrolls for heatmap rendering. |
| _ceg.u | http | 13 months | Anonymous Crazy Egg visitor identifier used to recognise the device across sessions. |
| _ceg.s | http | Session | Session identifier used by Crazy Egg to group interactions within a single visit and to power Session Recordings when enabled. |
Crazy Egg sets first and third party cookies on the crazyegg.com domain and on the operator domain: is_returning (returning visitor flag), _ceir (Crazy Egg interaction recorder), _ceg.u (anonymous visitor identifier) and _ceg.s (session identifier). When Session Recordings is enabled, additional helper cookies tie the recording to the visitor.
Yes. The SDK loads non essential code, sets non essential cookies and sends interaction data to a US processor. Article 5(3) of the ePrivacy Directive requires prior opt in consent, and the GDPR adds transparency and right of withdrawal. The consent banner must list Crazy Egg in the analytics or performance category and block the SDK until consent.
The legal basis is Article 6(1)(a) GDPR (consent). Legitimate interest is not available because the processing involves systematic monitoring on a large scale, especially when Session Recordings is enabled. Consent must be granular and revocable, and the privacy policy must explain the processing.
Yes. Crazy Egg Inc operates from the United States and processes data on AWS US regions. Transfers rely on the EU US Data Privacy Framework (Crazy Egg is self certified) and Standard Contractual Clauses with a documented transfer impact assessment. No EU only data residency option is currently advertised.
It is recommended for any EU deployment and required when Session Recordings is enabled at scale. The DPIA must cover consent, PII masking, retention, US transfer and the safer alternatives evaluated, especially for operators in regulated sectors (health, finance, public administration).
Block the SDK until consent, mask form inputs in the Crazy Egg configuration, exclude sensitive URLs, reduce retention to the shortest period needed, sign the Crazy Egg DPA and disclose the processing in the privacy policy. Disable Session Recordings unless strictly necessary, and run a DPIA when it is enabled.
Microsoft Clarity with EU residency, Hotjar Heatmaps with EU servers, Mouseflow with EU servers, Smartlook EU, Contentsquare EU and self hosted Matomo Heatmaps or PostHog session replay. Operators with strict EU data residency requirements should prefer EU based or self hosted alternatives.
Document Crazy Egg Inc as a processor located in the United States, list the Crazy Egg cookies (is_returning, _ceir, _ceg.u, _ceg.s) with retention and purpose, describe the heatmap and Session Recordings processing, disclose the EU US Data Privacy Framework and Standard Contractual Clauses, and link to the Crazy Egg privacy notice.