Hotjar Incoming Feedback is an embedded smiley or emoji widget that lets visitors rate pages and leave free-text comments. It uses Hotjar identifiers to associate ratings with sessions and devices, which makes it a non-essential cookie tool that requires prior consent in the EU and the UK.
Hotjar Incoming Feedback is the always-on widget from the Hotjar Insights suite (now part of Contentsquare) that lets visitors rate a page through a smiley or emoji scale, then optionally leave a comment, attach a screenshot and share an email address. The widget loads as a JavaScript snippet from Hotjar domains and writes the response to your Hotjar workspace. Although it is marketed as a lightweight tool, it shares the same Hotjar identifier with Heatmaps, Recordings and Surveys when those are active on the same site, which links the feedback to a visitor profile.
Once initialised, the widget drops several first-party cookies in the visitor's browser, including _hjSessionUser_* (one year), _hjSession_* (30 minutes), _hjFirstSeen, _hjIncludedInSessionSample_* and _hjAbsoluteSessionInProgress. These identifiers, together with the user agent, IP address and page URL, are sent to in.hotjar.com and static.hotjar.com. Even if the visitor never opens the widget, the Hotjar script generally executes on every page load and sets identifiers, which is the trigger for ePrivacy and GDPR obligations.
The Hotjar identifier is personal data because it singles out a device across sessions, and the optional email plus free-text answer often qualify as personal data too. Article 5(3) of the ePrivacy Directive requires prior informed consent before storing or reading information on a terminal, and Article 6(1)(a) GDPR is the natural legal basis. Several EU regulators, including the CNIL and the Italian Garante, have published guidance treating Hotjar-style tools as requiring opt-in consent rather than legitimate interest.
In the European Economic Area and the United Kingdom, you must block the Hotjar script until consent is captured. Use a CMP that maps the widget to the analytics or feedback purpose, suppress sensitive form fields with the Hotjar suppress class, anonymise IP addresses, and disable user attributes that would carry CRM identifiers. Provide a clear way to withdraw consent that immediately removes the cookies. Avoid combining feedback responses with logged-in user data unless a separate explicit consent has been collected.
Hotjar processes EU data in Dublin but Contentsquare and its sub-processors operate from the United States and other countries. Confirm in your records of processing that Standard Contractual Clauses are in place, that the recipient is certified under the EU-US Data Privacy Framework where applicable, and that you have run a transfer impact assessment. Document supplementary measures such as pseudonymisation of identifiers and short retention of screenshots.
List _hjSessionUser_*, _hjSession_*, _hjFirstSeen and the related identifiers in your cookie policy with their purpose and duration, expose Hotjar as a third-party recipient in your privacy notice, and align retention with the workspace setting (default 365 days). Train product teams to apply the data suppression class to forms, run periodic checks with browser dev tools to confirm the script does not fire before consent, and re-prompt users when retention or sub-processors change.
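The pre-consent check and the withdrawal step described above can be scripted. The following is an added example, not code from Hotjar or from this page's author: it uses the cookie names and hostnames listed on this page, while the sample capture, the example.com domain and the function names are constructed for illustration.

```javascript
// Cookie name patterns and hostnames as listed on this page.
const HJ_COOKIE_PATTERNS = [
  /^_hjSessionUser_.+/, /^_hjSession_.+/, /^_hjFirstSeen$/,
  /^_hjIncludedInSessionSample_.+/, /^_hjAbsoluteSessionInProgress$/,
];
const HJ_HOSTS = new Set([
  "static.hotjar.com", "script.hotjar.com", "in.hotjar.com",
  "vars.hotjar.com", "insights.hotjar.com",
]);

// Extract cookie names from a document.cookie-style string.
function cookieNames(cookieString) {
  return cookieString.split(";").map((p) => p.trim().split("=")[0]).filter(Boolean);
}

function isHotjarCookie(name) {
  return HJ_COOKIE_PATTERNS.some((re) => re.test(name));
}

// capture = { consent, cookieString, requestUrls }, e.g. exported from dev tools.
// Hostnames are compared exactly, so lookalike hosts are not counted.
function auditCapture(capture) {
  const cookies = cookieNames(capture.cookieString).filter(isHotjarCookie);
  const requests = capture.requestUrls.filter((u) => {
    try { return HJ_HOSTS.has(new URL(u).hostname); } catch { return false; }
  });
  // Any Hotjar cookie or request while consent is absent is a finding.
  const violation = !capture.consent && (cookies.length > 0 || requests.length > 0);
  return { violation, cookies, requests };
}

// On withdrawal: strings to assign to document.cookie, one per Hotjar cookie.
// The Domain value is an assumption supplied by the caller.
function expiryDirectives(cookieString, domain) {
  return cookieNames(cookieString).filter(isHotjarCookie)
    .map((n) => `${n}=; Max-Age=0; Path=/; Domain=${domain}`);
}

// Constructed sample capture taken before any consent choice was made.
const SAMPLE = {
  consent: false,
  cookieString: "_hjSessionUser_1234567=eyJpZCI6IngifQ==; theme=dark; " +
    "_hjSession_1234567=abc; _hjFirstSeen=1",
  requestUrls: ["https://static.hotjar.com/example.js",
    "https://static.hotjar.com.lookalike.example/x.js",
    "https://example.com/app.js", "not a url"],
};
console.log(auditCapture(SAMPLE), expiryDirectives(SAMPLE.cookieString, "example.com"));
```

A cookie is only removed when the Domain and Path in the expiry string match those it was set with, so confirm both in dev tools before relying on the generated strings.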
Websites using Hotjar Incoming Feedback must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended whenever Incoming Feedback is combined with other Hotjar tools such as Heatmaps, Recordings or Surveys, because shared identifiers enable behavioural profiling. Document the data flow to Contentsquare and US sub-processors, the retention of feedback and screenshots, the legal basis for transfers, and the measures taken to suppress sensitive fields. EDPB guidance on tracking technologies and CNIL recommendations on cookies should be referenced.
Sample consent text
We use Hotjar Incoming Feedback to collect optional ratings and comments about this page. With your consent, Hotjar sets cookies and identifiers that may be transferred to the United States. You can accept, refuse or change your choice at any time in the cookie preferences.
Third-party domains contacted
static.hotjar.com, script.hotjar.com, in.hotjar.com, vars.hotjar.com, insights.hotjar.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _hjSessionUser_* | first_party | 1 year | Persistent Hotjar user identifier shared across the Hotjar suite, used to recognise the visitor between sessions and to associate feedback with a device. |
| _hjSession_* | first_party | 30 minutes | Short-lived Hotjar session identifier used to group feedback events within a single browsing session. |
| _hjFirstSeen | first_party | Session | Marks the first session of a visitor on the site so the widget can distinguish new users from returning ones. |
| _hjIncludedInSessionSample_* | first_party | 2 minutes | Indicates whether the visitor is included in the daily session quota for the workspace, used by the widget to throttle data collection. |
| _hjAbsoluteSessionInProgress | first_party | 30 minutes | Tracks whether the unique page view session is in progress, used by Hotjar internal counters. |
Yes. The widget shares the standard Hotjar cookie set, including _hjSessionUser_* with a one-year lifetime, _hjSession_* for 30 minutes, _hjFirstSeen, _hjIncludedInSessionSample_* and _hjAbsoluteSessionInProgress. They are first-party in your domain but the data is transmitted to Hotjar servers.
Yes. Because the script writes identifiers to the visitor terminal and sends them to a third party, ePrivacy Article 5(3) and Article 6(1)(a) GDPR apply. The widget must remain blocked until the visitor accepts the analytics or feedback purpose in your consent banner.
No. EU regulators including the CNIL consider that tools sharing a cross-site identifier and processing free-text answers cannot rely on legitimate interest. Consent under Article 6(1)(a) GDPR is the recommended basis, and it is also required by ePrivacy.
Hotjar EU traffic is hosted in Dublin, but Contentsquare and its sub-processors may access data from the United States and other countries. Standard Contractual Clauses and the EU-US Data Privacy Framework are the main transfer tools, plus pseudonymisation and access controls as supplementary measures.
A DPIA is advisable when Incoming Feedback is combined with Recordings or Heatmaps, when feedback is collected on sensitive journeys such as health or finance, or when screenshots may capture personal data. Document the purposes, the volume of feedback, the retention and the transfer impact assessment.
Block the Hotjar snippet by category in your tag manager, gate it behind consent, configure the suppress class on personal form fields, anonymise IP, set a short retention and disable optional features such as user attributes unless they are necessary.
EU-based feedback tools such as Mopinion, Survicate EU, Userback EU plans or self-hosted scripts can reduce or remove third-country transfers. Static feedback forms tied to your existing analytics can also be enough for simple smiley ratings.
List the widget under the analytics or feedback purpose, name Contentsquare and Hotjar as joint or independent processors, describe the cookies and their durations, indicate the United States as a possible recipient country, and link to the Hotjar privacy policy.