Microsoft Clarity is a free session recording and heatmap analytics tool from Microsoft. It records individual user sessions, tracks rage clicks and dead clicks, generates scroll heatmaps, and provides AI-powered summaries of user behaviour. Despite being free, Clarity's session recording capabilities carry the same GDPR obligations as paid alternatives like Hotjar or FullStory: consent is required before loading, comprehensive input masking is essential, and a DPIA is recommended. All data is processed on Microsoft Azure infrastructure in the US requiring SCCs.
Microsoft Clarity is a free session recording and heatmap analytics tool launched by Microsoft Corporation in 2020. It records visitor interactions, builds heatmaps and provides Insights (rage clicks, dead clicks, excessive scrolling). Because it is free, Clarity is widely deployed alongside or in place of paid tools like Hotjar.
A small clarity.js script is loaded on every page. It instruments the DOM, captures interactions and sends them to c.clarity.ms. Microsoft reconstructs the session replay on Azure, anonymises faces and passwords by default and exposes the data in the Clarity dashboard. The free plan has unlimited sessions but limited retention.
Clarity sets cookies _clck (user identifier, 12 months), _clsk (session ID, 1 day), CLID (cross-site identifier on c.clarity.ms) plus operational cookies (MUID, ANONCHK, MR). It records URL, referrer, browser, screen, IP and DOM interactions. Sensitive fields are masked client-side by default.
Clarity processes non-essential identifiers and behavioural data through session replay. Prior consent is required under Art. 5(3) ePrivacy. The CNIL and DSK have specifically flagged session replay tools as requiring explicit consent.
Block clarity.js behind your CMP. Microsoft Clarity supports an explicit consent API (clarity('consent')) which you should call when the visitor accepts. Apply data-clarity-mask to any custom field that could contain personal data.
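One way to wire this gate, as an added example that is not Microsoft's or this page's own code: nothing is injected until the CMP reports an analytics opt-in, then the tag is loaded and clarity('consent') is called. The project ID placeholder and the onConsentDecision callback name are assumptions; the queue stub and tag URL follow Microsoft's standard Clarity snippet.

```javascript
// Added example: load Clarity only after analytics consent.
// CLARITY_PROJECT_ID is a placeholder; onConsentDecision is a hypothetical
// callback name that your CMP integration would invoke.
const CLARITY_PROJECT_ID = "YOUR_PROJECT_ID";

function createClarityGate(win, doc, projectId) {
  let loaded = false;

  function load() {
    if (loaded) return false; // never inject the tag twice
    // Queue stub as in the standard tag: calls made before clarity.js
    // arrives are stored in clarity.q and replayed once it has loaded.
    win.clarity = win.clarity || function () {
      (win.clarity.q = win.clarity.q || []).push(arguments);
    };
    const tag = doc.createElement("script");
    tag.async = true;
    tag.src = "https://www.clarity.ms/tag/" + encodeURIComponent(projectId);
    doc.head.appendChild(tag);
    loaded = true;
    return true;
  }

  return {
    // Call from the CMP with the visitor's analytics decision.
    onConsentDecision(analyticsGranted) {
      if (!analyticsGranted) return "blocked"; // no script, no cookies, no requests
      load();
      win.clarity("consent"); // the consent call named in the text
      return "loaded";
    },
    isLoaded: () => loaded,
  };
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.clarityGate = createClarityGate(window, document, CLARITY_PROJECT_ID);
}
```

The standard Clarity snippet must not also be present in the page template, otherwise it loads regardless of the gate.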
Data is processed by Microsoft Corporation on Azure with US data centres as default. Transfers rely on EU SCCs and Microsoft's EU-US Data Privacy Framework certification. Microsoft offers an EU Data Boundary for several services; verify the latest status for Clarity specifically.
Sign the Microsoft Online Services DPA, list Clarity in your Article 30 record, enable explicit consent mode via the clarity API, configure strict masking, document the masking rules and the US transfer in your privacy notice, and perform a DPIA before scaling.
Websites using Microsoft Clarity must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended because Clarity captures session recordings of European visitors. Document masking, retention and US sub-processing on Azure.
Sample consent text
We use Microsoft Clarity (Redmond, USA) to record sessions and produce heatmaps for UX improvements. Sensitive fields are masked by default. By accepting analytics cookies, you allow this processing including the transfer to Microsoft Azure under the EU-US Data Privacy Framework.
Third-party domains contacted
clarity.ms, c.clarity.ms, www.clarity.ms, bing.com, c.bing.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _clck | persistent | 1 year | Microsoft Clarity user identifier for linking session recordings to individual visitor journeys |
| _clck | First party (Microsoft Clarity) | 12 months | Anonymous user identifier used by Clarity to recognise returning visitors. |
| _clsk | persistent | 1 day | Microsoft Clarity session grouping identifier combining page views within a single session recording |
| _clsk | First party (Microsoft Clarity) | 24 hours | Session cookie used by Clarity to group page views into a single session. |
| CLID | Third party (c.clarity.ms) | 12 months | Cross site identifier used by Clarity to link sessions to a Microsoft profile. |
| MUID | Third party (.bing.com) | 13 months | Microsoft Universal Identifier shared with Microsoft Advertising and Bing. |
| ANONCHK | Third party (c.clarity.ms) | 10 minutes | Anonymous check token used during ad clearinghouse calls. |
| MR | Third party (c.clarity.ms) | 7 days | Indicates whether the MUID cookie should be refreshed. |
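To check that the block actually holds, the cookie names and domains listed above can be matched against what a page sets and requests before the visitor has answered the banner. The following is an added example, not part of the original page; the sample capture is constructed, and in practice the inputs would come from the browser's developer tools or an exported HAR file.

```javascript
// Added example: flag Clarity activity observed before consent.
// Cookie names and domains are the ones listed in the tables on this page.
const CLARITY_COOKIES = ["_clck", "_clsk", "CLID", "MUID", "ANONCHK", "MR"];
// Parent domains; subdomains such as c.clarity.ms and c.bing.com match too.
// bing.com can also be contacted by other Microsoft embeds, so review those hits.
const CLARITY_HOSTS = ["clarity.ms", "bing.com"];

function hostMatches(host, domain) {
  // Exact match or a true subdomain; "notclarity.ms" must not match.
  return host === domain || host.endsWith("." + domain);
}

// cookieHeader: a document.cookie-style string ("a=1; b=2").
// requestUrls: absolute URLs requested during the pre-consent page load.
function auditPreConsent(cookieHeader, requestUrls) {
  const cookies = cookieHeader
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => CLARITY_COOKIES.includes(name));

  const requests = requestUrls.filter((url) => {
    let host;
    try {
      host = new URL(url).hostname.toLowerCase();
    } catch {
      return false; // ignore entries that are not absolute URLs
    }
    return CLARITY_HOSTS.some((domain) => hostMatches(host, domain));
  });

  return { cookies, requests, compliant: cookies.length === 0 && requests.length === 0 };
}

// Constructed sample capture from a page load with no consent given.
const SAMPLE_COOKIES = "theme=dark; _clck=abc%7C2%7Cxyz; _clsk=1a2b3c";
const SAMPLE_REQUESTS = [
  "https://example.com/app.js",
  "https://www.clarity.ms/tag/YOUR_PROJECT_ID",
  "https://notclarity.ms.example.net/x.js",
  "https://c.bing.com/c.gif",
];

console.log(auditPreConsent(SAMPLE_COOKIES, SAMPLE_REQUESTS));
```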
Yes. Clarity sets cookies for session recording and visitor identification. It must not load until analytics consent is obtained. Session recording of non-consenting users is a serious GDPR violation regardless of Clarity being free.
Clarity records mouse movements, click positions, scroll depth, page navigation, rage clicks, dead clicks, and JavaScript errors. It creates playable recordings of individual user sessions. By default it may capture text content in form fields unless masking is configured.
Yes, completely free with no session limits. This makes it attractive but does not reduce GDPR obligations. The same consent, masking, DPIA, and DPA requirements apply as to paid session recording tools.
Clarity sets _clck (user identifier, 1 year), _clsk (session grouping, 1 day), and CLID (client identifier). These require analytics consent under the ePrivacy Directive before Clarity loads.
Yes. All Clarity data is processed on Microsoft Azure infrastructure in the US. SCCs are required. Microsoft's Online Services Data Protection Addendum covers Clarity. Accept the DPA before using Clarity on EU-facing websites.
In Clarity Settings, go to Masking. Enable "Strict" masking to hide all text content in recordings. Alternatively, apply masking selectively using HTML attribute data-clarity-mask="true" on specific elements. Test masking by recording a session and verifying sensitive fields are masked.
Yes. Recording individual user sessions at scale constitutes large-scale systematic monitoring — a specific DPIA trigger under GDPR Article 35. Despite being free, Clarity triggers the same DPIA obligation as Hotjar, FullStory, and Contentsquare.
Hotjar (EU data region available), Lucky Orange (US but similar consent requirements), and Contentsquare (French, DPIA required) are alternatives. No session recording tool avoids GDPR consent requirements. For aggregate-only analysis, Plausible (EU, cookieless) or Matomo (self-hostable) are alternatives that don't require consent.
_clck (user identifier, 12 months), _clsk (session, 24 hours), CLID (cross-site identifier on c.clarity.ms, 12 months), MUID (Microsoft Universal Identifier, 13 months), ANONCHK and MR (operational, short-lived).
Yes. Clarity captures session recordings and stores tracking identifiers that are non-essential. Prior consent under Art. 5(3) ePrivacy is required. Use the clarity('consent') API to align the SDK with the visitor's decision.
Consent (Art. 6(1)(a) GDPR + Art. 5(3) ePrivacy). Legitimate interest is not appropriate due to session recording and Microsoft profile linkage via MUID.
Yes. Microsoft Corporation processes Clarity data on Azure with default storage in US data centres. Transfers are covered by EU SCCs and the EU-US Data Privacy Framework.
A DPIA is recommended because Clarity records sessions of European visitors and ties them to a Microsoft profile (MUID). Document the masking, retention and US sub-processing.
Sign the Microsoft Online Services DPA, block clarity.js behind your CMP, use the explicit consent API, mask all input fields and any custom field with data-clarity-mask, set retention to the minimum and document Clarity in your Article 30 record.
Hotjar (EU, Contentsquare), Smartlook (Czech Republic), Mouseflow (Denmark), FullStory (US), LogRocket (US), Contentsquare itself, or the open-source, self-hosted OpenReplay.
List each Clarity cookie with purpose, retention and legal basis (consent). Mention Microsoft as processor, the US transfer with the EU-US Data Privacy Framework and the masking applied.