Microsoft Clarity is a free session recording and heatmap analytics tool from Microsoft. It records individual user sessions, tracks rage clicks and dead clicks, generates scroll heatmaps, and provides AI-powered summaries of user behaviour. Despite being free, Clarity's session recording capabilities carry the same GDPR obligations as paid alternatives like Hotjar or FullStory: consent is required before loading, comprehensive input masking is essential, and a DPIA is recommended. All data is processed on Microsoft Azure infrastructure in the US, which requires SCCs.
Microsoft Clarity is a free behavioural analytics tool provided by Microsoft that offers session recording (watching individual user sessions as video-like replays), click heatmaps, scroll heatmaps, rage click detection, dead click detection, and AI-powered session summaries. It is designed to help website owners understand user behaviour and identify usability issues. Despite being completely free, Clarity provides capabilities comparable to paid tools like Hotjar and FullStory.
Microsoft Clarity's GDPR obligations are identical to those of paid session recording tools. Being free does not reduce compliance requirements. The CNIL and European DPAs have specifically addressed session replay tools as requiring consent and comprehensive data masking. Consent must be obtained before Clarity loads. Recording sessions of non-consenting users is a serious GDPR violation regardless of the tool's cost.
Microsoft Clarity provides masking options to prevent capture of sensitive data. Enable automatic text masking to hide all text content in recordings (Strict masking). Configure element-level masking for input fields. Exclude sensitive pages (login, payment, health data) from recording entirely. By default, Clarity's masking is not comprehensive — you must actively configure it.
All Clarity data is processed on Microsoft Azure infrastructure in the US. SCCs are required. Microsoft's Online Services Data Protection Addendum (DPA) covers Clarity as part of the Microsoft Online Services terms. Sign or accept the Microsoft DPA before using Clarity on EU-facing websites.
Block Clarity via CMP until analytics consent is obtained. Configure strict masking for all text content. Exclude login, payment, and sensitive pages. Conduct a DPIA before deployment. Sign the Microsoft Online Services DPA. Add Clarity to your cookie policy and privacy policy disclosing session recording, US transfer, and SCCs. Set session recording retention to the minimum available.
Websites using Microsoft Clarity must obtain user consent under GDPR regulations.
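A consent gate for the first and third items of the checklist above, written here as an added example and not taken from Microsoft or any CMP vendor. The consent object shape, the excluded path prefixes, the `data-clarity-tag` marker attribute and the `PROJECT_ID` placeholder are assumptions; the tag URL pattern should be checked against the snippet shown in your own Clarity project.

```javascript
// Added example. Assumptions: consent = { analytics: boolean } supplied by
// the CMP, the tag URL pattern below, and the constructed excluded prefixes.
const CLARITY_TAG_BASE = "https://www.clarity.ms/tag/";
const EXCLUDED_PREFIXES = ["/login", "/checkout", "/account/health"]; // constructed

function isExcludedPath(pathname) {
  // Match the prefix itself or anything below it, but not "/loginhelp".
  return EXCLUDED_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + "/")
  );
}

// Injects the Clarity tag only after explicit opt-in and only on pages that
// are not excluded. Returns true when the tag was injected by this call.
function loadClarityIfAllowed(doc, consent, pathname, projectId) {
  if (!consent || consent.analytics !== true) return false; // opt-in only
  if (isExcludedPath(pathname)) return false;
  if (doc.querySelector("script[data-clarity-tag]")) return false; // no double load
  const s = doc.createElement("script");
  s.async = true;
  s.src = CLARITY_TAG_BASE + encodeURIComponent(projectId);
  s.setAttribute("data-clarity-tag", "1"); // hypothetical marker attribute
  doc.head.appendChild(s);
  return true;
}

// On consent withdrawal, expire the two cookies listed in the cookie table.
// If the cookies were set with a Domain attribute, the same Domain must be
// added here or the browser will keep them.
function expireClarityCookies(doc) {
  const names = ["_clck", "_clsk"];
  for (const n of names) {
    doc.cookie = n + "=; Max-Age=0; path=/";
  }
  return names;
}
```

Call `loadClarityIfAllowed(document, consent, location.pathname, "PROJECT_ID")` from the CMP's consent-changed callback rather than from the page head, so that nothing is requested from Clarity before the visitor opts in.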
DPIA considerations
A DPIA is recommended for Microsoft Clarity deployments. Recording individual user sessions constitutes large-scale systematic monitoring of website visitors — a specific DPIA trigger under GDPR Article 35. Despite being free, Clarity carries the same DPIA obligations as paid session recording tools.
Sample consent text
We use Microsoft Clarity to analyse how visitors use this website through session recordings and heatmaps. This involves recording your mouse movements, clicks, and scrolling behaviour, and transferring data to Microsoft in the US. You can decline this analysis below.
Third-party domains contacted
clarity.ms, c.bing.com, www.clarity.ms
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _clck | persistent | 1 year | Microsoft Clarity user identifier for linking session recordings to individual visitor journeys |
| _clsk | persistent | 1 day | Microsoft Clarity session grouping identifier combining page views within a single session recording |
Yes. Clarity sets cookies for session recording and visitor identification. It must not load until analytics consent is obtained. Session recording of non-consenting users is a serious GDPR violation regardless of Clarity being free.
Clarity records mouse movements, click positions, scroll depth, page navigation, rage clicks, dead clicks, and JavaScript errors. It creates playable recordings of individual user sessions. By default it may capture text content in form fields unless masking is configured.
Yes, completely free with no session limits. This makes it attractive but does not reduce GDPR obligations. The same consent, masking, DPIA, and DPA requirements apply as to paid session recording tools.
Clarity sets _clck (user identifier, 1 year), _clsk (session grouping, 1 day), and CLID (client identifier). These require analytics consent under the ePrivacy Directive before Clarity loads.
Yes. All Clarity data is processed on Microsoft Azure infrastructure in the US. SCCs are required. Microsoft's Online Services Data Protection Addendum covers Clarity. Accept the DPA before using Clarity on EU-facing websites.
In Clarity Settings, go to Masking. Enable "Strict" masking to hide all text content in recordings. Alternatively, apply masking selectively using HTML attribute data-clarity-mask="true" on specific elements. Test masking by recording a session and verifying sensitive fields are masked.
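When masking is applied selectively with `data-clarity-mask="true"`, a static check over page templates catches form controls that were missed before any session is recorded. The following is an added example, not Clarity tooling: it assumes well-formed markup and that the attribute on a container also covers the elements inside it, and the sample form is constructed.

```javascript
// Added example: list form controls not covered by data-clarity-mask="true"
// on themselves or on an ancestor (ancestor inheritance is an assumption).
const VOID_TAGS = new Set(["input", "br", "img", "hr", "meta", "link"]);
const CONTROLS = new Set(["input", "textarea", "select"]);

function findUnmaskedControls(html) {
  // Tag name, then attributes; quoted values may contain ">".
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  const stack = []; // one boolean per open element: inside a masked subtree?
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[2].toLowerCase();
    const attrs = m[3];
    if (m[1] === "/") { stack.pop(); continue; } // closing tag
    const inherited = stack.length > 0 && stack[stack.length - 1];
    const own = /\bdata-clarity-mask\s*=\s*["']?true\b/i.test(attrs);
    const masked = inherited || own;
    if (CONTROLS.has(name) && !masked) {
      const label = /\b(?:name|id)\s*=\s*["']([^"']+)/i.exec(attrs);
      findings.push(name + (label ? "#" + label[1] : ""));
    }
    const selfClosed = /\/\s*$/.test(attrs);
    if (!VOID_TAGS.has(name) && !selfClosed) stack.push(masked);
  }
  return findings;
}

// Constructed sample template.
const SAMPLE_FORM = `
<form id="signup">
  <input name="email" type="email">
  <div data-clarity-mask="true">
    <input name="iban" type="text">
    <textarea name="notes"></textarea>
  </div>
  <select name="country"><option>DE</option></select>
  <input name="phone" data-clarity-mask="true" />
</form>`;

console.log(findUnmaskedControls(SAMPLE_FORM));
```

A non-empty result in a build or CI step is a cue to mask the listed fields or exclude the page; it complements, and does not replace, reviewing an actual test recording.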
Yes. Recording individual user sessions at scale constitutes large-scale systematic monitoring — a specific DPIA trigger under GDPR Article 35. Despite being free, Clarity triggers the same DPIA obligation as Hotjar, FullStory, and Contentsquare.
Hotjar (EU data region available), Lucky Orange (US but similar consent requirements), and Contentsquare (French, DPIA required) are alternatives. No session recording tool avoids GDPR consent requirements. For aggregate-only analysis, Plausible (EU, cookieless) or Matomo (self-hostable) are alternatives that don't require consent.