Hotjar

Hotjar

Session recording and behavioral analytics tool widely used by product and UX teams. Hotjar captures heatmaps, scroll maps, and full session replays. Sets cookies to identify returning users and records clicks, taps, and mouse movements across the page.

Back to Vendor Library

Overview

Hotjar is a behavioral analytics and user feedback platform used by product and UX teams to understand how visitors interact with websites. It provides heatmaps, scroll maps, session recordings, and on-site surveys. Hotjar is one of the most widely deployed analytics tools and processes significant volumes of user interaction data.

What This Script Does

  • Session recording: Captures full session replays including mouse movements, clicks, taps, scrolling behavior, and DOM changes. Records what users see and do on every page during a session.
  • Heatmaps and scroll maps: Aggregates click, tap, and scroll position data across all visitors to generate visual heatmaps showing interaction hotspots.
  • Form analytics: Tracks form field interactions including time spent per field, drop-off points, and refill rates.
  • User feedback: Renders on-site survey widgets, feedback polls, and incoming feedback buttons.
  • Cookies set:
    • _hjSessionUser_* — persistent cookie (365 days) that assigns a unique Hotjar User ID to identify returning visitors
    • _hjSession_* — session cookie that tracks the current session
    • _hjIncludedInSessionSample — controls session recording sampling
    • _hjAbsoluteSessionInProgress — detects the first pageview of a session
    • _hjFirstSeen — identifies new vs. returning visitors
  • Network requests: Sends recorded session data, heatmap coordinates, and survey responses to Hotjar's servers (*.hotjar.com). Data is transmitted continuously during a session.
  • DOM observation: Uses MutationObserver to track DOM changes in real time for accurate session replay rendering.
  • Keystrokes: By default, Hotjar suppresses keystroke recording in input fields, but this can be configured per-site. When suppression is disabled, typed content is captured.

Consent & Compliance

  • Consent category: Analytics
  • GDPR/ePrivacy: Hotjar sets persistent cookies that identify returning visitors and captures detailed behavioral data. Requires explicit opt-in consent under both the ePrivacy Directive (cookie consent) and GDPR (processing of personal data). Hotjar acts as a data processor; a Data Processing Agreement (DPA) is available and should be signed.
  • CCPA: Session recordings, heatmap data, and visitor identification constitute personal information. Must be disclosed in your privacy policy. Honor opt-out requests.
  • Data residency: Hotjar processes data in the EU (Ireland), which simplifies GDPR compliance but does not eliminate the consent requirement.
  • Sensitive data risks: Session recordings may inadvertently capture sensitive information displayed on screen (personal details, financial data, health information). Configure Hotjar's suppression rules to mask sensitive page elements.

Should You Block This Without Consent?

Yes. Hotjar sets persistent identification cookies, records detailed user sessions including mouse movements and clicks, and transmits this behavioral data to external servers. It is firmly in the analytics consent category and must not load until the user has granted consent. This applies even though Hotjar is not used for advertising — the depth of behavioral data collected requires informed consent under GDPR and ePrivacy.

Visit website

Consent Categories

Analytics

Also Known As

hotjar GDPRhotjar cookiessession recording consenthotjar heatmap privacyhotjar trackingHotjar compliance

Industries

Computers Electronics and Technology

Tracked Domains (1)

hotjar.comAnalytics

Frequently Asked Questions

Is consent required before loading Hotjar on my site?

Yes. Hotjar sets persistent identification cookies, records full session replays of mouse movements and clicks, and transmits detailed behavioral data externally. This requires explicit opt-in consent under GDPR and ePrivacy, regardless of the fact that Hotjar is used for UX analysis rather than advertising.

What cookies and data does Hotjar collect?

Hotjar sets _hjSessionUser_* (365-day visitor ID), _hjSession_* (current session tracker), _hjIncludedInSessionSample (recording sampling flag), and _hjFirstSeen (new vs. returning). It records mouse movements, clicks, scrolls, and form interactions, streaming session replay data continuously to hotjar.com during each session.

How does ConsentStack manage Hotjar on my site?

ConsentStack blocks the Hotjar script until the visitor grants analytics consent. Once consent is given, ConsentStack releases the script and Hotjar begins recording. If consent is later withdrawn, ConsentStack suppresses Hotjar on subsequent page loads. Consent records with timestamps are stored for GDPR audit purposes.

Related Vendors

Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Analytics
Google Analytics
Google Analytics is the world's most widely deployed web analytics platform. Scripts track page views, sessions, user demographics, traffic sources, and conversion events. Drops cookies to identify returning visitors and attribute user journeys across sessions.
Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Microsoft
Microsoft
Runs Clarity (session recording and heatmaps), the Microsoft Advertising UET tag (conversion tracking), and Bing's remarketing pixel. Clarity injects a recording script that captures mouse movements, clicks, and rage clicks. The UET tag fires conversion events to tie ad clicks to on-site actions across Microsoft's ad network.
Microsoft Dynamics 365
Microsoft Dynamics 365
Microsoft Dynamics 365 is a suite of CRM and ERP applications that integrates with websites through tracking scripts and embedded forms. Web tracking code captures visitor behavior, page views, and form submissions to build customer profiles and score leads. Sets cookies to identify returning visitors and attribute marketing touchpoints across sessions.
LinkedIn Insight Tag
LinkedIn Insight Tag
LinkedIn Insight Tag is a JavaScript tracking pixel for LinkedIn's advertising and analytics platform. The tag fires on every page view to collect URL, referrer, IP address, and device data for conversion tracking, website demographics reporting, and retargeting audience building. Sets cookies to identify LinkedIn members across advertiser websites.

Manage consent for Hotjar

ConsentStack automatically detects and manages Hotjar trackers so your site stays compliant with global privacy regulations.

Get started