Does Hotjar Require Consent? (2026)

Learn whether Hotjar requires cookie consent under GDPR, ePrivacy and UK PECR, which Hotjar cookies are used, and how to configure Hotjar compliantly.

Concentio June 21, 2026 13 min read

Yes. In the EU, EEA and UK, Hotjar generally requires consent before it can load, set cookies or collect full behavioral analytics data.

That is because Hotjar is not just a simple pageview counter. It is a behavioral analytics platform used for heatmaps, session recordings, click tracking, scroll tracking, surveys and feedback. In a typical implementation, it uses first-party cookies and records how people interact with a website.

Hotjar can be used in a privacy-conscious way, but it is not something you should treat as strictly necessary.

If your site serves visitors in Europe or the UK, the safest starting point is:

Do not load Hotjar until the visitor has given analytics consent.

This guide explains why Hotjar usually requires consent, which cookies it sets, what makes it different from Google Analytics and Microsoft Clarity, and how to configure it correctly.

Disclaimer: This article is general information, not legal advice. Consent requirements depend on your technologies, purposes, vendors and implementation.

Why This Question Matters

Many website owners install Hotjar because they want to understand user behavior.

That is reasonable.

Hotjar is useful because it helps answer questions such as:

  • Where do visitors click?
  • How far do they scroll?
  • Where do they get stuck?
  • Which form fields cause friction?
  • Why do users abandon a page?
  • What does a real user session look like?

Those insights can improve conversion rates, UX and product decisions.

The compliance issue is that Hotjar reaches deeper into user behavior than many people expect.

A session recording is not the same as an aggregate traffic chart. A heatmap is not the same as a simple pageview count. Hotjar is designed to observe interactions, reconstruct user journeys and help site owners understand behavior at a detailed level.

That does not make Hotjar bad.

It does mean consent and transparency matter.


What Hotjar Actually Does

Hotjar is a behavior analytics and user feedback tool.

Depending on how it is configured, it can collect or generate:

  • Heatmaps
  • Session recordings
  • Click data
  • Scroll data
  • Mouse movement data
  • Rage click and dead click signals
  • Page interaction data
  • Survey responses
  • Feedback widget responses
  • Funnel and conversion insights
  • User attributes if the Identify API is used

Hotjar's own documentation says the Hotjar Tracking Code is responsible for collecting and sending data to your Hotjar account once installed on your site.

Source: What is the Hotjar Tracking Code?

Hotjar also says recordings start collecting data as soon as the tracking code is installed and session capture is enabled. Data is collected across pages where the tracking code is installed.

Source: How to Set Up Recordings

That is the key implementation point.

If the Hotjar script loads before consent, Hotjar may begin collecting data before the visitor has made a choice.


Does Hotjar Use Cookies?

Yes. Hotjar uses cookies when the Hotjar Tracking Code is installed on a website.

Hotjar explains that the cookies set by the Hotjar Tracking Code are first-party cookies. They are created by a script executed from the host domain.

Source: Cookies Set by the Hotjar Tracking Code

This matters because many people confuse first-party cookies with strictly necessary cookies.

They are not the same thing.

A first-party cookie is set on the website's own domain. That does not automatically make it exempt from consent. If the cookie is used for analytics, behavioral tracking or session recording, it is still typically non-essential.

Hotjar also states that it does not track or record users who have disabled cookies in their browser.

Source: Cookies Set by the Hotjar Tracking Code

Common Hotjar cookies include:

Cookie | Typical purpose | Typical category
_hjSessionUser_<site_id> | Persists the Hotjar user ID for the site and helps attribute behavior across visits | Analytics
_hjSession_<site_id> | Holds current session data and helps connect page views into a session | Analytics
_hjFirstSeen | Identifies a user's first session | Analytics
_hjAbsoluteSessionInProgress | Detects the first pageview of a session | Analytics
_hjIncludedInSessionSample_<site_id> | Determines whether a visitor is included in session data sampling | Analytics
_hjRecordingEnabled | Indicates whether the current session is being recorded | Analytics
_hjTLDTest | Helps Hotjar determine the most generic cookie path to use | Functional or analytics support

Cookie names and lifetimes can vary depending on the Hotjar version and site configuration. The important point is that Hotjar Tracking Code cookies support behavioral analytics and session tracking.


The clearest way to understand Hotjar consent is to separate cookie law from data protection law.

They overlap, but they answer different questions.

ePrivacy and UK PECR

The ePrivacy Directive and the UK's PECR rules focus on storing or accessing information on a user's device.

If a cookie or similar technology is not strictly necessary, prior consent is usually required before it is set or read.

Hotjar's Tracking Code cookies support heatmaps, recordings, session continuity and behavioral analytics. Those functions are useful for the website owner, but they are not usually necessary for providing the website service requested by the visitor.

That is why Hotjar should generally be blocked until analytics consent is granted.

The UK ICO explains that organisations using cookies and similar technologies must explain what they are used for and ensure users understand the consequences of allowing them.

Source: ICO cookies and similar technologies guidance

The CNIL also explains that publishers must generally inform users, obtain consent and provide a way to refuse before depositing or reading cookies or trackers, with limited exemptions for certain audience measurement tools under specific conditions.

Source: CNIL analytics guidance

Hotjar is usually difficult to place inside those narrow analytics exemptions because it can involve session recordings, heatmaps and detailed behavioral analysis.

GDPR and UK GDPR

GDPR becomes relevant because Hotjar may process personal data or data that can become personal data.

Depending on configuration, Hotjar may process:

  • Behavioral activity
  • Session recordings
  • Clicks
  • Scroll depth
  • Device and browser information
  • Survey responses
  • Feedback submissions
  • User attributes sent through the Identify API
  • Personal data accidentally visible in page content if not suppressed

Hotjar says keyboard input is suppressed by default, but website owners can actively send personal data such as email address, user ID or purchase data through Hotjar's Identify API.

Source: Processing Personal Data in Hotjar

Hotjar also states that IP addresses can optionally be passed to Hotjar as a user attribute, and that this is subject to the same privacy requirements as other personal information, including requiring user consent and accepting Hotjar's Data Processing Agreement.

Source: Data Safety, Privacy and Security

This is why the answer is not just "Hotjar uses cookies".

The stronger answer is:

Hotjar usually requires consent because it combines non-essential cookies with behavioral analytics and, depending on configuration, personal data processing.

For a wider explanation of the ePrivacy and GDPR distinction, see our guide on GDPR Cookie Consent Requirements.


Hotjar Is Not Just Google Analytics with Recordings

Many teams classify Hotjar as analytics and move on.

That is broadly correct, but incomplete.

Hotjar is usually an analytics tool from a CMP categorization perspective. But it is a more sensitive type of analytics than simple aggregate measurement.

Google Analytics helps answer:

How many visitors came to this page and what did they do as events?

Hotjar helps answer:

What did individual users experience on the page?

That is why legal and privacy teams often treat Hotjar more carefully than basic traffic analytics.

Question | Hotjar | Google Analytics
Main use | Behavior analytics and UX research | Traffic and event measurement
Common features | Heatmaps, recordings, feedback, surveys | Page views, events, conversions, audiences
Uses cookies | Yes, in typical setup | Yes, in typical setup
Tracks behavior | Yes | Yes, but usually less visually
Session recordings | Yes | No, not as a core GA feature
Consent required in EU/UK | Generally yes | Generally yes
CMP category | Analytics, sometimes Performance | Analytics
Strictly necessary | Usually no | Usually no

Both tools generally require consent in consent-first jurisdictions.

The difference is that Hotjar's session recording and heatmap features make the privacy impact easier to see.

For a dedicated explanation, see our guide on Does Google Analytics Require Consent?


Hotjar vs Microsoft Clarity from a Consent Perspective

Hotjar and Microsoft Clarity are closer competitors.

Both can provide:

  • Heatmaps
  • Session recordings
  • Click analysis
  • Scroll analysis
  • UX insights

Both can raise similar consent questions.

The practical difference is that Microsoft has recently formalized Clarity consent signaling through Clarity Consent Mode and Consent API v2. Hotjar's compliance model is more focused on blocking, privacy settings, suppression, user controls and correct CMP implementation.

From a website owner's perspective, the conclusion is similar:

  • Do not load the tool before consent in EU and UK contexts.
  • Classify it as analytics unless advertising or profiling use changes the purpose.
  • Disclose session recordings clearly.
  • Test whether cookies and recordings start before consent.
  • Enable privacy settings to reduce unnecessary data capture.

For a dedicated comparison point, see our guide on Does Microsoft Clarity Require Consent?


In most EU and UK contexts, you should not rely on Hotjar without consent if the tracking code sets cookies or session recording starts before the user has made a choice.

Hotjar's own documentation states that Hotjar stores first-party cookies on the user's browser in order to process data about a visit to a website using Hotjar.

Source: Hotjar Privacy FAQs

It also states that Hotjar does not track or record users who have disabled cookies in their browser.

Source: Cookies Set by the Hotjar Tracking Code

Some implementations may reduce the privacy impact through configuration, sampling, suppression or limiting where recordings run. Those settings are useful, but they do not automatically remove the need for consent if cookies or non-essential tracking are still used.

A safer position is:

Hotjar may be configured to reduce privacy risk, but a standard Hotjar implementation should be consent-gated in Europe and the UK.


What About Hotjar Surveys and Feedback Widgets?

Hotjar is not only used for passive analytics.

It can also collect active user feedback through surveys and feedback widgets.

This creates a slightly different consent question.

If a visitor voluntarily submits a survey response or feedback message, that response may be treated differently from passive tracking. Hotjar notes that surveys still work with Do Not Track enabled because these widget responses are considered explicit submissions.

Source: How to Stop Hotjar From Collecting your Data

However, this does not mean every Hotjar feature can run without consent.

A feedback form submission is not the same as background session recording.

If you use both Hotjar recordings and Hotjar surveys, treat them separately:

Feature | Consent consideration
Session recordings | Usually requires prior analytics consent
Heatmaps | Usually requires prior analytics consent
Passive click and scroll tracking | Usually requires prior analytics consent
Feedback widget | Depends on implementation and content
Survey response | Often based on explicit user submission, but still needs transparency

The safest setup is to avoid loading the full Hotjar tracking script before consent unless you have verified exactly which features activate and whether cookies are set.


How to Use Hotjar Compliantly

Hotjar can be implemented responsibly, but the configuration matters.

Use this checklist.

1. Classify Hotjar as Analytics

In your CMP, Hotjar should usually be listed under Analytics or Performance.

Do not classify it as Strictly Necessary.

A good vendor description should mention session recordings and heatmaps, not just "analytics".

Example:

Hotjar helps us understand how visitors use our website through heatmaps, session recordings, click tracking and feedback tools. We use this information to improve usability and website performance.

2. Block Hotjar Before Consent

The Hotjar Tracking Code should not load until analytics consent has been granted.

This is especially important if session capture is enabled.

Hotjar says recordings start collecting data as soon as the tracking code is installed and session capture is enabled.

Source: How to Set Up Recordings
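
A consent gate for this step, as an added example rather than code from Hotjar or Concentio: the tag is injected only after the CMP reports analytics consent, and `_hj` cookies are expired on rejection or withdrawal. The names `createHotjarGate` and `cookieDomain`, the `{ analytics: boolean }` consent shape and the script URL (taken from the classic Hotjar install snippet) are assumptions; use the snippet and site ID from your own Hotjar account.

```javascript
// Added example: consent-gated Hotjar loader. Not Hotjar's or Concentio's code.
// Assumptions: the consent object shape ({ analytics: boolean }) comes from
// your CMP, and the script URL follows the classic Hotjar install snippet;
// copy the real URL and site ID from the snippet in your own Hotjar account.
function createHotjarGate(win, doc, siteId, cookieDomain) {
  let loaded = false;

  function load() {
    if (loaded) return false; // never inject the tag twice
    // Queue stub so hj() calls made before the script arrives are not lost.
    win.hj = win.hj || function () {
      (win.hj.q = win.hj.q || []).push(arguments);
    };
    win._hjSettings = { hjid: siteId, hjsv: 6 };
    const script = doc.createElement('script');
    script.async = true;
    script.src = 'https://static.hotjar.com/c/hotjar-' + siteId + '.js?sv=6';
    doc.head.appendChild(script);
    loaded = true;
    return true;
  }

  // Expire every cookie whose name starts with "_hj" (the prefix shared by
  // the cookies listed on this page). A cookie set with a Domain attribute
  // is only removed when the same Domain is supplied, hence cookieDomain.
  function expireHotjarCookies() {
    const removed = [];
    for (const pair of doc.cookie.split(';')) {
      const name = pair.split('=')[0].trim();
      if (!name.startsWith('_hj')) continue;
      let expiry = name + '=; Max-Age=0; path=/';
      if (cookieDomain) expiry += '; domain=' + cookieDomain;
      doc.cookie = expiry;
      removed.push(name);
    }
    return removed;
  }

  return {
    // Call once on page load with the stored choice, then on every CMP change.
    onConsentChange(consent) {
      if (consent && consent.analytics === true) {
        return { action: load() ? 'loaded' : 'already-loaded', removed: [] };
      }
      // No choice yet, rejected or withdrawn: inject nothing, clean up cookies.
      const removed = expireHotjarCookies();
      // A script that already ran keeps running until the page is reloaded.
      return { action: loaded ? 'reload-required' : 'blocked', removed };
    },
    isLoaded: () => loaded,
  };
}
```

In the browser, call `createHotjarGate(window, document, SITE_ID)` and wire `onConsentChange` to your CMP's consent callback; the hard-coded Hotjar snippet must be removed from the page template, otherwise it still runs before the gate.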

3. Control Hotjar Inside Google Tag Manager

If Hotjar is installed through Google Tag Manager, make sure the Hotjar tag does not fire until analytics consent is granted.

A common mistake is showing a cookie banner while GTM still fires Hotjar immediately.

The banner must control the tag.

If you use Google Consent Mode for other tools, remember that it does not automatically make every non-Google tool compliant unless your setup uses those consent states to control the tag.

For a deeper explanation of consent signaling, see our guide on Google Consent Mode v2 Requirements.

4. Suppress Sensitive Page Content

Hotjar provides suppression tools for text, images, videos and user input.

Hotjar says user input is suppressed by default, but page content and images may still need additional suppression depending on the site.

Source: How to Suppress Text, Images, Videos and User Input from Collected Data

Hotjar also notes that keyboard input and numbers embedded in page content are suppressed by default, but additional suppression may be needed to stop personal information from appearing in recordings.

Source: Troubleshooting FAQs for Recordings

Pay special attention to:

  • Checkout pages
  • Login pages
  • Account pages
  • Contact forms
  • Health or financial forms
  • Free text fields
  • Search boxes
  • Uploaded content
  • Customer support pages

5. Avoid Sending Unnecessary Personal Data

Hotjar's Identify API can be used to send user attributes.

That can be powerful, but it also increases privacy risk.

Do not send email addresses, customer IDs, purchase data or other personal data to Hotjar unless you have a clear purpose, a lawful basis, proper disclosure and the necessary contractual terms.

Hotjar says the Identify API can actively send personal data such as email address, user ID or purchase data, and that this feature is optional.

Source: Processing Personal Data in Hotjar

6. Accept and Maintain the Data Processing Agreement

If Hotjar processes personal data on your behalf, you need appropriate contractual terms.

Hotjar's GDPR commitment page refers to the requirement for written agreements with vendors as part of GDPR compliance obligations.

Source: Hotjar's commitment to the GDPR

7. Update Your Privacy and Cookie Policy

Your privacy documentation should explain:

  • That you use Hotjar
  • Why you use it
  • Which features are active
  • Whether recordings are used
  • What cookies may be set
  • How long data is kept
  • How users can withdraw consent
  • How users can exercise privacy rights

Hotjar provides a sample wording resource for privacy policies, which you can use as a starting point and adapt to your actual setup.

Source: Hotjar sample wording for your privacy policy

8. Allow Consent Withdrawal

Users should be able to change their consent choice later.

Hotjar says it is the website owner's responsibility to allow users to withdraw consent in accordance with privacy laws.

Source: How to Stop Hotjar From Collecting your Data

Your CMP should provide a persistent way to reopen cookie settings and withdraw analytics consent.

9. Test the Implementation

After configuration, test the site in a clean browser session.

Before consent:

  • Clear cookies.
  • Open the site.
  • Reject analytics cookies.
  • Check whether Hotjar cookies are set.
  • Check whether Hotjar network requests fire.
  • Check whether recordings begin.

After consent:

  • Grant analytics consent.
  • Confirm the Hotjar tag loads.
  • Confirm expected Hotjar cookies appear.
  • Confirm recordings and heatmaps behave as expected.

Do not rely only on the CMP settings screen.

Verify what actually happens in the browser.
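
The before-consent checks above can be run over what the browser actually captured. This added example (not Concentio's scanner and not Hotjar code) flags `_hj` cookies and requests to Hotjar hosts; the `hotjar.com` / `hotjar.io` host list, the function names and the sample capture are assumptions constructed for illustration.

```javascript
// Added example: audit a pre-consent capture for Hotjar activity.
// Assumptions: Hotjar cookie names start with "_hj" (as in the cookie list
// on this page) and Hotjar traffic goes to hotjar.com / hotjar.io hosts.
const HOTJAR_COOKIE_PREFIX = '_hj';
const HOTJAR_DOMAINS = ['hotjar.com', 'hotjar.io'];

// Accepts the string returned by document.cookie ("a=1; b=2").
function parseCookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter((name) => name.length > 0);
}

// Match on a label boundary so "nothotjar.com" is not a false positive.
function isHotjarHost(hostname) {
  const host = hostname.toLowerCase();
  return HOTJAR_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}

function auditPreConsent(capture) {
  const cookies = parseCookieNames(capture.cookieString || '')
    .filter((name) => name.startsWith(HOTJAR_COOKIE_PREFIX));
  const requests = [];
  for (const raw of capture.requestUrls || []) {
    let url;
    try {
      url = new URL(raw);
    } catch (err) {
      continue; // not an absolute URL, nothing to attribute
    }
    // Only the hostname counts; "hotjar.com" in a query string is ignored.
    if (isHotjarHost(url.hostname)) requests.push(url.origin + url.pathname);
  }
  return {
    pass: cookies.length === 0 && requests.length === 0,
    cookies,
    requests,
  };
}

// Constructed sample: state captured after clicking "Reject" on a site
// whose tag manager still fires Hotjar. Values and paths are made up.
const REJECTED_BUT_LEAKING = {
  cookieString:
    'cmp_choice=reject; _hjSessionUser_1234567=eyJpZCI6IngifQ; _hjSession_1234567=abc',
  requestUrls: [
    'https://www.example.com/',
    'https://static.hotjar.com/c/hotjar-1234567.js?sv=6',
    'https://cdn.example.com/lib.js?ref=hotjar.com',
    'https://nothotjar.com/pixel',
    'https://in.hotjar.com/constructed/path',
  ],
};

// Constructed sample: the same page with the tag correctly gated.
const REJECTED_AND_CLEAN = {
  cookieString: 'cmp_choice=reject',
  requestUrls: [
    'https://www.example.com/',
    'https://cdn.example.com/lib.js?ref=hotjar.com',
  ],
};

if (typeof console !== 'undefined') {
  console.log(auditPreConsent(REJECTED_BUT_LEAKING));
  console.log(auditPreConsent(REJECTED_AND_CLEAN));
}
```

Feed it `document.cookie` from the DevTools console and the request URLs exported from the Network panel, captured in a fresh profile after rejecting analytics cookies.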


Not Sure Whether Hotjar Is Loading Before Consent?

Use Concentio to scan your website and verify whether Hotjar and other non-essential trackers are blocked before users make a consent choice.

Common Hotjar Consent Mistakes

Mistake 1: Treating First-Party Cookies as Automatically Exempt

Hotjar's Tracking Code cookies are first-party cookies.

That does not make them strictly necessary.

If they are used for behavioral analytics, heatmaps or session recordings, they still generally require consent in Europe and the UK.

Mistake 2: Saying "Analytics" Without Mentioning Recordings

A vague cookie banner category such as "analytics" may not give users enough context if session recordings are active.

Tell users what Hotjar actually does.

Heatmaps and recordings should not be hidden behind generic wording.

Mistake 3: Loading Hotjar Through GTM Before Consent

This is one of the most common implementation failures.

If GTM fires the Hotjar tag immediately, the banner may be cosmetic rather than functional.

Mistake 4: Forgetting to Suppress Sensitive Content

Default suppression is helpful, but it does not remove the need to review your site.

Pages with account data, health information, financial information or free text fields need special care.

Mistake 5: Using the Identify API Too Broadly

Sending user attributes to Hotjar can turn a relatively low-risk analytics setup into a more privacy-sensitive one.

Only send what you actually need.

Mistake 6: Not Checking Recordings After Launch

Privacy settings can look correct in theory while recordings still capture information you did not intend to collect.

Review sample recordings after implementation.


You should adapt this wording to your actual setup and legal review.

A clear description could look like this:

We use Hotjar to understand how visitors interact with our website. Hotjar helps us analyse clicks, scrolling, page behaviour, heatmaps and session recordings so we can improve usability and website performance. Hotjar may set analytics cookies when you give analytics consent. We use suppression settings to avoid collecting sensitive information in recordings. You can withdraw your consent at any time through our cookie settings.

If you use Hotjar surveys or feedback widgets, add:

We may also use Hotjar surveys or feedback tools to collect voluntary feedback that you choose to submit.

If you use the Identify API, add a more specific explanation of what user attributes are shared and why.


Hotjar Consent Checklist

Use this before going live.

Requirement | Status
Hotjar listed in the CMP | To verify
Hotjar categorized as Analytics or Performance | To verify
Banner explains heatmaps and recordings | To verify
Hotjar blocked before analytics consent | To verify
GTM tag does not fire before consent | To verify
_hjSessionUser and _hjSession cookies absent before consent | To verify
Sensitive fields suppressed | To verify
High-risk pages excluded or masked | To verify
Identify API reviewed | To verify
Data Processing Agreement in place | To verify
Privacy policy updated | To verify
Consent withdrawal available | To verify
Browser testing completed | To verify

Frequently Asked Questions

Yes, generally. In the EU, EEA and UK, Hotjar usually requires consent before setting cookies or collecting full behavioral analytics data because it is not strictly necessary for providing the website service.

Hotjar can be used in a GDPR-compliant way, but compliance depends on how you implement it. You need the right consent setup, privacy disclosures, suppression settings, data processing terms and internal controls.

Hotjar says the cookies set by the Hotjar Tracking Code are first-party cookies because they are created by a script executed from the host domain.

Source: Cookies Set by the Hotjar Tracking Code

Usually no. Hotjar cookies support analytics, heatmaps, recordings and user behavior analysis. Those functions are useful for website owners, but they are not normally essential for the website to function.

Common Hotjar cookies include _hjSessionUser_<site_id>, _hjSession_<site_id>, _hjFirstSeen, _hjAbsoluteSessionInProgress, _hjIncludedInSessionSample_<site_id> and _hjRecordingEnabled.

Cookie names can vary depending on configuration and product version.

It can, depending on configuration and page content. Hotjar suppresses user input by default, but page content, images and custom user attributes may require additional controls. Website owners should review suppression settings and avoid sending unnecessary personal data.

Source: Processing Personal Data in Hotjar

Hotjar says user keyboard input is suppressed by default, but website owners can configure some fields differently and may need additional suppression for page content or images.

Source: How to Suppress Text, Images, Videos and User Input from Collected Data

For EU and UK visitors, you should not rely on Hotjar without a consent mechanism if the tracking code sets cookies or records behavior before consent.

A cookie banner alone is not enough. The banner must actually control whether Hotjar loads.

Usually Analytics. If you connect Hotjar data with advertising, profiling or user-level targeting, review whether Marketing or Advertising consent is also required.

Hotjar says it does not track or record users who have disabled cookies in their browser.

Source: Cookies Set by the Hotjar Tracking Code

Often, yes. Both tools require careful consent handling, but Hotjar's session recordings and heatmaps can capture more detailed behavioral context than standard traffic analytics.


Conclusion

Hotjar is a valuable tool for improving websites, but it should not be treated as consent-free analytics.

In the EU, EEA and UK, Hotjar generally requires prior consent before the tracking code loads, sets cookies or starts collecting full behavioral analytics data.

The reason is practical and legal.

Hotjar uses first-party cookies, supports session recordings, creates heatmaps and analyses how visitors interact with a website. Those activities are useful, but they are not usually strictly necessary for the visitor.

A good Hotjar setup should:

  1. Classify Hotjar as Analytics.
  2. Block Hotjar before analytics consent.
  3. Prevent GTM or other tag managers from firing it too early.
  4. Clearly disclose heatmaps and session recordings.
  5. Suppress sensitive content.
  6. Avoid unnecessary user attributes.
  7. Keep a Data Processing Agreement in place.
  8. Allow users to withdraw consent.
  9. Verify the setup in the browser.

The most important point is simple:

A cookie banner does not make Hotjar compliant unless it actually controls when Hotjar loads.

Concentio can automatically detect Hotjar, classify it as an analytics tracker and block it until consent is granted.
