Why Hotjar Cookies Require Consent

Hotjar captures how visitors interact with your website. It records mouse movements, clicks, scroll depth, and form interactions, then presents the data as heatmaps and session replays. To do this, Hotjar places several first-party cookies on the visitor's browser.

None of these cookies are strictly necessary for your website to function. A visitor who never triggers the Hotjar script can still browse, purchase, and submit forms without any loss of functionality. That distinction matters because Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a user's device, unless the storage is strictly necessary to provide a service the user has explicitly requested.

The same principle applies under the GDPR, where consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes or implied agreement through continued browsing do not qualify.

Hotjar Cookies: What Gets Set and Why

Hotjar's tracking code creates cookies scoped to your top-level domain, including subdomains. All are first-party cookies, which means your cookie scanner will attribute them to your own domain rather than to hotjar.com.

The table below lists the main cookies Hotjar sets through its tracking snippet.

| Cookie Name | Purpose | Duration | Category |
|---|---|---|---|
| _hjSessionUser_{site_id} | Persists a unique user ID for the site, linking behaviour across visits | 365 days | Analytics |
| _hjSession_{site_id} | Holds current session data so pageviews within one visit are grouped | 30 minutes | Analytics |
| _hjAbsoluteSessionInProgress | Detects the first pageview of a session for sampling purposes | 30 minutes | Analytics |
| _hjIncludedInSessionSample_{site_id} | Indicates whether the visitor is included in the session recording sample | 30 minutes | Analytics |
| _hjFirstSeen | Identifies the first session of a new user | 30 minutes | Analytics |
| _hjViewportId | Stores viewport dimensions for rendering heatmaps | Session | Analytics |

Every cookie in this list serves an analytics or behavioural tracking purpose. None qualify as strictly necessary under any EU data protection authority's published guidance.
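The cookie names in the table are what a compliance check actually looks for. The following is an added example (not code from the article or from Hotjar) that reads a document.cookie-style string, identifies the Hotjar cookies listed above, and reports a violation when any of them exists before analytics consent was granted. The input string is constructed for illustration, and the site ID 1234567 in it is a made-up placeholder, not a real Hotjar site ID.

```javascript
// Added example (not from the article or Hotjar): classify the cookies a browser
// holds and flag Hotjar cookies that exist before analytics consent was granted.
// In a browser, pass document.cookie; here the input is a constructed string.

// Cookie-name patterns taken from the table above. {site_id} is a numeric
// Hotjar site ID, so it is matched with \d+.
const HOTJAR_COOKIE_PATTERNS = [
  { re: /^_hjSessionUser_\d+$/, purpose: "persistent user ID (365 days)" },
  { re: /^_hjSession_\d+$/, purpose: "current session (30 minutes)" },
  { re: /^_hjAbsoluteSessionInProgress$/, purpose: "first-pageview detection" },
  { re: /^_hjIncludedInSessionSample_\d+$/, purpose: "session recording sample flag" },
  { re: /^_hjFirstSeen$/, purpose: "first session of a new user" },
  { re: /^_hjViewportId$/, purpose: "viewport dimensions for heatmaps" },
];

// Parse a document.cookie-style string ("a=1; b=2") into name/value pairs.
// Only the first "=" separates name from value, so values containing "=" survive.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? { name: part, value: "" }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Return the Hotjar cookies present, each with its purpose. Anything else that
// starts with _hj is reported as "unlisted" so a newly introduced cookie is not missed.
function findHotjarCookies(cookieString) {
  return parseCookieString(cookieString)
    .filter((c) => c.name.startsWith("_hj"))
    .map((c) => {
      const match = HOTJAR_COOKIE_PATTERNS.find((p) => p.re.test(c.name));
      return { name: c.name, purpose: match ? match.purpose : "unlisted _hj cookie" };
    });
}

// Audit verdict: any Hotjar cookie is a violation when analytics consent is absent.
function auditHotjarConsent(cookieString, analyticsConsentGranted) {
  const found = findHotjarCookies(cookieString);
  return {
    hotjarCookies: found.map((c) => c.name),
    violation: !analyticsConsentGranted && found.length > 0,
  };
}

// Constructed sample: what document.cookie might look like on a page where the
// Hotjar snippet fired before the banner was answered (1234567 is a placeholder ID).
const SAMPLE_BEFORE_CONSENT =
  "cookie_banner_seen=1; _hjSessionUser_1234567=abc; _hjSession_1234567=def; _hjFirstSeen=1; csrftoken=xyz";

// In a browser, run the audit against the live cookie jar before any consent choice.
if (typeof document !== "undefined") {
  console.log(auditHotjarConsent(document.cookie, false));
}
```

Run this from the browser console on a fresh private window, before touching the banner: if `violation` is true, the snippet is firing ahead of consent, which is the second of the common mistakes discussed later in the article.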

Legal Basis: Consent, Not Legitimate Interest

Some site owners attempt to load Hotjar under a legitimate interest basis, arguing that understanding user behaviour is a reasonable business need. Data protection authorities have consistently rejected this approach for tracking technologies that store information on the user's device.

The CNIL's enforcement actions make the position clear. In multiple decisions since 2022, the French authority has fined organisations for loading analytics cookies without prior consent, regardless of the controller's claimed legitimate interest. The ePrivacy Directive's consent requirement under Article 5(3) operates independently of the GDPR's six legal bases - there is no legitimate interest exception for placing cookies.

Hotjar's own documentation acknowledges this. The platform recommends an opt-in procedure and states that the checkbox to activate Hotjar cookies must not be pre-selected.

Session Recordings and Personal Data

Session recordings raise particular privacy concerns because they capture the visitor's entire interaction with a page. Hotjar suppresses keystrokes by default, which prevents typed passwords and credit card numbers from reaching Hotjar's servers. Sensitive form fields are masked automatically.

That default suppression does not eliminate all personal data from recordings. Screen content can still reveal names, email addresses, phone numbers, and other identifiers visible on the page. If your site displays user profiles, order confirmations, or account dashboards, session recordings will capture that content unless you manually apply suppression CSS classes.

Under GDPR consent requirements, you must inform visitors about what data the recording captures. Your cookie banner's description of Hotjar should mention session recordings specifically, not just "analytics" in vague terms.

Data Processing Agreement with Hotjar

When you use Hotjar, you act as the data controller. Hotjar Ltd operates as the data processor. Article 28 of the GDPR requires a data processing agreement (DPA) between controller and processor before any processing begins.

Hotjar provides a standard DPA that includes EU and UK Standard Contractual Clauses. The agreement covers data storage within the EEA, subprocessor management, and data deletion obligations. You can access and sign this DPA from your Hotjar account settings.

Having a DPA in place does not replace consent. The DPA governs the relationship between you and Hotjar as processor. Consent governs the relationship between you and your visitors. Both are required.

How to Load Hotjar Only After Consent

The standard Hotjar installation places a JavaScript snippet in your site's <head> section. Without modification, this snippet fires on every page load and sets cookies immediately. To comply with consent requirements, you need to prevent the script from executing until the visitor grants permission.

Using a Tag Manager

If you run Google Tag Manager, configure the Hotjar tag to fire only on a consent-granted trigger. With Google Consent Mode v2, you can map Hotjar to the analytics_storage consent type. The tag will remain blocked until the visitor accepts analytics cookies through your banner.

Using Script Blocking

If you load Hotjar directly without a tag manager, change the script's type attribute from text/javascript to text/plain. This prevents the browser from executing the code. Your cookie consent platform can then switch the type back to text/javascript once consent is granted, or inject the script dynamically through a consent callback.
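The two approaches above (the Consent Mode v2 mapping for a tag manager and the text/plain script block) come together in the consent callback. The following is an added example, not Hotjar's or any consent platform's code, of that callback. It assumes each gated script tag carries a data-cookie-category attribute (e.g. "analytics"), that the banner produces a consent object such as { analytics: true, marketing: false }, and that gtag is present only when Google Tag Manager is used. One practical detail the example handles: setting the type attribute back on a script element the parser already skipped does not make the browser execute it, so the callback re-creates the element with the same src or inline body.

```javascript
// Added example (not Hotjar's or any consent platform's code): a consent gate
// for scripts blocked with type="text/plain", plus the Consent Mode v2 update
// that tells Google Tag Manager whether an analytics tag such as Hotjar may fire.
// Assumptions: gated <script> tags carry data-cookie-category, and the consent
// state is an object like { analytics: true, marketing: false }.

// Pure decision: which gated scripts may run under the given consent state.
// scripts: [{ id, type, category }]; consent: { [category]: boolean }
function planActivation(scripts, consent) {
  return scripts
    .filter((s) => s.type === "text/plain")       // ignore scripts that are already live
    .filter((s) => consent[s.category] === true)  // only explicitly accepted categories
    .map((s) => s.id);
}

// Pure mapping to the Google Consent Mode v2 signal for analytics tags.
// Anything other than an explicit true is "denied", which is also the correct
// default to send with gtag("consent", "default", ...) before GTM loads.
function consentModeSignal(consent) {
  return { analytics_storage: consent.analytics === true ? "granted" : "denied" };
}

// Browser side. Changing .type on a script the parser already skipped does not
// execute it, so re-create the element with the same src or inline body.
function activateScript(doc, oldScript) {
  const fresh = doc.createElement("script");
  fresh.type = "text/javascript";
  if (oldScript.src) {
    fresh.src = oldScript.src;
  } else {
    fresh.textContent = oldScript.textContent;
  }
  fresh.setAttribute("data-activated", "true");
  oldScript.parentNode.replaceChild(fresh, oldScript);
}

// Consent callback to wire to the banner's "accept" / "save preferences" handler.
// Returns the number of scripts activated so the banner can log it.
function applyConsent(doc, consent) {
  const gated = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-cookie-category]')
  );
  const byId = new Map(gated.map((el, i) => [i, el]));
  const plan = planActivation(
    gated.map((el, i) => ({ id: i, type: el.type, category: el.dataset.cookieCategory })),
    consent
  );
  for (const id of plan) activateScript(doc, byId.get(id));
  if (typeof gtag === "function") {
    gtag("consent", "update", consentModeSignal(consent)); // Consent Mode v2 update
  }
  return plan.length;
}

// Constructed sample of a page's script inventory: Hotjar is gated as analytics,
// a chat widget is gated as functional, the app bundle is already live.
const SAMPLE_SCRIPTS = [
  { id: "hotjar", type: "text/plain", category: "analytics" },
  { id: "chat-widget", type: "text/plain", category: "functional" },
  { id: "app-bundle", type: "text/javascript", category: "necessary" },
];
```

Note that consent is a positive condition: an empty or missing category in the consent object keeps the script blocked, so a banner that is dismissed without a choice never activates Hotjar. The re-created element gets a data-activated marker so an audit can distinguish scripts enabled by the callback from scripts that were never gated.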

Hotjar, Heatmaps, and the UK Position

The UK GDPR and the Privacy and Electronic Communications Regulations (PECR) mirror the EU position on analytics cookies. The ICO's guidance classifies heatmap and session recording tools as non-essential, requiring opt-in consent.

The UK Data Use and Access Act, which received Royal Assent in 2025, introduces limited exemptions for certain analytics cookies. These exemptions apply to basic audience measurement that does not profile individuals across sites. Hotjar's session recordings, which capture granular behavioural data tied to a persistent user identifier, are unlikely to qualify for this exemption. Until the ICO publishes updated guidance on the new exemptions, treating Hotjar as consent-required remains the safest approach.

Common Mistakes with Hotjar Consent

Three errors appear repeatedly when auditing sites that use Hotjar.

The first is categorising Hotjar cookies as "functional" rather than "analytics" or "performance" in the cookie banner. This misleads visitors and may constitute a dark pattern under regulatory guidance. Hotjar cookies do not enable any visitor-facing functionality.

The second is loading the Hotjar snippet in the page source without any consent gate. Even if a cookie banner is present, placing the script tag directly in the HTML means cookies are set before the visitor interacts with the banner. The CNIL and other DPAs have fined for exactly this pattern.

The third is failing to mention session recordings in the cookie policy. Your cookie policy should describe not just the cookies but the processing activities they support. Recording a visitor's screen interactions is a distinct processing activity that deserves specific disclosure.

Frequently Asked Questions

Are Hotjar cookies first-party or third-party?

Hotjar cookies are first-party. The tracking code sets them on your domain (including subdomains), so browsers and cookie scanners attribute them to your site rather than to hotjar.com.

Can I use Hotjar without consent under legitimate interest?

No. Article 5(3) of the ePrivacy Directive requires consent for storing non-essential information on a user's device. This applies regardless of the GDPR legal basis you rely on. Hotjar's cookies are not strictly necessary, so consent is required.

Does Hotjar record passwords and credit card numbers?

Hotjar suppresses keystrokes by default, which means typed text in input fields does not reach Hotjar's servers. Sensitive data displayed on screen may still appear in recordings unless you apply manual suppression using Hotjar's CSS classes.

How long do Hotjar cookies last?

The main user cookie (_hjSessionUser) persists for 365 days. Session-level cookies such as _hjSession and _hjAbsoluteSessionInProgress expire after 30 minutes of inactivity.

Do I need a data processing agreement to use Hotjar?

Yes. Under GDPR Article 28, you must have a signed DPA with Hotjar before processing any visitor data. Hotjar provides a standard DPA with EU and UK Standard Contractual Clauses in your account settings.

Should I classify Hotjar cookies as analytics or functional?

Hotjar cookies belong in the analytics or performance category. They do not provide any visitor-facing functionality. Classifying them as functional is misleading and may attract regulatory scrutiny.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.

Start Free - Scan Your Website