Microsoft Clarity is a free behavioural analytics tool that records session replays, generates heatmaps, and tracks user interactions on websites. It is also a tool that sets non-essential cookies in visitors' browsers. Since 31 October 2025, Clarity has enforced consent signal requirements for all page visits originating from the European Economic Area (EEA), the United Kingdom, and Switzerland. If your website serves visitors in any of these regions and you have not implemented a consent mechanism, Clarity's most useful features are already running in a restricted mode.
What Is Microsoft Clarity Consent Mode?
Clarity Consent Mode is a configuration that prevents the tool from setting cookies or collecting full session data until a visitor explicitly grants permission. When enabled, Clarity sits idle on page load. It does not write cookies, does not link page views into sessions, and does not record user journeys. Only after receiving a valid consent signal - typically passed by a consent management platform or a custom script - does Clarity activate its full tracking capabilities.
This is not optional for websites with European traffic. Consent Mode is now enabled by default for all users originating from the EEA, UK, and Switzerland. If Clarity does not receive a consent signal, it falls back to a limited no-consent mode: each page view is treated as a separate session from a new visitor, session replays break across pages, and funnel tracking becomes unusable.
Why Consent Is Required for Clarity
Clarity collects detailed behavioural data: mouse movements, scroll depth, click patterns, navigation paths, and form interactions. Under Article 5(3) of the ePrivacy Directive, storing or accessing information on a user's device requires prior, informed consent unless the cookie is strictly necessary for a service the user has requested. Analytics cookies do not meet that exception.
The GDPR reinforces this. Article 6(1)(a) requires a lawful basis for processing personal data, and for behavioural tracking, that basis is explicit opt-in consent. Recital 32 makes the standard clear: silence, pre-ticked boxes, and inactivity do not count. The visitor must take a deliberate action - clicking an "Accept" button on a cookie banner, for example - before Clarity may begin tracking.
Relying on legitimate interest for Clarity is risky and unlikely to hold up under scrutiny. European data protection authorities have consistently ruled that analytics tracking requires consent, not legitimate interest. The French CNIL fined SHEIN EUR 150 million in September 2025 for placing cookies before obtaining user permission - and that included analytics cookies, not just advertising ones.
Cookies Set by Microsoft Clarity
Clarity uses a mix of first-party and third-party cookies to maintain sessions and identify returning visitors. All of them fall into the analytics category and require consent before being set.
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
_clck | First-party | 1 year | Stores a unique user ID and site preferences. Recognises returning visitors across sessions. |
_clsk | First-party | 1 day | Groups multiple page views into a single session recording. |
CLID | Third-party | 1 year | Identifies the first time Clarity encountered this browser across any Clarity-enabled site. |
ANONCHK | Third-party | 10 minutes | Checks whether a browser ID (MUID) is transferred to another Microsoft cookie. Always set to 0 for Clarity. |
MR | Third-party | 7 days | Signals Microsoft whether to refresh the MUID cookie used for analytics and advertising. |
MUID | Third-party | 1 year | Microsoft user identifier shared across Microsoft domains for analytics and ad tracking. |
Without consent, none of these cookies are set. The _clck and _clsk cookies are the critical ones for Clarity's core functionality - without them, each page view appears as a separate visitor, making session replays and journey analysis impossible.
How ConsentV2 Replaces the Old API
Microsoft has deprecated the original window.clarity('consent', true) call. The replacement is ConsentV2, which provides granular control over two storage types: ad_storage and analytics_storage. This mirrors the approach used by Google Consent Mode v2, making it easier to manage consent signals consistently across both platforms.
The syntax is straightforward:
window.clarity('consentv2', {
ad_Storage: 'granted',
analytics_Storage: 'granted'
});If a visitor declines cookies, no call is needed - Clarity remains in no-consent mode by default. If a visitor later revokes consent, calling ConsentV2 with 'denied' values tells Clarity to delete existing cookies, end the current session, and restart tracking in restricted mode.
What Happens Under Each Consent State
| Consent State | Cookies Set | Session Stitching | Session Replays | Heatmaps |
|---|---|---|---|---|
| Both granted | Yes (_clck, _clsk, third-party) | Yes | Full | Full |
| Analytics granted, ads denied | First-party only (_clck, _clsk) | Yes | Full | Full |
| Both denied / no signal | None | No | Per-page only | Per-page only |
The distinction between ad_storage and analytics_storage matters if you also run Microsoft Ads or Universal Event Tracking (UET). Granting analytics but denying ads allows Clarity to track sessions while keeping advertising cookies blocked.
Implementing Consent Mode Step by Step
The setup involves two parts: configuring Clarity to hold off on cookies by default, and then passing the consent signal at the right moment.
Step 1 - Disable Cookies by Default
In your Clarity project dashboard, go to Settings > Setup. Under Advanced Settings, toggle Cookies off. This prevents Clarity from setting any cookies when the tracking script first loads. Clarity will still execute and collect basic page-level data, but without session continuity.
Step 2 - Pass Consent After Banner Interaction
When a visitor accepts non-essential cookies through your cookie banner, fire the ConsentV2 call. If you use a CMP, the integration typically handles this automatically. For custom implementations, listen for your banner's consent event:
window.addEventListener('consentGranted', function() {
window.clarity('consentv2', {
ad_Storage: 'granted',
analytics_Storage: 'granted'
});
});Step 3 - Handle Consent Withdrawal
If a visitor changes their mind and revokes consent, pass the denied state:
window.clarity('consentv2', {
ad_Storage: 'denied',
analytics_Storage: 'denied'
});Clarity will delete its cookies, terminate the session, and revert to restricted mode. This is a GDPR Article 7 requirement: withdrawing consent must be as easy as giving it.
Step 4 - Verify the Implementation
Open your browser's developer tools and run this in the console:
clarity('metadata', function(d, upgrade, consent) {
console.log('consentStatus:', consent);
}, false, true, true);Before accepting cookies, the consentStatus object should show both values as DENIED. After accepting, both should flip to GRANTED. Check the Application tab in DevTools to confirm that _clck and _clsk cookies appear only after consent.
Microsoft Clarity vs Google Consent Mode
Both Clarity and Google now require consent signals before full analytics tracking, but the mechanisms differ. Google Consent Mode v2 uses a tag-level configuration through Google Tag Manager, adjusting the behaviour of multiple Google services (Analytics, Ads, Floodlight) based on consent categories. Clarity's ConsentV2 is simpler - a single JavaScript call controls Clarity's behaviour directly.
If your site uses both tools, you need to handle consent signals for each independently. A CMP that supports both protocols can fire the appropriate calls based on the visitor's choices. Kukie.io's Google Consent Mode v2 integration and Microsoft UET Consent Mode integration handle this automatically, passing the correct signals to each platform based on the consent categories your visitors select.
Common Implementation Mistakes
Several pitfalls trip up site owners when setting up Clarity Consent Mode.
Forgetting to disable cookies in Clarity's dashboard. If the toggle remains on, Clarity sets cookies on page load regardless of your JavaScript implementation. The dashboard setting must come first.
Using the deprecated V1 API. The old window.clarity('consent', true) still works for now, but Microsoft has flagged it for removal. New implementations should use ConsentV2 exclusively.
Not handling the CLID cookie. Because CLID is an HTTP-only cookie, calling window.clarity('consent', false) does not remove it from the browser. The ConsentV2 API handles this more reliably, but it is worth checking during testing.
Limiting consent enforcement to EU visitors only. Microsoft's current enforcement covers the EEA, UK, and Switzerland, but the company has signalled that requirements may extend to other regions. Implementing consent globally is the safer approach and avoids maintaining separate logic for different geographies.
What Happens Without Consent Mode
If your site receives traffic from the EEA, UK, or Switzerland and you have not implemented a consent mechanism, Clarity operates in permanent restricted mode for those visitors. Session recordings are fragmented. Heatmaps show only single-page data. Funnel tracking breaks entirely. You are effectively blind to how European visitors navigate your site.
There is also a compliance risk. Setting analytics cookies without consent violates both the ePrivacy Directive and the GDPR. European regulators have grown increasingly aggressive about cookie enforcement. In September 2025, France's CNIL issued EUR 150 million and EUR 325 million fines to SHEIN and Google respectively, both related to cookie consent failures. These were not edge cases - they involved exactly the kind of pre-consent cookie placement that a misconfigured Clarity setup would produce.
Frequently Asked Questions
Does Microsoft Clarity set cookies without consent?
Not if Consent Mode is properly configured. With cookies disabled in the Clarity dashboard and ConsentV2 implemented, Clarity waits for a valid consent signal before setting any cookies. Without consent, it operates in a restricted mode with no persistent cookies.
What is the difference between Clarity ConsentV2 and Google Consent Mode v2?
Clarity ConsentV2 is a JavaScript API specific to Microsoft Clarity that controls whether Clarity sets cookies and tracks sessions. Google Consent Mode v2 is a broader framework that adjusts the behaviour of multiple Google services. Both use ad_storage and analytics_storage parameters, but they are separate implementations that must be configured independently.
Can I use Microsoft Clarity without a cookie banner?
Only if your website does not serve visitors from the EEA, UK, or Switzerland. For sites with European traffic, a cookie banner or other consent mechanism is mandatory before Clarity can set cookies and track full sessions.
Which Clarity cookies require GDPR consent?
All of them. The first-party cookies _clck and _clsk, along with third-party cookies CLID, ANONCHK, MR, and MUID, are classified as non-essential analytics cookies. Under the ePrivacy Directive and GDPR, they require explicit opt-in consent before being placed on a visitor's device.
What data does Clarity collect without cookies?
In no-consent mode, Clarity still collects basic page-level data such as page views and anonymous interaction signals. It cannot link page views into sessions, track returning visitors, or produce continuous session recordings. Each page is treated as a separate visit from a new user.
Is the old clarity consent API still supported?
The V1 call window.clarity('consent', true) still functions but is officially deprecated. Microsoft recommends migrating to ConsentV2, which offers separate control over ad_storage and analytics_storage. The V1 API may be removed in a future update.
How do I test whether Clarity Consent Mode is working correctly?
Open your browser's developer tools, go to the Application tab, and check for _clck and _clsk cookies. Before accepting cookies on your banner, these should not appear. After accepting, they should be set. You can also run clarity('metadata', ...) in the console to inspect the consentStatus object.
Set Up Clarity Consent Mode the Right Way
If your site uses Microsoft Clarity and receives any traffic from the EEA, UK, or Switzerland, consent mode is not optional. Kukie.io detects Clarity cookies during scans, categorises them correctly, and passes ConsentV2 signals automatically based on visitor choices.
