Microsoft Clarity and GDPR: Privacy Compliance Guide
Session recordings and heatmaps capture user behavior in detail — which immediately raises GDPR questions. Is Microsoft Clarity compliant? What data does it collect? Do you need cookie consent? This guide covers everything you need to know to use Clarity legally in the EU and beyond.
Is Microsoft Clarity GDPR Compliant?
The short answer: Clarity can be used in a GDPR-compliant way, but it's not automatically compliant just by installing it. Like any analytics tool that sets cookies and processes user behavior data, you need to configure it properly and handle consent correctly.
Microsoft provides the infrastructure for compliance — automatic content masking, a Data Processing Agreement, and configurable tracking options. But the responsibility for proper implementation falls on you as the data controller.
What Data Does Clarity Collect?
Understanding exactly what Clarity tracks is essential for your privacy policy and Data Protection Impact Assessment (DPIA). Here's a breakdown:
Data Clarity collects automatically
- Mouse movements and clicks: Position, timing, and element clicked
- Scroll behavior: Scroll depth, scroll speed, direction changes
- Page content: DOM structure for session replay rendering (with masking applied)
- Device information: Browser type, OS, screen resolution, viewport size
- Session metadata: Page URLs visited, referrer, session duration, timestamps
- Cookies: First-party cookies for session identification (`_clck`, `_clsk`)
- IP address: Used for geolocation, then discarded (not stored)
Data Clarity does NOT collect
- Keystroke content in input fields (masked by default)
- Stored IP addresses (used for geo lookup, then dropped)
- Cross-site tracking data
- Data from pages where the Clarity script isn't installed
Tip: Clarity's IP handling is a significant advantage over some competitors. Since IP addresses are used only for geolocation and never stored, you reduce your data processing footprint. However, the temporary processing of IP addresses still counts as personal data processing under GDPR.
Cookie Consent: Yes, You Need It
Clarity sets first-party cookies that are not strictly necessary for your website to function. Under GDPR (and the ePrivacy Directive), this means you need informed consent from EU visitors before loading the Clarity tracking script.
Clarity's cookies
| Cookie | Purpose | Duration |
|---|---|---|
| _clck | Unique user identifier | 12 months |
| _clsk | Session identifier | 1 day |
| CLID | Microsoft Clarity user identifier (if sharing with Bing) | 12 months |
| ANONCHK | Indicates if MUID is transferred to ANID (Bing integration) | Session |
| MR | Used to collect info for analytics | Session |
| SM | Used in synchronizing the MUID across Microsoft domains | Session |
How to implement consent correctly
- Don't load Clarity before consent: The Clarity JavaScript snippet should only fire after the user accepts analytics/performance cookies in your consent banner.
- Categorize properly: In your Cookie Management Platform (CMP), classify Clarity cookies under "Analytics" or "Performance" — not "Necessary."
- Provide opt-out: Users must be able to withdraw consent at any time, which should stop Clarity tracking and delete its cookies.
Most CMPs (Cookiebot, OneTrust, CookieYes) support conditional script loading. Here's a typical implementation with a consent manager:
```html
<!-- Only loads when analytics consent is given. type="text/plain" stops the
     browser from executing the script; the CMP (Cookiebot convention shown:
     data-cookieconsent="statistics") rewrites it to an executable script
     once the analytics/statistics category has been accepted -->
<script type="text/plain" data-cookieconsent="statistics">
(function(c,l,a,r,i,t,y){
    // Queue shim: clarity() calls made before the tag loads are buffered
    c[a]=c[a]||function(){(c[a].q=c[a].q||[]).push(arguments)};
    // Inject Microsoft's tag asynchronously for this project ID
    t=l.createElement(r);t.async=1;t.src="https://www.clarity.ms/tag/"+i;
    y=l.getElementsByTagName(r)[0];y.parentNode.insertBefore(t,y);
})(window, document, "clarity", "script", "YOUR_PROJECT_ID");
</script>
```
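If your CMP does not offer attribute-based script gating, the same three rules (load only after consent, categorize correctly, honour withdrawal) can be implemented directly. The following is an added example, not code from the article or from Microsoft: it loads the Clarity tag only on an affirmative analytics choice, and on withdrawal removes the tag and expires the first-party cookies from the table above, which is also what the "opt-out mechanism" item in the checklist further down asks for. The consent record shape `{ analytics: boolean }`, the `consentchange` event name and the `YOUR_PROJECT_ID` placeholder are assumptions; the tag URL is the one Microsoft's public snippet uses.

```javascript
// Added example, not code from the article or from Microsoft: a consent gate
// that loads Clarity only after analytics consent and tears it down on
// withdrawal. Assumptions: the consent record shape { analytics: boolean },
// the "consentchange" event name, and the CLARITY_PROJECT_ID placeholder.
const CLARITY_PROJECT_ID = "YOUR_PROJECT_ID"; // placeholder, as in the article
const CLARITY_TAG_ID = "clarity-tag";
// Clarity's first-party cookies (from the article's cookie table). Cookies the
// Bing integration sets on Microsoft's own domains are not writable from your
// origin, so withholding consent must keep them from being set at all.
const FIRST_PARTY_CLARITY_COOKIES = ["_clck", "_clsk"];

// Only an explicit, affirmative analytics choice loads the tracker.
function shouldLoadClarity(consent) {
  return Boolean(consent && consent.analytics === true);
}

// document.cookie strings that expire each first-party Clarity cookie, for
// both the host-only and the parent-domain variant.
function clarityCookieExpiryStrings(hostname) {
  const expired = "expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/";
  const writes = [];
  for (const name of FIRST_PARTY_CLARITY_COOKIES) {
    writes.push(`${name}=; ${expired}`);
    writes.push(`${name}=; ${expired}; domain=.${hostname}`);
  }
  return writes;
}

// Inject the Clarity tag once; returns false if it is already present.
function loadClarity(doc, projectId) {
  if (doc.getElementById(CLARITY_TAG_ID)) return false;
  const win = doc.defaultView;
  // Same queue shim as Microsoft's snippet: calls before load are buffered.
  win.clarity = win.clarity || function () {
    (win.clarity.q = win.clarity.q || []).push(arguments);
  };
  const tag = doc.createElement("script");
  tag.id = CLARITY_TAG_ID;
  tag.async = true;
  tag.src = "https://www.clarity.ms/tag/" + encodeURIComponent(projectId);
  doc.head.appendChild(tag);
  return true;
}

// Remove the tag and expire the cookies. A tracker that is already running
// keeps its in-memory state until navigation, so reloading after revocation
// is the simplest way to be sure recording has stopped (design choice here,
// not a Clarity API).
function revokeClarity(doc) {
  const tag = doc.getElementById(CLARITY_TAG_ID);
  if (tag) tag.remove();
  for (const write of clarityCookieExpiryStrings(doc.location.hostname)) {
    doc.cookie = write;
  }
}

function applyConsent(consent, doc) {
  if (shouldLoadClarity(consent)) {
    return loadClarity(doc, CLARITY_PROJECT_ID) ? "loaded" : "already-loaded";
  }
  revokeClarity(doc);
  return "revoked";
}

// Constructed stand-in for a browser document so the logic runs offline;
// it records cookie writes instead of storing cookies.
function fakeDocument(hostname) {
  const elements = new Map();
  const doc = {
    cookieWrites: [],
    location: { hostname },
    defaultView: {},
    head: { appendChild: (el) => elements.set(el.id, el) },
    getElementById: (id) => elements.get(id) || null,
    createElement: (tagName) => ({ tagName, remove() { elements.delete(this.id); } }),
  };
  Object.defineProperty(doc, "cookie", { set: (v) => doc.cookieWrites.push(v) });
  return doc;
}

// Browser wiring: the CMP is assumed to dispatch "consentchange" with the
// consent record in event.detail.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("consentchange", (e) => applyConsent(e.detail, document));
}
```

The gate treats anything other than a boolean `true` as refusal, so a missing, stale or malformed consent record never loads the tracker; revocation expires both the host-only and the parent-domain cookie variants because either may have been used when the cookie was set.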
Content Masking: Protecting Sensitive Data
Clarity automatically masks all user input fields in session recordings. When you watch a replay, text typed into forms appears as asterisks. This is a strong default, but you may need to go further.
Default masking (Balanced mode)
Clarity's default "Balanced" masking mode masks:
- All `<input>` and `<textarea>` content
- Email addresses detected in text
- Numbers that look like phone numbers or IDs
Strict masking mode
For sites handling sensitive data (healthcare, finance, legal), switch to "Strict" mode in Clarity Settings. This masks all text content on the page, showing only page structure and user interactions. You can still see where users click and scroll, but no readable text appears in recordings.
Custom masking with CSS classes
For fine-grained control, add specific CSS classes to elements you want to mask or unmask:
```html
<!-- Force mask this element -->
<div class="clarity-mask">Sensitive content here</div>
<!-- Prevent masking (use carefully) -->
<div class="clarity-unmask">Public content</div>
```
Tip: When in doubt, use Strict mode. You lose some context in session recordings, but you eliminate the risk of accidentally capturing personal data. Start strict, then selectively unmask elements you know are safe.
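Balanced mode only has rules for the three things listed above (form inputs, e-mail addresses, number-like strings), so a labelled name, a postal address or a diagnosis in a table cell is recorded in the clear unless you mask it or go Strict. The following is an added example, not code from the article or from Microsoft, of a pre-release audit that approximates those rules and flags what they would leave readable. Clarity's real detection heuristics are not public, so the e-mail and number patterns are an approximation, `LABELLED_PII_RE` is an assumed list of labels, and the `clarity-mask` / `clarity-unmask` class names follow the article; the sample records are constructed.

```javascript
// Added example, not code from the article or from Microsoft: a pre-release
// audit of what Balanced mode leaves readable. Clarity's real detection
// heuristics are not public; EMAIL_RE and NUMBER_ID_RE approximate the three
// things the article lists, and LABELLED_PII_RE is an assumed catalogue of
// labels that Balanced mode has no rule for. Class names follow the article.
const EMAIL_RE = /[\w.+-]+@[\w-]+\.[\w.-]+/;
// Phone- or ID-like: a digit run of 9+ characters allowing separators.
const NUMBER_ID_RE = /\+?\d[\d\s().-]{7,}\d/;
// Labels whose values are personal data but contain no e-mail or digit run.
const LABELLED_PII_RE = /\b(name|address|date of birth|patient|diagnosis|iban)\b\s*:/i;

// record: { tag, classes: string[], text } describes one visible element.
// Returns "masked:<why>", "visible", or "VISIBLE:<why>" for a finding.
function classifyForBalancedMode(record) {
  if (record.classes.includes("clarity-mask")) return "masked:class";
  if (record.tag === "input" || record.tag === "textarea") {
    return record.classes.includes("clarity-unmask")
      ? "VISIBLE:unmasked-input"
      : "masked:default";
  }
  if (EMAIL_RE.test(record.text) || NUMBER_ID_RE.test(record.text)) {
    return "masked:balanced-heuristic";
  }
  if (LABELLED_PII_RE.test(record.text)) return "VISIBLE:likely-pii";
  return "visible";
}

// Findings only: elements Balanced mode would record in the clear although
// they probably hold personal data. Each is a candidate for clarity-mask,
// or a reason to switch the project to Strict.
function auditForBalancedMode(records) {
  return records
    .map((r) => ({ ...r, verdict: classifyForBalancedMode(r) }))
    .filter((r) => r.verdict.startsWith("VISIBLE"));
}

// Collect records from a live page (browser only): leaf elements with text.
function collectRecords(doc) {
  const out = [];
  for (const el of doc.querySelectorAll("body *")) {
    if (el.children.length) continue; // leaves only, to avoid double counting
    out.push({
      tag: el.tagName.toLowerCase(),
      classes: Array.from(el.classList),
      text: (el.value || el.textContent || "").trim(),
    });
  }
  return out;
}

// Constructed sample of an account page, so the audit runs offline.
const SAMPLE_RECORDS = [
  { tag: "input", classes: [], text: "jane@example.com" },
  { tag: "p", classes: [], text: "Contact: jane@example.com" },
  { tag: "span", classes: [], text: "Order ref 4411 2290 3371 0" },
  { tag: "td", classes: [], text: "Patient: Jane Doe" },
  { tag: "td", classes: ["clarity-mask"], text: "Diagnosis: redacted" },
  { tag: "textarea", classes: ["clarity-unmask"], text: "free text" },
  { tag: "h1", classes: [], text: "Welcome to your dashboard" },
];

// In a browser, print the findings for the current page; offline, the
// constructed sample yields two findings (the patient cell and the unmasked
// textarea).
if (typeof document !== "undefined") {
  console.table(auditForBalancedMode(collectRecords(document)));
} else {
  console.table(auditForBalancedMode(SAMPLE_RECORDS));
}
```

Run it in the browser console on a staging copy of each page that shows customer data before enabling recordings; anything it flags is either masked with `clarity-mask` or is the argument for switching the project to Strict, after which the `clarity-unmask` findings become the only list that needs review.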
Data Processing Agreement (DPA)
GDPR requires a Data Processing Agreement between you (the controller) and Microsoft (the processor). Microsoft covers this through their Online Services Terms and Data Processing Addendum, which applies to all Microsoft services including Clarity.
Key points covered by Microsoft's DPA:
- Data processing scope: Microsoft processes data only as instructed by you and for the purposes of providing the Clarity service.
- Sub-processors: Microsoft lists approved sub-processors and notifies of changes.
- Data deletion: Data is retained for a limited period and can be deleted by removing the project.
- International transfers: Covered by Standard Contractual Clauses (SCCs) for EU-to-US transfers.
- Security measures: Microsoft implements technical and organizational measures appropriate to the risk.
You don't need to sign a separate DPA for Clarity — it's included in Microsoft's standard terms when you create an account. However, keep a record of this for your GDPR documentation.
Privacy Policy Requirements
Your website's privacy policy must disclose the use of Clarity. At minimum, include:
- What you use: "We use Microsoft Clarity to understand how users interact with our website."
- What data is collected: "Clarity records mouse movements, clicks, scroll behavior, and page interactions."
- Purpose: "This data helps us improve our website's usability and user experience."
- Cookies: List the specific Clarity cookies and their purposes.
- Data processor: "Data is processed by Microsoft Corporation."
- Masking: "Sensitive content such as form inputs is automatically masked."
- Link to Microsoft's privacy statement: Include a link for transparency.
Clarity vs. Other Tools: Privacy Comparison
| Feature | Microsoft Clarity | Hotjar | PostHog (Cloud) |
|---|---|---|---|
| IP Storage | Not stored | Not stored | Configurable |
| Auto Content Masking | Yes (3 modes) | Yes | Configurable |
| DPA Available | Yes (standard terms) | Yes | Yes |
| EU Data Residency | No (US processing) | EU option available | EU option available |
| Self-Hosting Option | No | No | Yes |
| Cookie-less Mode | No | No | Yes (limited) |
| Price | Free | Free tier + paid | Free tier + paid |
Clarity's main privacy limitation is the lack of an EU data residency option. Data is processed on Microsoft's infrastructure, which includes US-based servers. This is covered legally by Standard Contractual Clauses, but some organizations with strict data sovereignty requirements may need to evaluate this.
Practical GDPR Compliance Checklist
Use this checklist to ensure your Clarity implementation is GDPR compliant:
- Cookie consent banner implemented — Clarity loads only after user consent
- Clarity cookies categorized as "Analytics" in your CMP
- Content masking mode reviewed and set appropriately (Balanced or Strict)
- Sensitive page elements manually masked with the `clarity-mask` class where needed
- Privacy policy updated to mention Clarity, its data collection, and cookies
- Microsoft's DPA/Online Services Terms documented in your records
- DPIA conducted if processing high-risk data (healthcare, finance)
- Bing data sharing disabled in Clarity settings if not needed
- Data retention period reviewed in Clarity project settings
- User opt-out mechanism works correctly (stops tracking + deletes cookies)
Disabling Bing Data Sharing
By default, Clarity can share data with Microsoft Advertising (Bing) for improved ad targeting. If you don't use Bing Ads, disable this in Clarity Settings under "Data sharing." This reduces the scope of data processing and simplifies your GDPR position — fewer purposes means a simpler privacy policy and less risk.
Handling Data Subject Requests
Under GDPR, users can request access to, deletion of, or restriction of their personal data. For Clarity data:
- Access requests: Clarity doesn't provide a way to look up an individual user's data by email or name. Since Clarity uses anonymous session IDs, connecting a specific person to their recordings requires additional identifiers you would need to provide.
- Deletion requests: You can delete an entire Clarity project's data, but not individual user recordings. Document this limitation in your DPIA.
- Restriction: You can stop tracking specific pages or user segments using Clarity's configuration options.