Hotjar is a popular customer experience tool for analyzing your users’ browsing behavior. To do so, statistical data is shared with Hotjar to record videos of browsing behavior, create heatmaps, and produce other behavioral analyses. Hotjar also lets you show different direct feedback pop-ups on your site.
Does Hotjar collect personal data?
A customer experience tool like Hotjar collects a wide range of data to profile users’ behavior. The profiling is done by connecting different datasets while analyzing the users’ behavior. GDPR strongly prohibits the profiling of personal data and the automated processes that follow. If one of these datasets is personal data, you will need clear consent at the first visit, an explicit explanation about profiling in your privacy policy, and cookie descriptions in your cookie policy. Below you can find an explanation of the service suggested by Hotjar itself.
Hotjar will collect personal data by default, but is there a way to configure Hotjar to be compliant with GDPR? Is their privacy policy about data usage, purpose, and sharing transparent enough? The answer is yes. You can use Hotjar before consent, and this is how!
Configuring Hotjar for GDPR
We will discuss the following:
- Configuring Hotjar’s dashboard for GDPR
- Signing a DPA with Hotjar
- Implementation with Tag Manager
Configuring Hotjar’s dashboard for GDPR
Hotjar’s compliance efforts have been above par compared to their competition, making it quite easy to configure Hotjar for GDPR.
For heatmaps, recordings, and form analyses, you will need to suppress text and images if they contain, or may contain, personal data. In the latter case, think of a recording that captures users’ email addresses as they fill out a form, or a heatmap that shows your clients’ data because you have a portfolio on your website.
Go to the website you need to configure under Sites and Organizations and select the “Site settings” button on the right-hand side.
You will then be presented with a list of options to suppress data. Choose at least the ones shown below!
For the feedback modules, you will need to ask for consent before using visitors’ feedback and collecting their data in conjunction with the aforementioned profiled behavior.
With a video from Hotjar:
Data Retention and Data Requests
It’s good to know how a service provider collects and shares data with other parties. Hotjar outlines this straightforwardly in its data retention policy. For data requests from users, Hotjar has built a visitor lookup module to comply with the rights of access and erasure.
Signing a DPA with Hotjar
Because Hotjar will process data as a third party, it’s necessary to sign a DPA or Data Processing Agreement. The DPA states the responsibilities of Hotjar as a processor and you as the party responsible for the data collected.
This can be done online. Follow this link to read the DPA and sign it if you agree with its terms.
Deployment with Tag Manager
When you’re finished, you can deploy Hotjar with Tag Manager.
NB: Soon we will alter the wizard to check for a GDPR configuration of Hotjar to enable the script before consent. Until then, if you’re not using Tag Manager, you can unblock Hotjar from our blocklist by adding a function to your theme’s functions.php, or with an MU plugin, as can be read here:
For more about using Complianz and Tag Manager, please read this article.
If you configured Hotjar as described above, you can trigger Hotjar with the custom event cmplz_event_functional.
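What a custom-event trigger on cmplz_event_functional amounts to, written out as an added example (not code from Complianz or Hotjar). It assumes the event reaches the page as a dataLayer entry of the form { event: 'cmplz_event_functional' }, as Tag Manager custom events do; installConsentGate and loadTag are hypothetical names.

```javascript
// Added example: load a tag only once the Complianz custom event has been seen.
// Assumption: the event arrives as a dataLayer entry { event: 'cmplz_event_functional' }.
const CONSENT_EVENT = 'cmplz_event_functional';

// installConsentGate is a hypothetical helper; loadTag stands for whatever
// injects the Hotjar snippet on your site.
function installConsentGate(dataLayer, loadTag, eventName = CONSENT_EVENT) {
  let fired = false;

  const check = (entry) => {
    // Skip non-object entries and every event other than the one we wait for.
    if (fired || !entry || typeof entry !== 'object') return;
    if (entry.event !== eventName) return;
    fired = true; // load once, even if the event is pushed again
    loadTag();
  };

  // Replay entries that were pushed before the gate was installed.
  dataLayer.forEach(check);

  // Wrap push so later entries are inspected; the original push still runs.
  const originalPush = dataLayer.push.bind(dataLayer);
  dataLayer.push = (...entries) => {
    const length = originalPush(...entries);
    entries.forEach(check);
    return length;
  };

  return { hasFired: () => fired };
}

// Constructed demo data: a dataLayer with one unrelated entry already present.
function demo() {
  const dataLayer = [{ event: 'gtm.js' }];
  let loads = 0;
  installConsentGate(dataLayer, () => { loads += 1; });
  dataLayer.push({ event: 'other_event' }); // constructed name: must not load
  const before = loads;
  dataLayer.push({ event: CONSENT_EVENT });
  dataLayer.push({ event: CONSENT_EVENT }); // repeat: must not load twice
  return { before, after: loads, length: dataLayer.length };
}
```

In the browser, pass window.dataLayer and a function that inserts the Hotjar snippet as loadTag.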
Sources
https://www.hotjar.com/privacy/gdpr-compliance
https://help.hotjar.com/hc/en-us/articles/115011639887-Data-Safety-Privacy-Security
https://www.hotjar.com/blog/hotjar-approach-privacy/
https://hotjar.eu1.echosign.com/public/esignWidget?wid=CBFCIBAA3AAABLblqZhCjoILOIpxMNAH4eKPkSw-y39xdm0RsZ7K3dsJAkGSQuQj-YRuGKg0usdY_XvKv-NQ*
We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices (in particular device’s IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. For further details, please see Hotjar’s privacy policy by clicking on this link.
You can opt out of the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link.