Free scan
Hotjar · troubleshooting

Hotjar records before consent

Session recordings are appearing in your Hotjar dashboard for visitors who never accepted anything. That's the recording tool doing what its default install does — here's the fix.

What it looks like

Fresh incognito window, DevTools → Network, filter on hotjar, banner untouched. An ungated install loads static.hotjar.com/c/hotjar-XXXX.js with the page, pulls recorder modules from script.hotjar.com, and starts talking to Hotjar's ingestion endpoints (*.hotjar.com XHR/WebSocket traffic) right away. Application → Cookies shows _hjSession… cookies on first paint.

The confirming evidence is in your own Hotjar dashboard: recordings and heatmap samples exist for sessions where no one ever accepted the banner. In our 2026 scan of 1,478 small-business sites, Hotjar was firing before consent on 119 sites.

DevTools → Network — fresh incognito, banner untouched:
GET static.hotjar.com/c/hotjar-1234567.js ← loads with the page
GET script.hotjar.com/modules.….js ← recorder modules pulled immediately
Cookie: _hjSessionUser_… ← set before any banner click

Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Why it happens

1. The standard snippet runs on page load by design

Hotjar's install instructions put the snippet in <head>, and it initializes the moment it loads. Unless you deliberately wrap it, recording starts with the page — consent banner or not.

2. GTM tag with no consent requirement

The Hotjar tag in Google Tag Manager fires on All Pages with no Consent settings, so the recorder starts as soon as the container loads.

3. CMP category mismatch

Hotjar is filed under "functional" or an uncategorized bucket in your consent platform, or the auto-blocker doesn't recognize static.hotjar.com — so the script is allowed through before the visitor answers.

4. Injected by a site-builder integration

A platform integration toggle (site builders and some WordPress plugins offer one-click Hotjar) injects the snippet outside your CMP's control, in parallel with the copy you gated.

The risk context

California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that recording a visitor's clicks, scrolls, and form input and streaming them to a recording vendor before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.

Session-recording tools sit at the center of the CIPA § 631 wave specifically because they capture the contents of an interaction — what a visitor typed and did — and transmit it to a third party in real time.

To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.

How to fix it

  1. Do not load the Hotjar snippet on page load. Wrap it in a function and call it only from your CMP's consent callback — see the snippet below.
  2. In Hotjar, enable form-field suppression so input contents are never captured even when recording is allowed (Settings → Suppression).
  3. If Hotjar runs through GTM, set the tag's Consent settings to require analytics consent instead.
  4. Check for a second install via a platform integration and disable it, so only the gated copy exists.
  5. Re-scan to confirm no requests go to *.hotjar.com before consent.

Consent-gating snippet

// Only call this AFTER your CMP reports consent — never on initial load.
function loadHotjar(h,o,t,j,a,r){
  h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};
  h._hjSettings={hjid:YOUR_HJID,hjsv:6};
  a=o.getElementsByTagName('head')[0];
  r=o.createElement('script');r.async=1;
  r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;
  a.appendChild(r);
}
// cmp.onConsent('analytics', () => loadHotjar(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv='));

Move the standard Hotjar snippet into a function and only call it from your CMP's consent callback.

Verify the fix in 30 seconds — free re-scan, no signup.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Common questions

Why is Hotjar recording visitors who didn't consent?

Hotjar's standard snippet initializes on page load by design, so unless you deliberately gate it — wrapping the snippet in a consent callback or requiring consent on the GTM tag — it records everyone. Category mismatches in the consent platform and duplicate installs via site-builder integrations are the other common causes.

Is recording sessions before consent a CIPA violation?

Whether any recording violates CIPA is a legal question that depends on facts a scan can't decide — a pre-consent recording is a technical finding. But session-recording before consent is the central fact pattern of the CIPA § 631 lawsuit wave, with statutory damages up to $5,000 per violation argued per session, so it's the pattern most worth eliminating. Not legal advice.

How do I make Hotjar wait for consent?

Wrap the snippet in a function called only from your CMP's accept callback (or require consent on the GTM tag), turn on Hotjar's form-field suppression, remove duplicate installs, and verify with a free re-scan that nothing reaches *.hotjar.com before consent.

Related

Hotjar compliance guideSession replay & CIPA riskMicrosoft Clarity compliance guideConsent banner not blocking trackers
Monitor my site ($99/mo) Estimate my exposure