Session recordings are appearing in your Hotjar dashboard for visitors who never accepted anything. That's the recording tool doing what its default install does — here's the fix.
Fresh incognito window, DevTools → Network, filter on hotjar, banner untouched. An ungated install loads static.hotjar.com/c/hotjar-XXXX.js with the page, pulls recorder modules from script.hotjar.com, and starts talking to Hotjar's ingestion endpoints (*.hotjar.com XHR/WebSocket traffic) right away. Application → Cookies shows _hjSession… cookies on first paint.
The confirming evidence is in your own Hotjar dashboard: recordings and heatmap samples exist for sessions where no one ever accepted the banner. In our 2026 scan of 1,478 small-business sites, Hotjar was firing before consent on 119 sites.
Not sure what's firing on your site? See every pre-consent tracker — free, 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
Hotjar's install instructions put the snippet in <head>, and it initializes the moment it loads. Unless you deliberately wrap it, recording starts with the page — consent banner or not.
The Hotjar tag in Google Tag Manager fires on All Pages with no Consent settings, so the recorder starts as soon as the container loads.
Hotjar is filed under "functional" or an uncategorized bucket in your consent platform, or the auto-blocker doesn't recognize static.hotjar.com — so the script is allowed through before the visitor answers.
A platform integration toggle (site builders and some WordPress plugins offer one-click Hotjar) injects the snippet outside your CMP's control, in parallel with the copy you gated.
California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting a communication without the consent of all parties. Since 2022, plaintiff firms have applied that decades-old wiretapping statute to websites — arguing that recording a visitor's clicks, scrolls, and form input and streaming them to a recording vendor before the visitor consents is an intercepted communication. Statutory damages under § 637.2 run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count, which is why even small sites receive demand letters. Similar all-party-consent statutes in Pennsylvania (WESCA), Florida (FSCA), and Massachusetts have produced parallel filings.
Session-recording tools sit at the center of the CIPA § 631 wave specifically because they capture the contents of an interaction — what a visitor typed and did — and transmit it to a third party in real time.
To be precise about what a network log can tell you: a tracker firing before consent is a technical finding — it establishes when a script transmitted data, not whether any law was broken. But timing is exactly what these claims are built on, which is why fixing the timing is the practical response.
*.hotjar.com before consent.// Only call this AFTER your CMP reports consent — never on initial load.
function loadHotjar(h,o,t,j,a,r){
h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};
h._hjSettings={hjid:YOUR_HJID,hjsv:6};
a=o.getElementsByTagName('head')[0];
r=o.createElement('script');r.async=1;
r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;
a.appendChild(r);
}
// cmp.onConsent('analytics', () => loadHotjar(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv='));Move the standard Hotjar snippet into a function and only call it from your CMP's consent callback.
Verify the fix in 30 seconds — free re-scan, no signup.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
Hotjar's standard snippet initializes on page load by design, so unless you deliberately gate it — wrapping the snippet in a consent callback or requiring consent on the GTM tag — it records everyone. Category mismatches in the consent platform and duplicate installs via site-builder integrations are the other common causes.
Whether any recording violates CIPA is a legal question that depends on facts a scan can't decide — a pre-consent recording is a technical finding. But session-recording before consent is the central fact pattern of the CIPA § 631 lawsuit wave, with statutory damages up to $5,000 per violation argued per session, so it's the pattern most worth eliminating. Not legal advice.
Wrap the snippet in a function called only from your CMP's accept callback (or require consent on the GTM tag), turn on Hotjar's form-field suppression, remove duplicate installs, and verify with a free re-scan that nothing reaches *.hotjar.com before consent.