Session Replay & Heatmaps · Updated 2026
Hotjar records full session replays (mouse movement, scrolling, clicks, and form input) plus heatmaps of visitor behavior. Using Hotjar is not itself unlawful; the exposure under California's wiretapping law comes from running it before a visitor has consented.
Is this tracker on your site? Find out free in 30 seconds.
Real browser scan with evidence capture. No signup required to see results.
California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting communications without all-party consent. Since 2022, a wave of plaintiff-firm litigation has applied this 1967 wiretapping statute to website session-replay, chat, and pixel tools, arguing that capturing a visitor's clicks, keystrokes, and form input without consent is an unlawful interception. Hotjar records full session replays (mouse, scroll, clicks, and form input); plaintiffs have alleged that doing so without consent is exactly the interception § 631 describes, and several California federal courts have allowed such session-replay claims to proceed past the pleading stage.
Statutory damages are $5,000 per violation (Penal Code § 637.2), and plaintiffs argue that each affected visitor session is a separate violation, which is why even small sites receive demand letters.
In a landmark action (brought under the California Consumer Privacy Act rather than CIPA), the California Attorney General reached a $1.2M settlement with Sephora in 2022 over its use of tracking technologies without honoring consumer privacy choices. Private CIPA suits over session-replay and chat tools have named retailers, healthcare providers, and SaaS companies alike. The common thread: trackers firing before the visitor had any chance to opt out.
// Only call this AFTER your CMP reports consent, never on initial page load.
// Parameters follow Hotjar's own snippet: h = window, o = document,
// t = script URL prefix, j = URL suffix, a and r are scratch variables.
function loadHotjar(h,o,t,j,a,r){
  if (h._hjSettings) return;  // guard: a CMP can fire its consent callback more than once
  h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)};  // queue hj() calls until the script arrives
  h._hjSettings={hjid:YOUR_HJID,hjsv:6};  // replace YOUR_HJID with your Hotjar site ID
  a=o.getElementsByTagName('head')[0];
  r=o.createElement('script');r.async=1;
  r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv;  // https://static.hotjar.com/c/hotjar-<hjid>.js?sv=6
  a.appendChild(r);
}
// Example wiring (cmp.onConsent is a placeholder for your CMP's consent API):
// cmp.onConsent('analytics', () => loadHotjar(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv='));
Move the standard Hotjar snippet into a function and only call it from your CMP's consent callback, so nothing is injected on initial load.
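The wiring above leaves two practical questions open: which CMP events count as consent, and what happens when the CMP fires its callback more than once. The following is an added example (not Hotjar's or RegSentry's code) that gates the loader behind an IAB TCF v2 CMP's window.__tcfapi('addEventListener', 2, cb) listener. It assumes PURPOSE_ID is the TCF purpose your CMP maps session replay to (check your CMP's vendor mapping) and uses HOTJAR_SITE_ID as a placeholder; the event sequences at the bottom are constructed to show the behaviour without a browser.

```javascript
'use strict';

// Added example, not Hotjar's or RegSentry's code. Assumes a TCF v2 CMP.
// PURPOSE_ID is an assumption: use the purpose your CMP maps Hotjar to.
const PURPOSE_ID = 1;
const HOTJAR_SITE_ID = 'YOUR_HJID'; // placeholder

// Final TCF event states. While the banner is still open ('cmpuishown')
// nothing may load, even if a stored consent string already exists.
const FINAL_STATES = new Set(['tcloaded', 'useractioncomplete']);

// True only when the CMP reports a final decision that includes PURPOSE_ID.
function consentGranted(tcData, success) {
  if (!success || !tcData) return false;
  if (!FINAL_STATES.has(tcData.eventStatus)) return false;
  const consents = tcData.purpose && tcData.purpose.consents;
  return Boolean(consents && consents[PURPOSE_ID] === true);
}

// Wrap a loader so it runs at most once and never before consent.
// A CMP may fire its listener several times per page view (load, UI shown,
// user action, later changes); a naive callback would inject Hotjar twice or
// inject it on the pre-consent 'cmpuishown' event.
function createConsentGate(load) {
  let loaded = false;
  let loadCount = 0;
  function onTcfEvent(tcData, success) {
    if (loaded) return;
    if (!consentGranted(tcData, success)) return;
    loaded = true;
    loadCount += 1;
    load();
  }
  return { onTcfEvent, isLoaded: () => loaded, loadCount: () => loadCount };
}

// Replay a list of CMP events through a gate with a no-op loader and report
// what the gate did; this is how the example is exercised outside a browser.
function simulate(events) {
  const gate = createConsentGate(() => {});
  for (const e of events) gate.onTcfEvent(e.tcData, e.success);
  return { loaded: gate.isLoaded(), loadCount: gate.loadCount() };
}

// Constructed sample sequences (not real CMP output).
// Banner shown with a stale stored consent, user accepts, CMP re-fires once more.
const SAMPLE_EVENTS = [
  { success: true, tcData: { eventStatus: 'cmpuishown', purpose: { consents: { 1: true } } } },
  { success: true, tcData: { eventStatus: 'useractioncomplete', purpose: { consents: { 1: true } } } },
  { success: true, tcData: { eventStatus: 'useractioncomplete', purpose: { consents: { 1: true } } } },
];
// User rejects: the loader must never run.
const SAMPLE_REFUSAL = [
  { success: true, tcData: { eventStatus: 'useractioncomplete', purpose: { consents: { 1: false } } } },
];

// Browser wiring: Hotjar's loader script is injected only from inside the gate.
if (typeof window !== 'undefined' && typeof window.__tcfapi === 'function') {
  const gate = createConsentGate(() => {
    window.hj = window.hj || function () { (window.hj.q = window.hj.q || []).push(arguments); };
    window._hjSettings = { hjid: HOTJAR_SITE_ID, hjsv: 6 };
    const s = document.createElement('script');
    s.async = true;
    s.src = 'https://static.hotjar.com/c/hotjar-' + HOTJAR_SITE_ID + '.js?sv=6';
    document.head.appendChild(s);
  });
  window.__tcfapi('addEventListener', 2, gate.onTcfEvent);
}

console.log(simulate(SAMPLE_EVENTS), simulate(SAMPLE_REFUSAL));
```

The gate ignores 'cmpuishown' even when the stored consent string says yes, because the banner being open means the visitor has not yet made this session's choice; and it loads at most once, so the CMP re-firing after consent does not append a second Hotjar script tag.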
Hotjar's official privacy/consent documentation →
RegSentry runs a real browser against your site, watches exactly when Hotjar (and every other tracker) first contacts a third-party server, and captures the evidence — including whether it intercepts keystrokes typed into your forms.
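The same check can be reproduced by hand from a browser capture: record a HAR while loading the site, type a known probe value into a form field, click "Accept", and then look for third-party requests that started before the click. The following is an added example (not RegSentry's code) that performs that audit offline over a HAR-style entry list. The site, Hotjar paths, timestamps and probe value are all constructed for the example and are not Hotjar's real endpoints.

```javascript
'use strict';

// Added example, not RegSentry's code. Audits a HAR-style capture for
// third-party requests that fired before the consent click, tags Hotjar
// traffic, and checks whether any request body carried the probe value the
// tester typed into a form. All data below is constructed.

const FIRST_PARTY_HOST = 'example-shop.test';
const CONSENT_CLICKED_AT = Date.parse('2026-01-10T12:00:05.000Z');
// Value typed into the e-mail field before clicking "Accept".
const PROBE_VALUES = ['probe-7f3a@example.test'];

// Constructed HAR-style entries (hosts, paths and bodies are illustrative).
const SAMPLE_ENTRIES = [
  { startedDateTime: '2026-01-10T12:00:00.000Z',
    request: { method: 'GET', url: 'https://www.example-shop.test/' } },
  { startedDateTime: '2026-01-10T12:00:01.200Z',
    request: { method: 'GET', url: 'https://static.hotjar.com/c/hotjar-123456.js?sv=6' } },
  { startedDateTime: '2026-01-10T12:00:03.500Z',
    request: { method: 'POST', url: 'https://ws.hotjar.com/recording/constructed',
               postData: { text: '{"events":[{"type":"input","value":"probe-7f3a@example.test"}]}' } } },
  { startedDateTime: '2026-01-10T12:00:06.000Z',
    request: { method: 'GET', url: 'https://cdn.example-shop.test/app.js' } },
  { startedDateTime: '2026-01-10T12:00:07.000Z',
    request: { method: 'POST', url: 'https://ws.hotjar.com/recording/constructed',
               postData: { text: '{"events":[{"type":"scroll","y":400}]}' } } },
];

// Host matching that treats subdomains as part of the same party.
function belongsTo(host, base) {
  return host === base || host.endsWith('.' + base);
}

// Vendor tag for a host; extend the table for other trackers.
function vendorOf(host) {
  if (belongsTo(host, 'hotjar.com')) return 'hotjar';
  return 'other';
}

// One finding per third-party request that started before consent.
function auditPreConsent(entries, consentAt, firstPartyHost, probeValues) {
  const findings = [];
  for (const e of entries) {
    const host = new URL(e.request.url).hostname;
    if (belongsTo(host, firstPartyHost)) continue;   // first party: not a third-party interception
    const startedAt = Date.parse(e.startedDateTime);
    if (startedAt >= consentAt) continue;            // after consent: allowed
    const body = (e.request.postData && e.request.postData.text) || '';
    findings.push({
      url: e.request.url,
      host,
      vendor: vendorOf(host),
      msBeforeConsent: consentAt - startedAt,
      leaksFormInput: probeValues.some((v) => body.includes(v)),
    });
  }
  return findings;
}

// Collapse findings into the facts a demand letter would hinge on.
function summarize(findings) {
  return {
    preConsentRequests: findings.length,
    hotjarRequests: findings.filter((f) => f.vendor === 'hotjar').length,
    formInputLeaked: findings.some((f) => f.leaksFormInput),
    earliestMsBeforeConsent: findings.reduce((m, f) => Math.max(m, f.msBeforeConsent), 0),
  };
}

// Run against the constructed capture.
const preConsentFindings = auditPreConsent(SAMPLE_ENTRIES, CONSENT_CLICKED_AT, FIRST_PARTY_HOST, PROBE_VALUES);
console.log(JSON.stringify({ findings: preConsentFindings, report: summarize(preConsentFindings) }, null, 2));
```

On the constructed capture the audit flags the Hotjar script fetch 3.8 s before the click and a recording upload 1.5 s before it whose body contains the typed probe value; the post-consent upload and the first-party CDN request are not flagged. Using a unique probe string rather than a real address is what lets the body check prove keystroke capture without guessing at the vendor's encoding.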