Hotjar — consent fix

Hotjar (static.hotjar.com/c/hotjar-XXXXX.js) loads before consent and immediately starts session recording. _hjid (1 year) and _hjSessionUser tracking cookies are set before consent. Session recordings may contain personal data (form inputs, scroll patterns).

Domains

  • hotjar.com
  • static.hotjar.com
  • script.hotjar.com
  • vc.hotjar.io
  • vars.hotjar.com

Cookies

Hotjar immediately starts recording visitor sessions and places tracking cookies (such as _hjid, valid for 1 year) as soon as your website loads. Because these session recordings capture details about how a visitor navigates, clicks, and fills out forms, you are processing personal data. If this happens before the visitor has consented to statistics cookies, you are violating the GDPR.

Why Hotjar loads too early

Hotjar is usually loaded via Google Tag Manager (GTM) or as a direct script in the <head> of the website. The problem is that the script does not inherently "wait". If you simply leave the GTM trigger set to All Pages, Hotjar begins filming the session right away, before the visitor has even had a chance to see the cookie banner.

The Fix: Only start Hotjar after consent

To make Hotjar GDPR-compliant, you must prevent the script from loading as long as there is no consent for statistics (analytics_storage). The most robust method is via Google Tag Manager.

1. Use an Exception Trigger in GTM (Recommended)

Follow these exact steps in your GTM workspace to set up a hard block:

  1. Open your Hotjar Tracking Code Tag.
  2. Scroll to the Triggering section.
  3. Click Add Exception.
  4. Click the + icon to create a new trigger.
  5. Choose the trigger type Custom Event.
  6. For Event name, enter .* and check the box for Use regex matching.
  7. Select Some Custom Events.
  8. Set the condition: Consent State — analytics_storage does not equal granted.
  9. Save the trigger as "Exception - No Analytics Consent" and publish your GTM container.

2. The Hotjar Consent API (Extra security)

Is your Hotjar script hardcoded in the HTML and are you not using GTM? Then you can use Hotjar's native Consent API. However, you must ensure your specific Cookie Management Platform (CMP) correctly triggers this API.

You can control Hotjar's status with the following lines of code (which you link to your CMP's events):

// No consent:
hj('consent', false);

// Consent granted:
hj('consent', true);

How to Verify the Fix

Use your browser's Network tab to see if Hotjar actually stops recording.

  1. Open your website in an incognito window.
  2. Ignore the cookie banner (do not click anything).
  3. Open Developer Tools (F12) and navigate to the Network tab.
  4. Search for hotjar. There should be no scripts loading from static.hotjar.com, and crucially: there must be no data connections to vc.hotjar.io (the recording endpoint) visible.
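The same check can be scripted against a HAR file exported from the Network tab, which helps when you re-test after every GTM publish. The following is an added example, not code from Hotjar or from this page's author: the function names, the HAR samples and the cookie strings are constructed for illustration, and it assumes you pass in the parsed HAR plus the value of document.cookie copied from the console. It matches on hostname rather than on the word "hotjar", so an unrelated file with "hotjar" in its path is not reported.

```javascript
// Added example (not Hotjar's or the site's code). Domain list and the _hj
// cookie prefix come from this page; all sample data below is constructed.
const HOTJAR_DOMAINS = ['hotjar.com', 'static.hotjar.com', 'script.hotjar.com',
  'vc.hotjar.io', 'vars.hotjar.com'];
const RECORDING_HOST = 'vc.hotjar.io';

// Match on the hostname (exact or subdomain), not on a substring of the URL,
// so "nothotjar.com" or "/js/hotjar-helper.js" on another host is not flagged.
function isHotjarHost(host) {
  const h = host.toLowerCase();
  return HOTJAR_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// har: parsed HAR object; cookieString: value of document.cookie (optional).
function auditPreConsent(har, cookieString = '') {
  const findings = [];
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname;
    } catch (e) {
      continue; // skip entries without a parseable URL
    }
    if (!isHotjarHost(host)) continue;
    const type = host === RECORDING_HOST ? 'recording-connection' : 'hotjar-request';
    findings.push({ type, detail: entry.request.url });
  }
  for (const pair of cookieString.split(';')) {
    const name = pair.split('=')[0].trim();
    if (name.startsWith('_hj')) findings.push({ type: 'hotjar-cookie', detail: name });
  }
  return findings;
}

// Constructed captures: a page that leaks, then one that is correctly gated.
const leakyHar = { log: { entries: [
  { request: { url: 'https://www.example.com/' } },
  { request: { url: 'https://static.hotjar.com/c/hotjar-XXXXX.js' } },
  { request: { url: 'https://vc.hotjar.io/constructed-path' } },
  { request: { url: 'https://cdn.example.com/js/hotjar-helper.js' } },
] } };
const cleanHar = { log: { entries: [
  { request: { url: 'https://www.example.com/' } },
  { request: { url: 'https://nothotjar.com/lib.js' } },
] } };

console.log(auditPreConsent(leakyHar, 'theme=dark; _hjSessionUser_0=constructed'));
console.log(auditPreConsent(cleanHar, 'theme=dark')); // []
```

An empty result for a capture taken before any banner interaction is the pass condition; any recording-connection finding means session data left the browser without consent.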

Not sure if the fix worked, or want to verify that no other scripts are leaking data? Run a free scan with ConsentChecker.eu for instant confirmation.
