Analytics analytics_storage

Microsoft Clarity — consent fix

Microsoft Clarity (clarity.ms) loads before consent and starts session recording. _clck (1 year) and MUID (Microsoft User ID, 1 year) are set before consent. Clarity shares data with Microsoft Advertising.

Domains

  • clarity.ms
  • c.bing.com

Cookies

  • _clck
  • _clsk
  • MUID

Microsoft Clarity begins recording sessions immediately as soon as the page loads. It sets the cookies _clck (valid for 1 year) and MUID (Microsoft User ID, valid for 1 year). What makes the risk with Clarity particularly high compared to other analytics tools is that the collected data is shared with Microsoft Advertising by default. You are therefore transmitting personal data and user behaviour to an advertising network before your visitor has accepted the cookie banner. This is a direct violation of the GDPR.

Why Microsoft Clarity loads too early

Unlike many other tools, Microsoft Clarity does not have a native Consent API. You cannot instruct the script to pause and only start recording once consent is given.

If you load Clarity via Google Tag Manager (GTM) with a standard All Pages trigger, or if it is placed directly in the <head> of your website, the script will always start recording immediately, regardless of what the visitor selects in the cookie banner.

The Fix: Hard block Clarity via GTM

Because Clarity has no built-in pause mode, the only solution is to completely block the tag from loading until consent for statistics (analytics_storage) is granted. You use Google Tag Manager for this.

(Is your code not in GTM but hardcoded in the HTML? Remove it from there and implement Clarity via GTM, or use the specific auto-blocking feature of your CMP).

Add an Exception Trigger in GTM

Follow these steps in your GTM workspace to set up a watertight block:

  1. Open your Microsoft Clarity Tag.
  2. Scroll to the Triggering section.
  3. Click Add Exception.
  4. Click the + icon to create a new trigger.
  5. Choose the trigger type Custom Event.
  6. For Event name, enter .* and check the box for Use regex matching.
  7. Select Some Custom Events.
  8. Set the condition: Consent State — analytics_storage does not equal granted.
  9. Save the trigger as "Exception - No Analytics Consent" and add it to your Clarity Tag.

Important: To ensure that Clarity does start after the visitor grants consent in the banner, add an additional (second) trigger to your tag of the type Custom Event that listens for the consent_update event.

How to Verify the Fix

Use your browser's Network tab to prove that no recordings are made without consent.

  1. Open your website in an incognito window.
  2. Ignore the cookie banner completely (do not click anything).
  3. Open Developer Tools (F12) and navigate to the Network tab.
  4. Search for clarity.ms. There must be absolutely no scripts or data connections visible with this domain.

Not sure if the fix worked, or want to verify that no other scripts are leaking data? Run a free scan with ConsentChecker.eu for instant confirmation.

Sources

No CMP yet?

A Cookie Management Platform (CMP) handles consent automatically for Microsoft Clarity and other trackers — including the correct GTM integration.

Cookiebot → CookieYes → CookieFirst → Complianz → Borlabs Cookie → Enzuzo → ConsentOS →

Check your own site

Scan your website for free to see if Microsoft Clarity (or other trackers) loads before consent.

Start free scan →