Microsoft Clarity and privacy
Are you using Clarity? Are you collecting the appropriate consent from your visitors?
More and more websites are making use of Microsoft's session recording tool Clarity. Many websites are unfortunately using it without obtaining the correct consent from the people whose data it's collecting.
For many years, I've made use of another tool with clients that offers similar functionality to Clarity - Hotjar.
Hotjar is a European-based company and takes privacy seriously. They made explicit promises that the data collected would remain in the EU, and that it would never be sold to third parties.
The data collected about the visitors to your website is not exploited.
This makes the consent required for Hotjar quite straightforward. It is analytics. The data is used to analyse the use of the website and to help improve it.
A bit of Clarity
Clarity, Microsoft's competing product to Hotjar, is a free tool.
Well, it's free in the same sense as products such as Facebook, Snapchat and TikTok are free. Instead of paying for using it with money, you pay for Clarity with data.
With Facebook, Snapchat and TikTok, you pay by sharing your data as a user. In the case of Clarity, the organisation that deploys the tool on their website pays for Clarity with your data.
Google Analytics is also free. Yes, there is a paid version, but the vast majority of Google Analytics users are using the product without paying a fee. As with Clarity, some "payment" is effectively made by sharing the collected data with Google.
There's a big difference, though.
The difference is that Google Analytics has settings and consent management that make it possible to restrict Google from connecting the data collected from your site (or app) with other data that Google may have collected about your visitor or user.
Microsoft isn't very transparent about how the data collected is (potentially) shared with and used by other parts of Microsoft.
Subsection, paragraph, clause
Buried in the terms and conditions for Clarity is section 4.4 (c) (iii).
"Microsoft may use the Personal Data it collects in connection with the Offering for any purpose in accordance with the Microsoft Privacy Statement, including to provide the Offering; improve Microsoft’s products and services, including reporting and performance analysis; and create user profiles for purposes that include advertising. Microsoft may also use nonpersonal data it collects in connection with the Offering to provide and improve Microsoft’s products and services."
The key part of that clause is: "create user profiles for purposes that include advertising."
Microsoft claims the right to profile your visitors when you choose to use Clarity on your website. There's no opt-out. It's take it or leave it. Section 4.4 (d) says that it's your responsibility (as the organisation deploying Clarity on its website) to make sure you've obtained the appropriate consent from visitors before gathering data with Clarity.
Microsoft really isn't helping you here.
Cookie consent banners
Websites generally ask a consent question when you visit them, often called a "cookie banner". The consent requested is usually split into a few categories.
The most straightforward set of categories is:
- Necessary - which you can't opt out of,
- Functional - to support features on the website that aren't necessary but enhance your experience,
- Analytics - to gather data to analyse the use of the website and improve it,
- Marketing - to use the data collected from your visit to the website for marketing activities.
Of course, websites slice and dice these categories in numerous ways. Some media websites have a horrendous set of categories and even bring the rather dubious "legitimate interest" into the mix.
It's not unusual for me to audit a website and find that they are placing Clarity under the consent category for analytics. Which on the surface of things makes sense, as this is where you would place tools such as Hotjar, Google Analytics, Matomo (which can also perform session recording) and so on.
Marketing, just to clarify.
But Clarity doesn't just do analytics. As mentioned, the sharing of data with Microsoft, and the subsequent use of that data by Microsoft, is implicit in the terms and conditions of use. This puts Clarity firmly in the marketing consent category and not analytics.
There is a Cookie consent setting in Clarity that will instruct Clarity to wait until consent is received before it sets any cookies in your visitor's browser. This setting does not stop Clarity from running, and it does not override Section 4.4 (c) (iii).
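As an added example (not code from the original post or from Microsoft), here is a small consent gate that loads each tag only once the category it actually needs has been granted, with Clarity mapped to marketing, plus a deliberately misclassified mapping that shows what an analytics-only consent would otherwise load. The Clarity tag URL format is assumed from the public snippet, the project id is a placeholder, and the browser injection helper is illustrative.

```javascript
// Added example, not code from the original post or from Microsoft.
// Consent categories as described in the post; "necessary" can never be refused.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Category each tag needs before its script may load. Clarity sits under
// marketing because section 4.4 (c) (iii) lets Microsoft profile visitors for
// advertising; Clarity's own "cookie consent" setting only delays cookies and
// does not stop the script, so the script tag itself has to be gated.
const TAG_REQUIREMENTS = {
  hotjar: "analytics",
  matomo: "analytics",
  clarity: "marketing",
};

// The common audit finding: Clarity filed under analytics.
const MISCLASSIFIED = { ...TAG_REQUIREMENTS, clarity: "analytics" };

// Normalise a consent record: unknown or missing categories count as refused.
function normaliseConsent(consent) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = c === "necessary" ? true : consent[c] === true;
  }
  return granted;
}

// Sorted list of tags whose required category has been granted.
function tagsAllowed(consent, requirements = TAG_REQUIREMENTS) {
  const granted = normaliseConsent(consent);
  return Object.keys(requirements)
    .filter((tag) => granted[requirements[tag]])
    .sort();
}

// Inject the Clarity tag only when consent allows it. `inject` receives the
// script URL; the URL format follows the public Clarity snippet (assumption)
// and the project id is a placeholder. Returns whether the tag was injected.
function loadClarity(consent, inject, projectId = "CLARITY_PROJECT_ID_PLACEHOLDER") {
  if (!tagsAllowed(consent).includes("clarity")) return false;
  inject(`https://www.clarity.ms/tag/${projectId}`);
  return true;
}

// Browser-only helper (assumption): append an async script tag to <head>.
// Usage after the banner resolves: loadClarity(consentState, injectScript).
function injectScript(src) {
  const s = document.createElement("script");
  s.async = true; s.src = src;
  document.head.appendChild(s);
}
```

With the correct mapping, a visitor who ticks only analytics gets Hotjar or Matomo but not Clarity; with the misclassified mapping the same visitor would have Clarity loaded and their data shared under the profiling clause.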
The sample wording that Microsoft suggests for a sitewide disclosure and privacy policy also fails to address the awkwardness of their right to profile your visitors for advertising purposes.
I've seen websites - one example is Nelly.com - that are running Clarity without cookies, presumably thinking that no further consent under GDPR is required. I disagree.
The data retention help section explains that Clarity only retains data for between 30 days and 13 months (depending on the data). It also goes on to say that after this period of time, data on Clarity servers including backups will be deleted and cannot be recovered.
It fails to mention anything about data that might have been shared with other parts of Microsoft and used for profiling, as per the rights it lays out in the terms and conditions.
The Clarity help pages also fail to highlight that if you are using Microsoft Advertising UET (Universal event tracking) then Clarity is enabled by default. As using UET requires Microsoft's consent mode to be implemented, this default probably doesn't create any additional headaches.
Check your consent
The downside of classifying Clarity under marketing is that you are likely to have lower levels of consent than for analytics. The upside is that you are fully respecting the privacy choices of your visitors. 👏
For some organisations - such as public sector organisations - classifying Clarity as something that needs marketing consent could mean that the tool is not permitted to be deployed.
I've noticed municipalities here in Sweden using Clarity - one example is Örnsköldsvik Municipality - and not obtaining what I consider to be the correct consent.
Clarity is being incorrectly activated when analytics consent is given. I suspect this is down to ignorance rather than a deliberate attempt to mislead people. It nevertheless highlights how something "free" might not be quite as cost-free as it seems.
None of your business
It only takes NOYB to notice what is happening, or an individual to report you, and suddenly your organisation could find itself in front of the data protection regulators in your country and facing a hefty fine!