A Guide to Microsoft Clarity & GDPR: How to Use Session Replay?

Microsoft Clarity can be used to improve your website’s user experience through session replays, heatmaps, and user behavior analytics. Clarity's functionality relies on cookies to link page views and sessions, enabling features like session recordings and funnel tracking.

However, it is important to understand Microsoft Clarity’s GDPR compliance. In the European Union, UK, and other countries, websites must comply with data privacy laws, such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive. These regulations require explicit user consent before dropping cookies on users' devices.

Cookie consent management is essential for Microsoft Clarity users who want to use session replay and cookies lawfully.

This guide explains whether Microsoft Clarity is GDPR-compliant, how to configure it, and how to use session replay and Microsoft Clarity cookies lawfully.

What Is Microsoft Clarity?

Microsoft Clarity is a powerful behavioral analytics tool that helps website owners track user behavior on their websites, understand session data, and enhance user experience. 

Microsoft Clarity provides insights through:

  • Session Replay
    Allows you to watch recordings of how users navigate and interact with your pages.
  • Heatmaps
    Allows visualization of where users click, scroll, or hover.
  • Insights & Filters
    Allows the identification of rage clicks, dead clicks, and common paths.

What Data Does Microsoft Clarity Collect?

Microsoft Clarity does not require users to input personal data such as names, emails or other Personally Identifiable Information.

Clarity processes these data types:

  • User interactions
    Mouse movements, clicks, scrolling, and hover behavior.
  • Session details
    Entry and exit pages, time spent on site, navigation patterns.
  • Device data
    Device and browser type, screen resolution, operating system.
  • Form fields
    Input data (hidden by default).
  • Geolocation
    Location of a website user (anonymized by default).

Unlike Google Analytics, Clarity emphasizes visual behavior analysis. However, it collects behavioral and technical data that can still be considered personal data under GDPR.

Microsoft Clarity and the GDPR

The General Data Protection Regulation (GDPR) is the EU’s data privacy law that regulates the collection, storage, usage, and sharing of personal data.

The GDPR has an extraterritorial scope: the law applies to organizations located outside the EU that collect or process personal data of individuals within the EU. The GDPR applies even if the organization doesn't have a physical presence in the EU.

The GDPR sets strict data privacy requirements. Organizations must:

Failure to comply can result in hefty fines of up to €20 million, or 4% of your company’s global annual revenue, whichever is higher.

Is Microsoft Clarity GDPR-Compliant?

Yes, Microsoft Clarity is GDPR-compliant, but you must configure it correctly.

With the help of Microsoft Clarity cookies, Clarity collects personal data such as user device info, screen resolution, mouse movements, clicks, or session recordings with anonymized content.

Microsoft Clarity offers numerous privacy features that help to comply with the GDPR, but it does not automatically ensure compliance. By default, Clarity masks sensitive data like real names, passwords, or credit card numbers. However, the user is responsible for configuring Microsoft Clarity to be GDPR-compliant, meaning that no personally identifiable information (PII) is captured.

To stay compliant, website publishers must implement Clarity’s Consent API, which facilitates collecting and managing user consent.

Does Microsoft Clarity Use Cookies?

Yes. Microsoft Clarity uses cookies, session storage, and other website trackers to identify returning users, measure engagement and performance, and to deliver accurate heatmap and session data.

These cookies are not strictly necessary cookies. Thus, websites must obtain prior consent before setting them on users’ devices.

Built-in Privacy Features in Microsoft Clarity

Microsoft Clarity includes several built-in privacy features designed to reduce the collection or exposure of Personally Identifiable Information (PII) and help website owners comply with privacy laws. These features are:

  • Automatic Masking of Sensitive Data
    Clarity automatically hides text input fields containing sensitive data, such as passwords, credit card numbers, and social security numbers. You can manually add more fields to be masked using CSS selectors.
  • IP address anonymization
    Clarity uses partial or obfuscated IP addresses for geolocation purposes without identifying individuals. It does not store complete IP addresses.
  • Masking modes
    You can select between relaxed, balanced (default) or strict, depending on your privacy needs.
  • No User Fingerprinting
    Microsoft Clarity does not use fingerprinting to track users. Instead, it relies on website cookies for user session identification. Before dropping cookies, Microsoft Clarity explains to users what data it is planning to collect and asks for Cookie Consent. Users have a real choice to accept or reject these cookies.
  • Do Not Track (DNT) Support
    Clarity respects the browser's Do Not Track (DNT) signal. If a user has DNT enabled, Clarity will not track that session.
  • CMP Integration
    Microsoft Clarity is compatible with Consent Management Platforms (CMPs) like CookieScript that support delayed script loading based on consent categories. Only the scripts in the categories the user accepted (e.g. analytics or targeting) will be loaded. Microsoft Clarity can be configured to run only after a user gives consent through a CMP.
  • Bot detection 
    Filters out traffic from known bots.
  • Role-based access control 
    Allows access control based on user roles.
  • IP blocking
    Excludes specific IP addresses.
  • Custom Masking Rules 
    You can set custom masking rules for specific elements (like email or chat fields, or user-generated content areas) to prevent personal data collection.
  • Data Encryption
    Microsoft Clarity secures data using Azure infrastructure encryption.
  • Data Retention Limits
    Microsoft Clarity limits session data storage for a specified time (by default, 30 days). This helps reduce long-term privacy risks and aligns with data minimization principles under GDPR.
  • No Keystroke Logging
    Clarity does not record keystrokes in a way that could reveal typed content. Instead, it tracks element interaction without capturing actual text unless specifically configured otherwise.

While these features go a long way in ensuring privacy, you must still manage cookie consent. Use CookieScript CMP to create and deliver a Cookie Banner that complies with privacy laws and to obtain Cookie Consent.

How to Use Session Replay and Cookies Lawfully: A Step-by-step Guide

Here is a step-by-step guide on how to use Microsoft Clarity in a GDPR-compliant way:

1. Update Your Privacy Policy

Your Privacy Policy should clearly state that you use Microsoft Clarity. Be transparent about:

  • What kind of data it collects.
  • The purpose of using Clarity (behavioral analytics).
  • The legal basis (consent) for using it.
  • Who the data processor is (Microsoft Ireland Operations Ltd.).
  • How users can opt out of Clarity tracking.
  • Reference to the EU–US Data Privacy Framework.
  • Provide a link to Microsoft’s privacy statement. 

2. Configure privacy settings within Clarity

Major data privacy features are built-in by default in Microsoft Clarity. However, you still must make some selections and configure additional settings.

Configure privacy settings within Clarity following the principle of data minimization:

  • Choose balanced or strict masking modes.
  • Disable tracking on sensitive pages (e.g. login, payment, dashboard).
  • Manually mask any additional sensitive fields your website uses.
  • Exclude internal traffic using IP blocking.
  • Review your settings regularly to keep them in line with site updates.

3. Use a Consent Management Platform (CMP)

A GDPR-compliant CMP like CookieScript blocks Clarity scripts by default until users give consent.

Choose a CMP like CookieScript that allows you to:

4. Enable users to opt out of their consent anytime

GDPR requires that websites provide users an option to withdraw consent as easily as they gave it. To comply with the GDPR, perform these steps:

  1. Provide a persistent “Cookie settings” link, where users can easily change their consent.
  2. Select a CMP that allows easy options to withdraw consent.
  3. Stop all Clarity tracking once users withdraw consent.
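The consent-gated loading described in steps 3 and 4 (load Clarity only after consent for its category, honour Do Not Track, and stop tracking when consent is withdrawn) looks like this in practice. This is an added illustration, not Clarity's or CookieScript's own code: `CLARITY_PROJECT_ID` is a placeholder, `onConsentChange` is assumed to be the hook your CMP calls with a `{category: boolean}` map, and the Consent API calls `clarity('consent')` / `clarity('consent', false)` are assumed from Clarity's public documentation.

```javascript
// Consent-gated Microsoft Clarity loader (added illustration, not Clarity's or
// CookieScript's own code). Assumptions: CLARITY_PROJECT_ID is a placeholder, the
// CMP calls onConsentChange() with a {category: boolean} map, and Clarity's
// Consent API is invoked as clarity('consent') / clarity('consent', false).
const CLARITY_PROJECT_ID = "YOUR_CLARITY_PROJECT_ID"; // placeholder, replace
const CLARITY_CATEGORY = "performance";                // banner category Clarity is mapped to

// Decide what to do; pure so it can be unit-tested without a browser.
// loaded: whether the Clarity tag was already injected during this page load.
function decideClarityAction(loaded, consent, dntEnabled) {
  if (dntEnabled) return "none";                       // honour Do Not Track outright
  const granted = !!consent && consent[CLARITY_CATEGORY] === true;
  if (granted) return loaded ? "grant" : "load";       // load once, re-grant afterwards
  return loaded ? "revoke" : "none";                   // withdrawal only matters if loaded
}

// Inject the tag with a command-queue stub (same pattern as the public snippet)
// so consent calls made before the script finishes loading are replayed by Clarity.
function injectClarity(win, doc) {
  win.clarity = win.clarity || function () {
    (win.clarity.q = win.clarity.q || []).push(arguments);
  };
  const s = doc.createElement("script");
  s.async = true;
  s.src = "https://www.clarity.ms/tag/" + encodeURIComponent(CLARITY_PROJECT_ID);
  doc.head.appendChild(s);
}

// Hook for the CMP: applies the decision to the page and returns the action taken.
function onConsentChange(consent, win, doc) {
  const dnt = win.navigator && (win.navigator.doNotTrack === "1" || win.doNotTrack === "1");
  const action = decideClarityAction(Boolean(win.__clarityLoaded), consent, dnt);
  if (action === "load") { injectClarity(win, doc); win.__clarityLoaded = true; }
  if (action === "load" || action === "grant") win.clarity("consent");
  if (action === "revoke") win.clarity("consent", false); // stop tracking on withdrawal
  return action;
}
```

Wire `onConsentChange(consentMap, window, document)` to both the initial banner decision and the “Cookie settings” link so that a later withdrawal reaches Clarity as well.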

5. Keep documentation up to date

First, add your privacy and legal documents directly to your cookie banner.

Second, keep documentation up to date. The documents should explain:

  • Why you use Microsoft Clarity.
  • What data categories you collect.
  • The legal basis for using Clarity (consent).
  • How long you keep the data (up to 12 months).
  • What security measures you use.

6. Respect User Rights

Under GDPR, users have the right to:

  • Access their data.
  • Request deletion or correction.
  • Object to or restrict processing.

Make sure your website can handle these requests in time. Document your Clarity data collection and how you respond to user-rights requests. You must respond to requests within 30 days.

Final Thoughts

Microsoft Clarity is a powerful analytics tool, but it must be used responsibly. It is GDPR-compliant, but you must configure it correctly. Microsoft Clarity has many privacy features that help to comply with the GDPR, but it does not automatically ensure compliance. By default, Clarity masks sensitive data. However, the user is responsible for configuring Microsoft Clarity to be GDPR-compliant, meaning that no Personally Identifiable Information (PII) is captured.

Use Microsoft Clarity in a GDPR-compliant way: transparently disclose that you use Clarity, properly manage cookies, and configure Clarity to protect personal data. By properly configuring Microsoft Clarity you can stay compliant and enhance the user experience of your website.

If you're already using a CMP like CookieScript, it can detect whether the user has given consent for analytics cookies, so you can use Clarity lawfully.

If not, start using one. CookieScript offers seamless integration with Microsoft Clarity, helping you meet all GDPR Cookie Consent requirements with minimal effort.

In Spring 2025, CookieScript received its fourth consecutive G2 badge as the Best Consent Management Platform.

Frequently Asked Questions

What is Microsoft Clarity?

Microsoft Clarity is a powerful behavioral analytics tool that helps website owners track user behavior on their websites, understand session data, and enhance user experience. When used with a CMP like CookieScript, Microsoft Clarity is GDPR-compliant.

Is Microsoft Clarity secure?

Yes. Microsoft Clarity has many built-in privacy features, but it must be configured correctly. It uses encryption to protect personal data, automatically masks sensitive data, uses IP address anonymization, supports Do Not Track (DNT), and other security measures. It can be integrated with CMPs like CookieScript to deliver a cookie banner and get cookie consent.

Is Microsoft Clarity GDPR-compliant?

Yes, Microsoft Clarity is GDPR-compliant, but you must configure it correctly. Microsoft Clarity has many privacy features that help to comply with the GDPR, but it does not automatically ensure compliance. The user is responsible for configuring Microsoft Clarity to be GDPR-compliant, meaning that no personally identifiable information (PII) is captured.

Does Microsoft Clarity use cookies?

Yes. Microsoft Clarity uses cookies, session storage, and other website trackers to identify returning users, measure engagement and performance, and deliver accurate heatmap and session data. These cookies are not strictly necessary cookies. Thus, websites must obtain prior consent before setting them on users’ devices. Use CookieScript to deliver a cookie banner and collect cookie consent.

Can I use Clarity with Google Consent Mode v2?

You can use both Microsoft Clarity and Consent Mode v2, but they do not integrate directly. Consent Mode v2 only integrates with Google services like GA4 and Ads. To manage Clarity, you need to use the Clarity Consent API or a CMP like CookieScript that supports both. When using a CMP, you can collect user consent for Google tools and Clarity tracking through separate but related mechanisms.

Do you need user consent when using Microsoft Clarity?

Yes. Microsoft Clarity collects some personal data that is not essential for website functionality. Under GDPR, this means you must obtain explicit and freely given consent prior to Clarity activation.
