Session replay integration
Hotjar on Shopify, made compliant
Session-replay and heatmap tool — records visitor sessions to identify UX issues.
Why consent applies to Hotjar
Session replay records mouse movement, clicks, scrolls, and form interactions — far more invasive than basic analytics. EU DPAs (notably the French CNIL and Italian Garante) have explicitly classified session-replay as requiring opt-in consent in the analytics category at minimum, and some treat it as marketing. Form-field redaction is mandatory regardless of consent — never record password or payment fields.
Cookies / scripts Hotjar sets
- `_hjSession_<id>`
- `_hjSessionUser_<id>`
- `_hjAbsoluteSessionInProgress`
Step-by-step compliance setup
1. Block hotjar.js until analytics consent
Hotjar's tracker loads via `<script src="https://static.hotjar.com/c/hotjar-<id>.js">`. Block it until the visitor accepts the analytics category, and ideally a separate session-replay sub-category if your banner offers one.
2. Configure form-field suppression in Hotjar
In the Hotjar dashboard, enable 'Suppress all input fields' globally and add a CSS-class allowlist for the fields that are safe to record. This is required regardless of consent: capturing PII from form fields is a separate GDPR violation from the consent question.
3. Disable Hotjar for opted-out visitors persistently
Hotjar's snippet sets a long-lived cookie (`_hjSessionUser_*`). When a visitor revokes consent, that cookie must be deleted and the tracker must not re-initialise on subsequent visits. A consent log helps prove this if challenged.
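The gating logic for steps 1 and 3 as a small consent-aware loader. This is an added example, not Consentico's or Hotjar's own code. It assumes a hypothetical consent record of the shape `{ analytics: boolean, sessionReplay?: boolean }` (the optional key models the session-replay sub-category), a placeholder site ID, and that the store passes its own apex domain when clearing cookies; step 2 (field suppression) is dashboard configuration and is not reproduced here.

```javascript
// Consent-gated Hotjar loader. Added example; assumptions are marked below.
const HOTJAR_HOST = "static.hotjar.com";
const HOTJAR_SCRIPT_PATH = /^\/c\/hotjar-\d+\.js$/;           // matches /c/hotjar-<id>.js
const HOTJAR_COOKIE_PREFIXES = ["_hjSession_", "_hjSessionUser_", "_hjAbsoluteSessionInProgress"];
const EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT";

// True only for the tracker URL form described on this page (https, static.hotjar.com, /c/hotjar-<id>.js).
function isHotjarScript(src) {
  let u;
  try { u = new URL(src, "https://shop.example/"); } catch { return false; }  // base is a placeholder
  return u.protocol === "https:" && u.hostname === HOTJAR_HOST && HOTJAR_SCRIPT_PATH.test(u.pathname);
}

// Opt-in check. Analytics must be an explicit `true`; if the banner exposes a
// session-replay sub-category (key present), that must be explicitly `true` too.
function replayConsented(consent) {
  if (!consent || consent.analytics !== true) return false;
  if ("sessionReplay" in consent) return consent.sessionReplay === true;
  return true;
}

// Default-deny decision for a script URL. Scripts that are not the Hotjar
// tracker are outside this example's scope and pass through unchanged.
function scriptAllowed(src, consent) {
  return !isHotjarScript(src) || replayConsented(consent);
}

// Names of the Hotjar cookies present in a document.cookie string.
function hotjarCookieNames(cookieString) {
  return cookieString.split(";")
    .map(c => c.trim().split("=")[0])
    .filter(name => HOTJAR_COOKIE_PREFIXES.some(p => name.startsWith(p)));
}

// document.cookie assignments that expire one cookie both as a host-only
// cookie and as a domain cookie on the store's apex domain (caller supplies the
// apex domain; guessing it from the hostname is unreliable for e.g. .co.uk).
function cookieExpiryStrings(name, apexDomain) {
  const base = `${name}=; Expires=${EXPIRED}; Path=/`;
  return [base, `${base}; Domain=.${apexDomain}`];
}

// Step 1: inject the tracker only after consent. Returns true if Hotjar is (or was already) loaded.
function loadHotjar(siteId, consent) {
  if (typeof document === "undefined" || !replayConsented(consent)) return false;
  if (document.querySelector(`script[src*="hotjar-${siteId}.js"]`)) return true;
  const s = document.createElement("script");
  s.async = true;
  s.src = `https://${HOTJAR_HOST}/c/hotjar-${siteId}.js`;
  document.head.appendChild(s);
  return true;
}

// Step 3: on revocation, expire every Hotjar cookie. Returns the names cleared so
// the caller can write them to its consent log. Re-initialisation is prevented
// simply by never calling loadHotjar() again while replayConsented() is false.
function revokeHotjar(apexDomain) {
  if (typeof document === "undefined") return [];
  const cleared = hotjarCookieNames(document.cookie);
  for (const name of cleared) {
    for (const assignment of cookieExpiryStrings(name, apexDomain)) document.cookie = assignment;
  }
  return cleared;
}
```

Wire `loadHotjar(SITE_ID, consent)` to the banner's accept event and `revokeHotjar("yourstore.example")` to its withdraw event; because the decision is taken from the stored consent record on every page view, a visitor who withdrew consent never gets the script re-injected, which is the persistence requirement in step 3.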
How Consentico handles Hotjar
Consentico classifies Hotjar as analytics by default but allows merchants to surface a separate 'session replay' sub-category for stricter posture. The script is blocked until consent, and the Hotjar cookies are cleared from the browser if consent is revoked.
- Default-deny before any tag fires
- Three-layer script blocking (createElement + MutationObserver + content-type)
- Audit-ready consent log
Related concepts
- GDPR: EU regulation governing how organisations process personal data of EU/EEA residents. Applies to any Shopify store with EU visitors.
- Consent (GDPR): Freely given, specific, informed, and unambiguous indication of agreement. No pre-checked boxes, no implied consent from continued browsing.
- Strictly necessary cookies: Cookies essential to a service the user has explicitly requested. Exempt from consent requirements under ePrivacy.
Block Hotjar until consent — in five minutes.
Free for stores under 5,000 banner views per month. No code, no theme edits.