Tracking

Heat maps, session recordings, and the "legitimate interest" grey area

Session recording tools sell themselves on the legitimate-interest argument: "we anonymize, we are GDPR-friendly, no consent required." EU DPAs have consistently rejected this. The recording itself is the storage event, and the storage is non-essential.

By Veracly Compliance Team · 6 min read

Session-recording tools (Hotjar, FullStory, LogRocket, Microsoft Clarity, Mouseflow, Smartlook) have a vendor pitch that goes: “Our data collection qualifies as legitimate interest under GDPR Article 6(1)(f). You can deploy without a consent banner.” This pitch is wrong about EU law in three independent ways. The tools themselves are not the problem; the deployment pattern is.

Why legitimate interest fails for recording

First failure: ePrivacy Article 5(3). When the recording script runs, it writes a session identifier to the user’s terminal equipment (a cookie or a localStorage entry) and reads information already stored there. Article 5(3) of the ePrivacy Directive requires consent for any storage or access that is not strictly necessary to deliver the service the user asked for, and a behavioral recording is not. GDPR Article 6 governs what happens to data after collection; it cannot displace Article 5(3) at the collection step. The EDPB has rejected the “legitimate interest for cookie storage” argument more than once.

Second failure: balancing test. Article 6(1)(f) requires that the controller’s legitimate interest is not overridden by the interests or fundamental rights of the data subject. The EDPB’s Guidelines on Article 6(1)(f) state that fine-grained behavioral profiling — which session recording is — generally fails the balancing test for marketing-derived legitimate interests. The user’s reasonable expectations on a transactional or informational website do not include their cursor being filmed.

Third failure: special-category data exposure. Session recordings routinely capture form-input fields. Even with vendor input masking turned on, the mask is pattern-based and routinely misses sensitive inputs (health intake forms, financial application forms, ID upload pages). Article 9(1) GDPR prohibits processing special-category data unless one of the Article 9(2) exceptions applies, and legitimate interest is not among them. The risk of inadvertently capturing Article 9 data is high enough that legitimate interest is not a defensible deployment posture.

What the regulators have actually said

  • CNIL (France): 2020 guidelines on cookies and trackers explicitly named session-recording and heatmap tools as requiring consent. CNIL has sanctioned several mid-sized French sites for deploying Hotjar without consent (2022–2024 enforcement actions).
  • Garante (Italy): 2021 cookie guidelines aligned. The Garante has specifically targeted Italian e-commerce sites using Smartlook and Mouseflow without consent.
  • Datatilsynet (Norway): 2023 position paper on session-recording tools, holding that the “legitimate interest” argument fails the balancing test for behavioral profiling.
  • Bavarian DPA (Germany): Repeated guidance treating session-recording cookies as analytics-tier consent obligations.
  • ICO (UK): Post-Brexit, ICO has retained the broadly aligned position. Recording tools require consent under PECR.

The positions converge: the EU DPAs have not split on this question. Vendors that claim a different jurisdictional consensus are selling marketing copy, not legal analysis.

What input masking does and does not solve

Every major session-recording vendor offers input masking, a client-side filter that blanks form fields matching configured patterns (input types, field names or selectors such as password, email, credit card). Vendors pitch this as the “privacy-respecting” mode. It is not a consent workaround. Masking addresses one risk (literal PII capture inside form fields) and not the others:

  • The recording still captures cursor paths, scroll patterns, click sequences, page navigation. This behavioral profile is personal data per recital 30.
  • The masking patterns are imperfect. Forms with non-standard input names (a health intake form’s “diagnosis” field, an application’s “condition” field) are captured unredacted.
  • Masking runs client-side inside the vendor’s script, so anything its patterns do not match leaves the browser unredacted and lands in the vendor’s stores. A vendor breach or a subpoena against the vendor exposes everything that slipped through.
  • The recording is associated with a session identifier the vendor can correlate across sessions if the same identifier persists in localStorage.

The deployment pattern that actually works

Session recording is not banned in the EU. It is consent-gated. The compliant deployment pattern:

  1. Load the recording script post-consent only. A type="text/plain" attribute on the script tag at first render keeps the browser from fetching or executing it; after the user accepts the analytics category, the CMP re-inserts it as a text/javascript script (editing the type attribute in place is not enough, because browsers do not execute a script they have already parsed as inert). Every major CMP supports this.
  2. Enable input masking even with consent. Defense-in-depth. Consent does not entitle the controller to special-category data.
  3. Document the legal basis as Article 6(1)(a) consent. Not legitimate interest. Vendor templates and policy generators often default to legitimate interest; override.
  4. Add the recording tool to the cookie policy and subprocessors page. The vendor is processing personal data on the controller’s behalf, and Article 13/14 transparency requires disclosure.
  5. Honor reject and delete requests. Recordings created under consent are deletable on Article 17 request. The vendor must support this and you must wire your support process to forward the requests.
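Steps 1 and 5 above in working form, as an added example that is not Veracly's code and not any CMP's or recording vendor's SDK: the recorder tag ships inert with type="text/plain" and is re-inserted as a real script only when the CMP reports explicit consent for its category, and on reject or withdrawal the identifiers a recorder left in Web Storage are purged. The data-consent-category attribute, the example URLs and the storage-key prefixes are assumptions; the fake document at the end exists only so the block runs offline in Node.

```javascript
// Consent-gated loading of a session-recording script. Added example for this
// article; not Veracly's code nor any CMP's or recording vendor's SDK. The
// data-consent-category attribute, URLs and storage-key prefixes are assumptions.
// Markup assumed (the browser ignores type="text/plain", so nothing is fetched,
// run or written to the device until consent for the category arrives):
//   <script type="text/plain" data-consent-category="analytics"
//           src="https://recorder.example/record.js"></script>

// Reduce whatever the CMP hands back to {category: boolean}. Only a literal
// true counts; "true", 1 or a missing key is treated as refusal.
function normalizeConsent(raw) {
  const out = {};
  if (raw && typeof raw === "object") {
    for (const [category, value] of Object.entries(raw)) out[category] = value === true;
  }
  return out;
}

// A gated script may run only if it is still inert and its category is consented.
function shouldActivate(el, consent) {
  if ((el.getAttribute("type") || "").toLowerCase() !== "text/plain") return false;
  const category = el.getAttribute("data-consent-category");
  return category !== null && consent[category] === true;
}

// Browsers do not execute an already-parsed script whose type attribute is
// edited in place, so activation means re-inserting it as a fresh script node.
function activateScript(doc, el) {
  const fresh = doc.createElement("script");
  for (const { name, value } of Array.from(el.attributes)) if (name !== "type") fresh.setAttribute(name, value);
  fresh.setAttribute("type", "text/javascript");
  fresh.textContent = el.textContent;
  el.parentNode.replaceChild(fresh, el);
  return fresh;
}

// Apply a consent decision to every gated script. Returns the activated src
// URLs so the decision can be logged as evidence of post-consent loading.
function applyConsent(doc, rawConsent) {
  const consent = normalizeConsent(rawConsent);
  const activated = [];
  for (const el of Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'))) {
    if (shouldActivate(el, consent)) activated.push(activateScript(doc, el).getAttribute("src") || "(inline)");
  }
  return activated;
}

// On reject or withdrawal the gated scripts simply stay inert, but identifiers a
// recorder stored during an earlier, consented visit must go too, or the next
// recording can be correlated with the old one. Works on any Web Storage object.
function purgeRecorderState(storage, prefixes) {
  const removed = [];
  for (let i = storage.length - 1; i >= 0; i--) {
    const key = storage.key(i);
    if (prefixes.some((p) => key.startsWith(p))) { storage.removeItem(key); removed.push(key); }
  }
  return removed.sort();
}

// Minimal in-memory stand-in for the DOM so the example runs offline in Node
// (constructed for this demo; in a browser pass the real `document`). Its
// querySelectorAll only answers the one selector applyConsent uses.
function makeFakeDocument(scriptSpecs) {
  const parent = { children: [] };
  parent.replaceChild = (fresh, old) => {
    parent.children[parent.children.indexOf(old)] = fresh;
    fresh.parentNode = parent;
  };
  const makeEl = (attrs) => {
    const el = {
      attributes: [], textContent: "", parentNode: parent,
      getAttribute(n) { const a = this.attributes.find((x) => x.name === n); return a ? a.value : null; },
      setAttribute(n, v) { const a = this.attributes.find((x) => x.name === n); if (a) a.value = v; else this.attributes.push({ name: n, value: v }); },
    };
    for (const [n, v] of Object.entries(attrs)) el.setAttribute(n, v);
    return el;
  };
  for (const spec of scriptSpecs) parent.children.push(makeEl(spec));
  return {
    scripts: parent.children,
    createElement: () => makeEl({}),
    querySelectorAll: () => parent.children.filter((el) =>
      el.getAttribute("type") === "text/plain" && el.getAttribute("data-consent-category") !== null),
  };
}

// Demo: a gated recorder script, activated only when analytics is accepted.
const demoDoc = makeFakeDocument([
  { type: "text/plain", "data-consent-category": "analytics", src: "https://recorder.example/record.js" },
]);
console.log(applyConsent(demoDoc, { analytics: true })); // -> [ 'https://recorder.example/record.js' ]
```

Two details matter in practice: a consent value that is not the literal boolean true (some CMPs emit the string "true") is treated as refusal, and activation clones the node rather than editing its type attribute, because browsers will not execute a script they have already parsed as inert. Wire applyConsent to the CMP's consent-changed callback and purgeRecorderState to its reject/withdraw callback, with the prefixes taken from the vendor's documentation.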

Veracly’s flag

Veracly’s trackers database tags Hotjar, FullStory, LogRocket, Microsoft Clarity, Mouseflow, Smartlook, Inspectlet, and Crazy Egg as high-severity tracking categories with a session-recording subtype. Every scan flags them when they fire pre-consent and includes a jurisdictional note pointing at the EDPB and the relevant national-DPA enforcement decisions. The vendor pitch does not override the scan finding.

See also: Tracking pixel audit · Cookies, localStorage, IndexedDB consent

Common questions

Is "anonymized" session recording exempt from consent?

No. The recording itself involves storage on the user's terminal equipment (a session identifier and recording state) and processing of behavioral data that the EDPB has consistently classified as personal data, whatever the vendor's own description says about "anonymization". ePrivacy Article 5(3) and GDPR Article 6 both apply.

Do these tools really capture personal data?

Yes. Session recordings capture mouse movements, click sequences, form input (often including PII before sanitization), and scroll patterns. Even with input masking enabled, the behavioral profile is sufficient to identify a returning visitor in a small population. The CNIL, Garante, and Bavarian DPA have all confirmed this position.

What about Microsoft Clarity's "free, GDPR-friendly" pitch?

Microsoft Clarity is one of the most aggressive tools in this category and is generally classified by EU DPAs as requiring consent. The "GDPR-friendly" claim refers to Microsoft's data-processing agreements and EU hosting options, not to the consent question. Consent is still required.
