heatmap
Microsoft Clarity

no opt-out possible


Microsoft Clarity is a heatmap. Heatmaps are used to analyze user behavior on your website.


What is Microsoft Clarity?

Microsoft Clarity is a heatmap tool that allows you to record and analyze the behavior of users on your website. This lets you learn which areas of your website are particularly in focus and where the weak points are.

Why is Microsoft Clarity used?

As a website operator, it is of course important for you to know how your users use the website. Which images or text passages receive special attention and which do not? How are changes received by users? Which sections of text are particularly interesting for users? You may be able to answer these questions with Microsoft Clarity.

 

You can use the heatmap to identify areas that users spend a long time on, but you can also record entire sessions and view them afterwards. You can then use the findings to optimize your website.

 

From a data protection point of view, however, this sounds very tricky, since a lot of personal data is collected and the user is closely monitored. You will learn in the rest of the article how you can still use Microsoft Clarity.

What data is processed?

The data that Microsoft Clarity processes from the users of your website are the following:

  • IP address
  • Location
  • Browser information
  • Display resolution
  • Language settings
  • Visited website/subpages
  • Date/time of access to the website
  • Clicks, scrolls, mouse movements

Microsoft Clarity itself states that it will never sell users’ data to third parties. Also, no personal data is disclosed.

 

Microsoft stores the data in the Azure cloud and states that Microsoft or Clarity has access to this data. According to Microsoft, the Do-Not-Track (DNT) option is not currently supported. What is particularly tricky is that Microsoft says users do not have the option to decide not to be recorded.


Legal foundation for the processing

The legal basis for processing the data results from the GDPR in combination with the TTDSG, whereby the GDPR takes precedence should the two ever conflict.

 

The GDPR regulates the processing of personal data and the TTDSG focuses on access to the end device, e.g. the use of cookies.

When is there a requirement for consent?

Personal Data

The processing of personal data is only permitted if at least one of the letters of Art. 6 (1) GDPR is fulfilled. The two important letters are the following:

  1. The data subject has given their consent (lit. a)
  2. The processing is necessary to protect your legitimate interest (lit. f)

Cookies

According to Art. 25 (1) TTDSG, consent is required if cookies are set that are not technically absolutely necessary.

 

It should be noted that this means not only the well-known small text files and pixels, but all technologies that make it possible to find out, link or infer a user, a user agent or a device.

 

Thus, all information elements that enable the identification of a person are subject to consent.

The requirements for exemption from consent

To ensure consent-free use, the following conditions would need to be met:

 

  1. Conclusion of a processing contract with the processor
  2. No use of cookies or similar profiling techniques
  3. Processing of personal data exclusively in Europe
  4. The processor does not use the obtained data for its own purposes
  5. The processor does not link or enrich the data across different websites
  6. Possibility of opting out or revoking as well as detailed information about the collection of personal data in the privacy statement
  7. IP anonymization (“Privacy by Default”)
  8. Automatic opt-out for Do-Not-Track settings in the browser
  9. Proof of points 1-8 carried out by the website operator

IP address

Note that the IP address is generally personal data. If you want to prevent personal data from being transmitted, you must always ensure that the IP address is masked.


Server location

As long as it is not clear whether data is collected from a secure server location, compatibility with the GDPR is difficult to establish.


Company headquarters

In the case of American companies or their subsidiaries, the fact that it is an American company must also be taken into account. Since the ruling on the Privacy Shield, American companies are considered to belong to an insecure third country.

Why is Microsoft Clarity subject to consent?

  • The concept of Microsoft Clarity is based on the tracking of users
  • Cookies are set
  • Since this results in access to the user’s device, consent is required in accordance with the TTDSG.
  • The IP address is processed
  • Further personal data are processed and stored
  • Do-Not-Track is not supported
  • Opt-out is not possible

Thus, there are violations of the above points 2, 3, 6, 7, 8 and 9. Freedom from consent cannot be established.

 

DISCLAIMER: This does not mean that the points not mentioned are fulfilled.

 

That Microsoft Clarity requires consent should be clear from the nature of the service. The fact that there is apparently no possibility to opt out makes the whole thing extremely difficult. There are options on the user's side to prevent the service, but that is of course not enough.

Conclusion on the privacy-compliant use of Microsoft Clarity

Under these conditions, we must unfortunately advise against the use of Microsoft Clarity. Currently, there is no way to use the service in a privacy-compliant manner. Above all, the lack of an opt-out is a death blow.

 

To be able to use the tool, at least the following things should be clarified:

  • Possibility of opting out
  • Do-Not-Track must be considered
  • Data storage not in the United States

Cookiebox recommendation: Select an alternative provider.

Any questions?

Then feel free to call us. We will help you with questions about our product and features or generally about all data protection topics:

Want more information about the Privacy Hub or our consulting services?

Jörg ter Beek

Managing Director, Head of Sales & Partnerships