Learn / Blog / Article

Back to blog

Our approach to privacy (2019 and beyond)

TL;DR: as Hotjar's CEO, I’m writing this article to talk openly about what we’ve learned around privacy, mistakes we’ve made, and how this is changing the way we are building Hotjar going forward.

Behind the scenes

Last updated

9 Sep 2021

From its very first day in 2014, Hotjar was designed with privacy of the end user in mind. We believed that looking at how people use a website as a whole was enough to get actionable insight, and set out to build a tool that could only collect anonymized behavioral data.

In those pre-GDPR days, we chose not to build functionality that would allow customers to see user IP addresses or assign other parameters and attributes to data within Hotjar, out of concern that some of it could be misused. For example, that people would watch a recording of somebody abandoning a shopping cart, find their email address, and message them to solicit a purchase.

In 2018, the General Data Protection Regulation (GDPR) was introduced into EU law, finally giving the industry a framework of how data can be collected and processed. We welcomed this legislation and the underlying principles of ‘Privacy by Design’ and ‘Privacy by Default’. At that point, we looked back and realized we had made the right call to not collect user IP addresses and block personal data (such as user IDs and emails) from being introduced into Hotjar, both of which had been common practices in the industry at that point.

But in completely blocking our customers from adding data to Hotjar, and forcing them to use our consent mechanism in feedback tools, we also went one step too far. We took away our customers’ ability to responsibly collect the data they needed and gave ourselves the power to dictate exactly what they could or could not do instead.

In doing so, we also blocked customers from passing data to Hotjar that would allow their users to request the deletion of personal data. Yes, the ability to pass a custom ID can be potentially mis-used, but it can also be used for good and even, in this example, to further safeguard users’ privacy—but our approach did not allow for it.

*

We know all this because YOU, our customers, have been telling us in customer interviews, through our feature-request page, and when talking to our Support team.

We have learned that you (as do we) have increasingly specific, sophisticated needs when it comes to understanding the behavior of your website visitors—and also the behavior of registered users or existing customers whose data and consent you already collect and safely store. There are many things Hotjar could help you do (e.g. investigate a bug, a ticket, or review a specific behavior of certain customer segments) to really improve your website experience, but we have basically prevented you from doing any of it.

It’s time for us to practice what we preach: listen to feedback and mature our product to give you, our customers, what you need. We want to shift that responsibility right back to where it belongs and give you the tools, control, and decision-power you need to best improve your users’ experience, while keeping privacy at the core of what we do.

Upcoming changes to Hotjar

In November 2019, we will start rolling out Hotjar’s Identify API (our first API), which allows customers who enable it to pass user attributes into their Hotjar account.

(It's important to note upfront that this feature will be optional to use, and customers who use Hotjar precisely because it allows them to understand user behavior without identifying individuals will continue to be able to do so. We know the importance of managing personal information with respect to privacy law, and a bit further on I’ll detail the steps we’ll ask customers to take to be sure they’re being compliant.)

As a Hotjar customer using the Identify API, you will be able to send information you already have about your website visitors (attributes such as spend, customer since, user ID, etc.) into Hotjar, and use it across your account for more advanced targeting and/or more granular filtering and segmentation—which will make it faster for you to find insights from the customer segments you’re interested in.

Actions such as ‘reviewing Hotjar Recordings to analyze the behavior of users on your product landing pages who made a purchase in the last 7 days, having arrived from a specific social campaign’ or ‘showing a Hotjar Survey to non-paying customers from the UK’ will now become possible in Hotjar.

The Identify API is disabled by default, making it easy to avoid accidentally capturing personal information until you have handled privacy concerns appropriately. For more details, read our technical documentation.

Protecting end-user privacy with an acceptable use policy and a DPA

We are aware that an API like this one can still be used in unintended ways. And since safeguarding privacy is a moral and ethical priority for our team, and will always remain so, we will limit usage to customers on our business plan who agree to a Data Processing Agreement (DPA) before being allowed to use the Identify API.

We also have clear guidelines in place for our acceptable use policy, which continues to state that all data collected and processed with Hotjar must solely be used by the site or app owner and not shared with third parties, unless explicit consent has been received from all data parties.

🔥 As a Hotjar user, it’s important that you understand your responsibilities as a Data Controller when it comes to processing personal data. Read more about processing personal data in Hotjar here.

Our continued commitment to privacy

As the leading and most popular platform on the market, used on over 500,000 websites in 180+ countries, we believe we don’t just have a responsibility to give our users and customers the tools they need to create better user experiences—we also have the responsibility to offer tools and methods to safeguard data so that trust between website owners, prospects, and customers can be assured and maintained.

After the rollout of our API Identify function, Hotjar will still be committed to maintaining the same level of user anonymization by default, honoring Do Not Track (DNT) headers, and allowing people to opt out of being tracked.

We intend to keep developing Hotjar in line with our commitment to privacy and the needs of our customers. While the changes I outlined above are another step in the right direction, we know there is more that can be done: during 2020, we will be giving updates on progress made as well as announcing the next planned milestones.

As usual, we welcome your feedback. You can reach out to the Hotjar team with queries and questions on [email protected], or contact us on [email protected] for legal requests and suggestions.