The Short Answer: Is Hotjar Illegal?

Hotjar is not illegal. It is a legitimate, widely used UX research tool trusted by over 1.3 million websites. There is no law that bans session replay software outright. Hotjar itself has not been sued, is not under any enforcement action, and operates a legal business.

But here's the distinction that's generating thousands of lawsuits: the way most websites deploy Hotjar is illegal under California law.

The California Invasion of Privacy Act (CIPA) prohibits the interception of communications without prior consent. When Hotjar fires on a visitor's page load — before any consent banner is acknowledged — it immediately begins transmitting that visitor's keystrokes, mouse movements, clicks, and page interactions to Hotjar's servers. Under CIPA's Section 631, that transmission to a third-party server, without the visitor's prior knowledge and agreement, is what courts have treated as illegal wiretapping.

⚖️ The Legal Distinction
Hotjar the product: Legal.

Hotjar loading on page load before consent: Potential CIPA violation — $5,000 per affected California visitor.

Hotjar loading only after a visitor clicks Accept on a compliant consent banner: Legal.

The lawsuits are filed against website operators — businesses like yours — not against Hotjar the company. You installed the tool. You are the one who chose to let it fire before consent. That's why you're the defendant.

How CIPA Applies to Session Replay Tools

To understand the legal theory, you need to understand what Hotjar actually does at a technical level — because the lawsuit logic follows directly from the technical mechanics.

What happens when Hotjar fires

When a visitor lands on a page with Hotjar's tracking script installed, several things happen immediately and simultaneously:

  1. The Hotjar script initialises in the visitor's browser
  2. It begins capturing mouse movements, clicks, scroll depth, and keystrokes — including text typed into form fields
  3. This data is transmitted in real time to Hotjar's servers — a third party that is neither the visitor nor you
  4. Hotjar reconstructs this data into a replayable video of the visitor's session

Step 3 is where CIPA exposure arises. The data doesn't sit on your servers — it goes directly to Hotjar's. Under CIPA Section 631's "third-party eavesdropper" theory, you have allowed a third party to intercept your visitor's communications while they are in transit. California is a two-party consent state — both parties to a communication must consent to recording. Your visitor did not.

⚠️ The Form Field Problem
By default, Hotjar captures keystrokes across all input fields — including text boxes where visitors type sensitive information like names, email addresses, passwords, and medical symptoms. Even if Hotjar is configured to suppress certain fields, the fact that it could capture that data, and that the visitor had no knowledge of it, is the core of the CIPA claim. Courts have found this particularly egregious on healthcare, financial, and e-commerce sites.

Why "I have a privacy policy" isn't enough

The most common misconception website owners have is that mentioning Hotjar in their privacy policy satisfies CIPA. It doesn't — and multiple courts have said so explicitly.

CIPA requires prior consent, not passive disclosure. Prior consent means the visitor knew, before any interception occurred, and actively agreed to it. A privacy policy link in your footer — however detailed — does not constitute active, prior, knowing consent. Courts have found that visitors cannot meaningfully consent to something buried in a policy document they never read, written in legal language they don't understand, describing a data practice they had no reason to anticipate.

The Actual Cases: What Courts Have Decided

The honest answer on Hotjar CIPA litigation is that the case law is genuinely split. Defendants have won. Plaintiffs have won. The outcome depends heavily on how the tool was deployed, what the specific consent setup looked like, and which court and judge the case lands in front of.

Here is the real picture from the most significant decisions:

Torres v. Prudential Financial, Inc.
N.D. Cal. — April 2025
Defendant Win
The court granted summary judgment in favour of the defendant, concluding that session replay software does not satisfy CIPA Section 631's "in transit" requirement. The reasoning: user click, keystroke, and mouse movement data only becomes readable after transmission, once the software has stored and reassembled it — not during the transmission itself. Therefore, the data was not "intercepted in transit" within the statute's meaning.
Takeaway for website owners: This is the strongest defendant-side precedent. But it's one district court decision — not binding nationally, and other judges have ruled differently.
Licea v. Caraway Home Inc.
C.D. Cal. — 2023–2024
Plaintiff Survived Dismissal
One of the most-cited session replay cases. Scott Ferrell of Pacific Trial Attorneys filed on behalf of a visitor who alleged that Caraway's use of session replay software violated CIPA by capturing and recording website interactions without consent. The court allowed the case to proceed, rejecting the defendant's motion to dismiss. The case is a direct template for how plaintiff firms construct Hotjar-style CIPA claims.
Takeaway for website owners: This is the case that plaintiff firms cite in demand letters. The key factor that distinguished it was the absence of any meaningful prior consent mechanism.
Williams v. DDR Media, LLC
N.D. Cal. — November 2024
Defendant Win
The court granted summary judgment to DDR Media after finding that the plaintiff failed to establish the session replay vendor could read the captured data "in transit." The decision reinforced the argument that session replay data reconstruction happens after transmission, not during it — consistent with Torres v. Prudential.
Takeaway for website owners: Two Northern District California decisions now support the "not in transit" defence. But this defence is fact-dependent and requires expensive litigation to assert.
Saleh v. Nike
C.D. Cal. — 2023
Plaintiff Survived Dismissal
CIPA claims against Nike for use of session replay tools survived a motion to dismiss. The court found the plaintiff had adequately alleged that the recording of keystrokes and mouse movements constituted interception of confidential communications under Section 631.
Takeaway for website owners: Even large brands with sophisticated legal teams couldn't get the case dismissed at pleading stage. The cost of defending to this point alone runs into six figures.
📊 The Real Pattern
Courts are split on whether session replay data is intercepted "in transit." But the split doesn't help you as much as you might think. Even defendants who ultimately won spent significant legal fees reaching that outcome. And the split means plaintiffs can keep filing — the next judge might rule differently. Prevention is far cheaper than winning.
Free Scan · No Account Required

Is Hotjar firing on your site before consent?

Scan your website in 10 seconds. We detect exactly when Hotjar, FullStory, Clarity and other session replay tools fire relative to your consent banner — and tell you if you have exposure.

Scan My Website Free → No sign-up required. Results in seconds.

Who Is Filing These Lawsuits — and How They Find You

Understanding who is behind CIPA session replay litigation matters because it changes how you think about risk. This isn't random government enforcement. It's a small number of highly organised plaintiff law firms running a volume-based business model.

3
Primary plaintiff firms account for the vast majority of CIPA session replay demand letters: Pacific Trial Attorneys (Scott J. Ferrell), Swigart Law Group, and Kind Law. These firms operate automated detection pipelines — they don't manually browse websites looking for Hotjar.

How they detect you: automated scanning

The detection method is entirely automated and surprisingly simple. Plaintiff firms use services like BuiltWith to pull lists of every website running Hotjar, FullStory, or Microsoft Clarity. BuiltWith tracks technology installations across millions of websites — it's the same service we recommend for your outbound prospecting.

Once they have the list, their process looks like this:

  1. Automated browser visits the target website with no cookies set
  2. Script checks whether Hotjar fires on page load — before any banner interaction
  3. If it does, the network request to Hotjar's servers is logged as evidence of pre-consent interception
  4. A demand letter is generated and sent to the website operator

The entire process from detection to demand letter can take days. By the time you receive the letter, they already have timestamped technical evidence of the violation. Roughly 80% of targets settle at the demand letter stage — typically for $10,000 to $75,000 — rather than face the cost and uncertainty of litigation. This is what makes the model so profitable.

🚨 You May Already Be on a List
If your website has had Hotjar or another session replay tool installed without a blocking consent mechanism at any point, and you have California traffic, your domain may already exist in a plaintiff firm's database. The demand letter may simply not have arrived yet. This is not hypothetical — Jackson Walker attorneys report receiving new CIPA inquiry calls weekly from businesses that have received demand letters.

Section 631 vs Section 638.51: The Two Legal Theories

In 2025 and 2026, plaintiff firms evolved their legal strategy in a way that makes CIPA cases significantly harder to defend. Where earlier cases relied solely on Section 631 (wiretapping), plaintiffs now routinely stack a second claim under Section 638.51 (pen registers).

Feature Section 631 — Wiretapping Section 638.51 — Pen Register
What it covers Content of communications — keystrokes, typed text, mouse movements Metadata — IP addresses, routing info, device identifiers
Applied to Hotjar Recording of what a visitor types and does on your page Capturing visitor IP and device data sent to Hotjar servers
Key defence Data not intercepted "in transit" (Torres, Williams) Courts split on whether IP addresses are "outgoing communications"
Current trend Defendants winning more on this theory in NorCal federal courts Plaintiffs pivoting heavily to this after 631 dismissals
Damages $5,000 per violation $5,000 per violation

The strategic value of stacking both claims is clear: even if a court dismisses the Section 631 claim on the "not in transit" theory, the Section 638.51 pen register claim may survive — keeping the case alive and settlement pressure high. Camplisson v. Adidas (November 2025) established that tracking pixels can qualify as pen register devices under Section 638.51, extending the same theory to session replay tools.

How to Use Hotjar Legally in 2026

Hotjar is a genuinely useful tool and you don't need to remove it. What you need is a compliant implementation. Here's the exact setup required:

1

Block Hotjar from firing on page load

Your consent management platform must technically prevent Hotjar's script from executing until consent is obtained. This is not a delay — the script must not load at all. Most standard tag managers can do this if configured correctly, but many default setups fire all tags immediately. Verify your implementation fires Hotjar only after a consent event is triggered.

2

Name Hotjar specifically in your consent disclosure

Your consent banner must identify Hotjar by name in the disclosure the visitor sees before clicking Accept. Vague references to "analytics tools" or "third-party services" are insufficient. Courts have found that consent to unspecified third parties is not meaningful prior consent under CIPA.

3

Log every consent event with a timestamp

If you ever receive a CIPA demand letter, your primary defence is proof that the plaintiff consented before Hotjar fired. You need a consent log: a timestamped, visitor-linked record showing when each user consented, what they consented to, and which version of the disclosure they saw. Without this log, you cannot assert the consent defence.

4

Never run Hotjar on checkout or sensitive pages

Even with consent obtained, avoid running session replay on checkout flows, account creation pages, medical intake forms, and any page where visitors enter sensitive personal data. The risk-to-value ratio is poor, and form field data captured by session replay on these pages creates significant additional exposure under CMIA and other statutes beyond CIPA.

5

Configure Hotjar's own privacy settings

Within Hotjar's settings, enable automatic masking of all input fields and suppress recording on sensitive page patterns. This is not a substitute for consent-gating — it's an additional layer. Hotjar's own documentation recommends masking input fields; courts look unfavourably on operators who didn't take even the basic in-tool precautions.

✅ The Compliant Setup in Plain English
Visitor lands on your site → Hotjar is blocked → Consent banner appears, naming Hotjar → Visitor clicks Accept → Hotjar loads and begins recording → Consent event is logged with timestamp and disclosure version. That's it. That sequence is defensible under CIPA.

Frequently Asked Questions

Hotjar is not illegal — but deploying it without prior visitor consent is a potential CIPA violation. CIPA Section 631 prohibits the interception of communications without prior consent from all parties. When Hotjar fires before a visitor has consented, it transmits that visitor's keystrokes and interactions to a third-party server without their knowledge. That is what courts have treated as illegal wiretapping — not the tool itself, but the pre-consent deployment. The fix is a consent management platform that blocks Hotjar from loading until consent is obtained.

CIPA lawsuits are filed against the website operators who deploy Hotjar — not against Hotjar the company. Hotjar is the tool; you are the operator who chose to deploy it without consent. Cases like Licea v. Caraway Home Inc. and Saleh v. Nike targeted the website operator for using session replay software without a compliant consent implementation. Hotjar the business operates legally and is not an enforcement target.

No — courts have repeatedly and explicitly rejected this argument. A privacy policy, even one that names Hotjar, does not constitute prior consent under CIPA. CIPA requires affirmative, knowing consent before interception occurs. That means the visitor must actively agree before Hotjar fires. A passive disclosure buried in a privacy policy the visitor never read does not meet this standard. You need a consent management platform that technically blocks Hotjar until the visitor clicks Accept on a properly disclosed consent interface.

Section 631 targets the interception of communication content — the keystrokes, typed text, and mouse movements Hotjar captures. Some courts have dismissed Section 631 claims on the theory that session replay data is not intercepted "in transit" (Torres v. Prudential, April 2025). Section 638.51 targets pen register devices — tools that capture routing metadata like IP addresses. Plaintiff firms now routinely stack both claims. Even if Section 631 is dismissed, the Section 638.51 claim may survive, keeping settlement pressure alive. Camplisson v. Adidas (November 2025) extended the pen register theory to tracking pixels, reinforcing its viability against session replay tools.

Do not ignore it and do not respond directly without legal counsel. These letters assert $5,000 per affected visitor and are legally serious documents. Your immediate steps: (1) Hire a California privacy attorney — preferably one with CIPA litigation experience — before responding; (2) Preserve all technical records showing your consent setup at the time of the alleged violation; (3) Gather any consent logs you have; (4) Do not disable or change your Hotjar implementation in ways that could look like evidence destruction; (5) Assess your California traffic volume during the period in question, as this affects aggregate exposure. Most cases settle — how you respond in the first two weeks significantly affects the settlement amount.

Yes. CIPA's jurisdiction is based on the location of your visitors, not the location of your business. If California residents visit your website — and for any website with meaningful U.S. traffic, they almost certainly do — you have CIPA exposure. Businesses based in New York, Texas, the UK, and elsewhere have all received CIPA demand letters and faced litigation. With approximately 39 million California residents representing 12% of the U.S. population, CIPA is effectively a national compliance requirement for any U.S.-facing website.

The Bottom Line on Hotjar and CIPA

Hotjar is not your enemy. The lawsuit risk is not about the tool — it's about the millisecond it fires relative to your visitor's consent. The case law is split, defendants have won, and the legal landscape is genuinely evolving. But "you might win in court" is a poor risk management strategy when the fix takes under 10 minutes.

A consent management platform that blocks Hotjar until prior consent is obtained, names it specifically in the disclosure, and logs every consent event with a timestamp is all you need. That implementation is defensible. The demand letter goes nowhere. And you still get all the UX data Hotjar provides — just from consenting users, which is arguably better data anyway.

The question isn't whether to use Hotjar. The question is whether you've built the 10 minutes of infrastructure that makes using it legal.

ConsentPixel — Privacy · Verified

Make Hotjar compliant in under 10 minutes

ConsentPixel — Privacy · Verified blocks session replay tools until consent is obtained, logs every consent event with a timestamp, and keeps Hotjar working for consenting visitors. One script tag. No developer required.

Start Free Trial — No Card Required → 14-day free trial · Works with Hotjar, FullStory, Clarity, and 40+ tools