ConsentPixel – Privacy · Verified


Microsoft Clarity and CIPA: What You Need to Know Before Installing It

CIPA Compliance for Websites: The Complete 2026 Guide

Microsoft Clarity is free, powerful, and installed on hundreds of thousands of websites. It is also a session-replay tool that records every keystroke, click, and scroll your visitors make — and transmits that data to Microsoft's servers in real time. Here is exactly what that means for your CIPA exposure in 2026.

  • $5,000: statutory damages per California visitor under CIPA; no proof of harm required
  • Nov 2025: Camplisson v. Adidas named Microsoft trackers as potential CIPA violations
  • 1,500+: CIPA lawsuits filed in the 18 months to Aug 2025; SB 690 stalled until 2027

Microsoft Clarity is one of the most widely installed tools on the web. It is free, has no data limits, and gives you heatmaps and session recordings that rival paid tools like Hotjar. That combination — zero cost, high value — has made it a default install for developers and marketers who want UX insights without a budget line.

What most of those installs have in common is that nobody asked a lawyer first. And in the current CIPA litigation environment, that matters.

This article is not here to tell you to uninstall Clarity. It is here to help you understand exactly what Clarity does, what the current case law says about tools like it, what your actual risk profile looks like, and what you need to do to use it without creating liability.

What Microsoft Clarity Actually Collects

Understanding the CIPA risk requires understanding what Clarity records — not at a marketing summary level, but technically. When Clarity loads on a page, a JavaScript snippet embeds in the visitor's browser and begins transmitting data to Microsoft's servers. Depending on your configuration, that data stream includes:

  • Mouse movements — every cursor position change, continuously tracked
  • Clicks and taps — element, coordinates, timestamp
  • Scroll depth and direction
  • Keystrokes — what the user types into form fields (sensitive fields are masked by default, but the masking level is configurable)
  • Page navigation — URLs visited, time on page, navigation sequence
  • Rage clicks and dead clicks — behavioural signals Clarity detects and flags
  • Device and browser data — operating system, browser version, viewport size, IP address
  • Full session replays — the complete recorded session, playable from Clarity's dashboard

This data is transmitted in real time to clarity.ms — a Microsoft-controlled server — and is stored and made accessible through the Clarity dashboard. The words "real time" are important: the transmission happens as the visitor interacts with the page, not as a batch export at session end.

⚠️
Clarity's default masking does not cover everything. Clarity masks passwords and payment card fields by default (Masking Level 2). But at default settings it still captures other form inputs — email addresses, names, phone numbers, search queries — unless you explicitly set Masking Level 1 (mask everything). Most installs use the default. Most installs are therefore recording personally identifiable information even without the operator knowing.

How CIPA Applies to Session-Replay Tools

California's Invasion of Privacy Act was written in 1967 to protect people from telephone wiretapping. Over the last four years, plaintiff firms have systematically applied it to website tracking technologies — arguing that intercepting a visitor's browser communications in real time is the digital equivalent of wiretapping a phone call.

There are two distinct CIPA theories being used against session-replay tools, and it is important to understand both because they have different implications and different defences.

Theory 1 — Section 631 (Wiretapping)

Section 631 prohibits intentionally tapping or intercepting a wire communication without the consent of all parties. Applied to Clarity, plaintiffs argue that the script intercepts the visitor's "communication" with the website — their keystrokes, clicks, and form inputs — in real time and transmits it to a third party (Microsoft) without the visitor's knowledge or consent. The "third party" element is what makes this theory bite website operators: you cannot eavesdrop on your own conversation, but you can potentially be held liable for letting a third-party vendor eavesdrop on it.

Theory 2 — Section 638.51 (Pen Register)

Section 638.51 prohibits using a "pen register" — a device that captures outgoing addressing information — without a court order or user consent. Applied to tracking tools, plaintiffs argue that Clarity (and pixels like Microsoft Bing, Meta Pixel, TikTok) functions as a pen register by capturing the IP addresses, device identifiers, and URL sequences that constitute the "addressing" layer of a visitor's browser communications.

🚫
The pen register theory is gaining traction — and survived in Camplisson v. Adidas. The November 2025 ruling in Camplisson v. Adidas Am., Inc. (S.D. Cal., 2025 WL 3228949) refused to dismiss CIPA pen register claims against Adidas for using TikTok Pixel and Microsoft Bing trackers on its website. The court found the allegations plausible — that the trackers captured IP addresses, browser identifiers, and other addressing information without consent. This is the first significant ruling that names Microsoft tracking tools explicitly. Clarity is not identical to Bing tracking, but it collects substantially more data than a pixel does.

The Case Law: What Courts Have Actually Decided

The honest picture on CIPA and session-replay is that courts are genuinely split. Some cases have been dismissed. Others have survived through trial. The litigation is active, the outcomes are inconsistent, and no definitive ruling specifically covers Microsoft Clarity. Here is the relevant case landscape as of mid-2026:

Plaintiff Win

Camplisson v. Adidas Am., Inc. — S.D. Cal., Nov. 2025

Motion to dismiss denied. Court found that TikTok Pixel and Microsoft Bing trackers plausibly qualify as pen registers under CIPA §638.51. The ruling explicitly names Microsoft tools as potentially within scope — the most directly relevant precedent for Clarity users. Case proceeds to discovery.

Defendant Win

Popa v. Microsoft (Pet Supplies Plus) — 9th Circuit, 2025

Ninth Circuit affirmed dismissal of CIPA claims involving Microsoft Clarity specifically. Court found the complaint failed to plausibly allege harm or that Clarity's data capture constituted an interception of a "communication" as defined by the statute. An important defendant-side ruling — but on narrow grounds that leave the §638.51 pen register theory unresolved.

Defendant Win

Torres v. Prudential Financial — N.D. Cal., Apr. 2025

Summary judgment granted for defendant. Court held that session-replay data does not satisfy CIPA §631's real-time interception requirement because data becomes readable only after transmission when it has been stored and reassembled — not "in transit." A useful defence precedent for the §631 wiretap theory, but does not address §638.51 pen register claims.

Plaintiff Win

Saleh v. Nike — C.D. Cal., 2024

Motion to dismiss denied for session-replay CIPA claims. Court held that allegations of real-time keystroke and form-field capture by a third-party vendor were sufficient to survive dismissal. The ruling helped establish that the "aiding and abetting" theory — website operator enabling a third-party tool to intercept communications — is a viable path to trial.

Defendant Win

Augustine v. Great Wolf Resorts — S.D. Cal., July 2024

Court dismissed CIPA claims, holding that keystrokes, mouse clicks, pages viewed, and IP addresses are not "message content" in the way words of a text or email are — and therefore do not constitute intercepted communications under CIPA §631. Consistent with the earlier Yoon v. Lululemon (C.D. Cal., 2021) ruling on the same point.

Still Active

In re Zillow Group Session Replay Litigation — W.D. Wash.

Class action alleging Zillow and Microsoft engaged in illegal wiretapping via session-replay software (Microsoft Clarity) under CIPA and the Missouri Wiretap Act. Ongoing. The direct naming of Microsoft as a co-defendant is notable — it puts Clarity's data practices squarely at issue in active federal litigation.

💡
What the split means for you. Courts disagree on whether the §631 wiretap theory applies to session-replay. The §638.51 pen register theory is newer, less tested, and — as Camplisson shows — surviving motions to dismiss more consistently. The practical implication: you cannot rely on defendant-side wins to protect you. The litigation is active, the cost to defend is high regardless of outcome, and plaintiff firms are filing at industrial scale using automated scanners that flag pre-consent script fires.

Your Real-World Risk Assessment

The question that matters for most website operators is not "could I theoretically face a lawsuit?" — the answer to that is clearly yes. The question is "what is my actual risk profile?" That depends on three factors specific to your site.

Risk factor                 | Lower risk                                        | Higher risk
California traffic volume   | Minimal California visitors                       | High CA traffic — plaintiff firms scan high-traffic sites first
Pages where Clarity runs    | Marketing/blog pages only                         | Checkout, login, or account pages — form input capture is highest-risk
Consent mechanism in place  | Clarity blocked until explicit consent granted    | Clarity fires on page load before the consent banner is interacted with
Masking configuration       | Masking Level 1 (all text masked)                 | Default or Level 3 — form field data captured
Privacy policy disclosure   | Clarity named explicitly with Microsoft as recipient | Generic "we use analytics tools" language only
SB 690 status               | Applies to both profiles: stalled — no legislative relief until 2027 at the earliest. Current law applies now.

The highest-risk profile is a site with California traffic running Clarity on checkout or account pages, loading the script before consent is established, with default masking settings. That is also the most common profile — because most Clarity installs are done without any of these considerations in mind.

The lowest-risk profile is a site where Clarity is consent-gated (does not load until the visitor explicitly accepts analytics tracking), never runs on checkout or logged-in pages, uses Level 1 masking, and discloses Clarity specifically in its privacy policy and consent banner. In that configuration, your exposure is genuinely low — you have the same consent defence that succeeded in multiple 2024 and 2025 dismissals.

Is Clarity firing before consent on your site?

ConsentPixel — Privacy · Verified scans your site the way a CIPA plaintiff firm would — fresh session, no cache — and shows you exactly which scripts fire before any consent is given.


How to Use Microsoft Clarity Without CIPA Exposure

You do not need to uninstall Clarity. You need to install it correctly. The four-part approach below brings your Clarity deployment from high-risk to defensible — and each step has direct support in the case law that has favoured defendants.

1. Consent-gate Clarity — block it until explicit consent is given

This is the most important step and the one most Clarity installs skip entirely. Clarity must not load until the visitor has actively accepted analytics or session-replay tracking from your consent banner. The Clarity script tag should be registered with your consent management platform as a controlled analytics script. When a visitor declines or has not yet interacted with the banner, Clarity should not fire a single event. This directly addresses the pre-consent firing that plaintiff firms' automated scanners flag.

2. Never run Clarity on checkout, payment, or logged-in pages

Even with consent in place, running session-replay on pages where visitors enter payment details, shipping addresses, or account credentials is the highest-risk configuration. Exclude these pages from Clarity's capture scope using Clarity's URL exclusion settings. The sensitivity of data on these pages strengthens any plaintiff's argument for a reasonable expectation of privacy — and is specifically called out in CIPA litigation strategy by plaintiff firms like Kind Law and Swigart Law Group.

3. Set Clarity to Masking Level 1 — mask all user text

In your Clarity project settings under Masking, set the level to Strict (Mask All). This prevents Clarity from capturing any text a user types into any field. You lose some granularity in form interaction data, but you eliminate the keystroke and form-field capture that forms the core of most CIPA §631 wiretapping allegations. Heatmaps and click maps remain fully functional under any masking level.

4. Disclose Clarity specifically in your privacy policy and consent banner

Your consent banner's analytics category description should name Microsoft Clarity explicitly and state that it records session interactions. Your privacy policy should name Microsoft as a third-party data recipient with a link to Microsoft's own privacy documentation. Generic language ("we use analytics tools to improve user experience") has not reliably supported consent defences at the motion to dismiss stage. Specific disclosure — combined with a consent banner that technically blocks the script — is the combination that has succeeded.

💡
Consent banner alone is not enough — the script must be technically blocked. Courts and plaintiff firms distinguish between a consent banner that notifies visitors and one that actually prevents data collection. If Clarity fires on page load and your banner appears a second later, the data has already been transmitted to Microsoft before the visitor has seen or interacted with any consent mechanism. A banner that does not technically block script execution is a disclosure notice, not a consent mechanism.
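As an added illustration of steps 1 and 2 and of the "technically blocked" point above (example code, not ConsentPixel's or Microsoft's), the loader below injects the replay tag only after an explicit analytics opt-in and never on excluded paths. It assumes the consent management platform dispatches a `consent-updated` DOM event whose `detail` is `{analytics: true|false}`, that a restored prior choice is exposed as `window.__consentState`, and that the tag is served from `https://www.clarity.ms/tag/<project id>`; the project id and the excluded paths are placeholders.

```javascript
// Added example: consent-gated loader for a session-replay tag. Not ConsentPixel's or
// Microsoft's code. Assumed CMP contract: a "consent-updated" DOM event whose detail is
// {analytics: true|false}; assumed tag URL: https://www.clarity.ms/tag/<project id>.
const CLARITY_PROJECT_ID = "YOUR_PROJECT_ID"; // placeholder, not a real project id
const TAG_ELEMENT_ID = "session-replay-tag";

// Pages the tag must never run on, even with consent (step 2). Placeholder paths.
const EXCLUDED_PATH_PREFIXES = ["/checkout", "/payment", "/login", "/account"];

// Match on whole path segments so "/checkouts" is not treated as "/checkout".
function isExcludedPath(pathname) {
  return EXCLUDED_PATH_PREFIXES.some(
    (prefix) => pathname === prefix || pathname.startsWith(prefix + "/")
  );
}

// Steps 1 and 2 combined: load only after an explicit opt-in, never on excluded pages.
// Anything other than a literal `true` (missing state, null, "pending") is no consent.
function shouldLoadReplay(consent, pathname) {
  if (!consent || consent.analytics !== true) return false;
  return !isExcludedPath(pathname);
}

// Inject the tag exactly once. Returns true when a tag was added, false if already present.
function loadReplayScript(doc, projectId) {
  if (doc.getElementById(TAG_ELEMENT_ID)) return false;
  const script = doc.createElement("script");
  script.id = TAG_ELEMENT_ID;
  script.async = true;
  script.src = "https://www.clarity.ms/tag/" + encodeURIComponent(projectId);
  doc.head.appendChild(script);
  return true;
}

// Wire the gate to the CMP. Nothing is requested from clarity.ms before a decision exists,
// so a scan of a fresh session sees no replay traffic until the visitor opts in.
function installConsentGate(win, doc) {
  const attempt = (consent) => {
    if (shouldLoadReplay(consent, win.location.pathname)) {
      loadReplayScript(doc, CLARITY_PROJECT_ID);
    }
  };
  doc.addEventListener("consent-updated", (event) => attempt(event.detail));
  // Returning visitor whose stored choice the CMP has already restored (assumed location).
  attempt(win.__consentState || null);
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  installConsentGate(window, document);
}
```

The same gate should also be applied to the "Balanced"/"Strict" masking step only in the Clarity project settings, since masking is configured server-side per project and cannot be enforced from the loader.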

Frequently Asked Questions

No court has issued a definitive ruling specifically on Microsoft Clarity and CIPA. However, the November 2025 Camplisson v. Adidas decision explicitly named Microsoft tracking tools as potentially violating CIPA's pen register prohibition — and the same legal theory applies to Clarity's session-replay functionality, which captures substantially more data than a pixel. The Ninth Circuit dismissed a Clarity-specific case in 2025 on narrow grounds, but left the pen register theory unresolved. The risk is real and the law is unsettled. Consent-gating Clarity before it loads is the prudent approach.

Microsoft Clarity records mouse movements, clicks, scrolls, keystrokes, form inputs, page interactions, and full session replays, transmitting this data in real time to Microsoft's servers. The keystroke and form-field capture is most legally exposed — particularly on checkout and account pages. Clarity's default masking (Level 2) protects passwords and payment fields but still captures email addresses, names, and other form inputs unless you set masking to Strict (Level 1).

CIPA provides for statutory damages of $5,000 per violation without requiring proof of actual harm. Plaintiff firms argue that each California visitor whose session was recorded without consent is a separate violation. There is no cap on class size. A site with 10,000 monthly California visitors could theoretically face $50 million in statutory exposure — which is why even uncertain cases generate settlement demands in the $25,000–$150,000 range that are often paid to avoid litigation costs.

A privacy policy mentioning Clarity provides some evidence of notice but is not a reliable standalone defence. CIPA requires consent — specifically, all-party consent to the interception. Courts have dismissed cases where plaintiffs actively interacted with a consent banner before the challenged tracking occurred. But a privacy policy that mentions Clarity buried in legal text, while Clarity fires on every page load before the visitor reads anything, has not consistently provided a defence at the pleading stage.

No. Checkout and logged-in account pages are the highest-risk areas for any session-replay tool. Even with consent in place, capturing form interactions on payment and account pages strengthens a plaintiff's argument for a reasonable expectation of privacy. Best practice is to exclude these pages from Clarity's recording scope using URL exclusions in your Clarity project settings — regardless of your consent setup.

SB 690 was a California bill that would have created a cure period and raised the standard for CIPA claims involving standard web tracking. It stalled in the California legislature in 2025 and will not take effect before 2027 at the earliest — if it passes at all. No legislative safe harbour exists under current law. The filing volume of CIPA claims has not slowed despite mixed judicial outcomes, because the statutory damages structure makes even uncertain cases worth filing for plaintiff firms operating at scale.

The bottom line: free does not mean risk-free

Microsoft Clarity is a genuinely useful tool — and you can use it legally. But it needs to be installed correctly: consent-gated before loading, excluded from checkout and account pages, set to strict masking, and disclosed specifically in your consent banner and privacy policy. Running it out of the box, loading on every page, recording form inputs before consent — that is the configuration plaintiff firms are scanning for.

ConsentPixel — Privacy · Verified blocks Clarity and every other session-replay script until the visitor's consent state is established. One script tag, no plugin, and your CIPA exposure drops to zero for pre-consent firing.

ConsentPixel Research Team
CIPA Litigation & Privacy Compliance Research
The ConsentPixel — Privacy · Verified research team tracks CIPA case filings, court decisions, and emerging plaintiff firm strategies to keep website owners informed. This article reflects publicly available case law and legal commentary as of June 2026 and does not constitute legal advice.