Hotjar’s approach to privacy
Editor's note: this blog post is no longer being updated. Please read about our current approach to privacy here.
In 2005, after spending 5 years in Law school, I submitted my legal doctorate thesis entitled ‘Privacy and Electronic communications’. Little did I know that this experience would deeply impact the decisions my team and I took when building Hotjar (the business and the product) nine years later.
Today we are proud to say that, since launching in 2014, we have taken important decisions that prove our commitment to Privacy, and we’ll continue to do so over the coming years. Our privacy track record is not tied to just legal requirements (such as the upcoming General Data Protection Regulation or ‘GDPR’). We believe we have a moral and ethical obligation to safeguard privacy. Being one of the most popular analytics and feedback tools on the market means we are not only responsible towards the thousands of sites that use Hotjar to better understand their users and improve the overall experience – but also to the millions of visitors that use these sites.
And because privacy and transparency are both important to us at Hotjar, we want to publicly share:
A. How Hotjar is different in our approach to privacy
1. A vision focused on overall experience – NOT specific users
Our vision at Hotjar is to ‘change the way digital experiences are built and improved’ by empowering teams to better understand their users and customers.
We are building a solution that teams can use to truly understand how a site or app is being used and more importantly why. Hotjar is NOT designed to show how a specific and identifiable person is using the site or app. The difference between these approaches is huge. While most of our competitors allow you to tag, identify and search for specific users, with Hotjar we allow our customers to understand their visitors’ experience and identify common issues and opportunities without making individual users identifiable.
To achieve this we do not believe our customers need to know who a specific individual is and what they are doing. To get actionable insights, it is enough to look at how people use a website or app as a whole.
2. Privacy by product design
In 2014 we planned and designed the Hotjar beta. Even at this stage it was already very clear that privacy was important to us. We did not want to collect data constantly – from every page and every user. The disruptive side of Hotjar was the fact that anonymous qualitative insights could be captured at a fraction of the price by getting insights ‘on demand’. In Hotjar speak we call these time-based reports ‘snapshots’.
Changed a page on your site? Get a new heatmap snapshot to understand how it’s being used. Changed the onboarding flow? Get a session replay snapshot of 100 visitors using it to understand how behavior has been impacted.
Shortly after launching Hotjar commercially (post-beta), we chose to respect the Do Not Track (DNT) header in browsers even though no other tools were doing so. In 2016 we also created an ‘opt-out’ page while continuing to support browsers’ DNT header. This means that anyone can visit the Hotjar site and click on a link in order to no longer be tracked anonymously. Given the way Hotjar is designed to work, we do not see this as an issue as we’re interested in ‘anonymized qualitative insights’ – which means the worst case scenario would be that collecting data would take a little longer.
We also chose to never show full or partial user IP addresses of site visitors anywhere within the Hotjar interface. Additionally, we anonymize all IP addresses stored in our database by removing the last octet.
Hotjar also allows its users to anonymize data in recordings by tagging HTML elements and form fields within pages. In such cases, the data is suppressed client-side (in the visitor’s browser), which means it never reaches our servers.
3. We’ve followed through – even when it hurt our business.
Building Hotjar in this way was not an easy decision. It’s very common that we receive requests to collect identifiable data about users. For this reason we do sometimes lose customers to other providers. Equally we’ve also said no to partnerships and integrations that don't align with our approach to privacy.
At times it’s been difficult to explain this – even to our own team. However, looking at where we stand today, we’re glad we always took the privacy high road.
B. Upcoming changes to Hotjar
While we feel we’ve made the right decisions to date, there’s still a lot we can improve on. For this reason, we’ll be making some changes over the coming months that further deepen our commitment to privacy.
1. Capturing and replaying keystroke data
Keystrokes occur when a site visitor types data into a field on a page. There has been some debate around the risks of capturing keystroke data for the purpose of session replay recordings. Rather than debate the details and level of risk, we feel some valid concerns have been brought forward and we welcome this as an opportunity for improvement.
Firstly, as of Tuesday the 28th November 2017, Hotjar recordings of sessions that originally loaded over HTTPS (an encrypted and secure web protocol) are now replayed within Hotjar over HTTPS.
Secondly, on the 12th of December we will also be making several changes to the way keystroke data can be collected and displayed in recordings:
- As a means of safeguarding your user data we will no longer automatically collect keystroke data from fields in recordings. If you have a specific need to visualize the actual characters being typed within a field, you will be required to proactively ‘whitelist’ these fields by adding an attribute in your site’s HTML code.
NOTE: Since this change will affect all sites currently using Hotjar, you will be required to add these attributes ahead of the 12th of December if you want to avoid the interruption of data collection.
- As a fail-safe precaution, we will restrict keystroke data collection on certain field types even if they are whitelisted. While Hotjar already has restrictions in place for password and credit card number fields, we are extending this to include more field types. Hotjar will also detect any potentially sensitive data entered into whitelisted fields and suppress that data (characters are shown with asterisks ‘*’ instead). We’ve included more details on this specific change in our documentation.
- For all new sites set up in Hotjar we will be changing the default setting for recordings so that keystroke data will not be recorded. The new default will suppress all keystroke data within the visitor’s browser so that none of this data is sent to Hotjar. Instead, in Hotjar recordings you will see characters replaced with asterisks ‘*’. By changing this default setting we eliminate the risk of this data being collected in error and when it’s not really required.
- Only users with admin access to the site’s organization in Hotjar will be able to enable the capturing of keystroke data. This change allows organizations to limit the decision to collect keystroke data to specific individuals.
All the changes listed above are designed with your users’ privacy in mind. They will reduce the risk of potentially collecting and replaying personal user input data.
2. Anonymization of heatmaps and recordings (session replay)
- Automatically detect content within the HTML of the page that is considered to be personal or sensitive. This includes email addresses, credit card numbers and any sequence of multiple digits.
- Extend manual tagging of elements so data suppression also works on images in recordings and heatmaps.
- Give Hotjar users the ability to launch ‘point and click functionality’ making it easier to suppress data collection of specific elements.
More details about these changes will be announced over the coming weeks.
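The suppression rules described in sections A.2, B.1 and B.2 above, written out as an added JavaScript example (not Hotjar’s own tracking code): a whitelist attribute that opts a field in, field types that are never recorded, content-based detection of email addresses, card numbers and digit runs, and the last-octet IP anonymization. The attribute name data-hj-whitelist, the extra suppressed field type and the sample values are assumptions for illustration.

```javascript
// Added example, not Hotjar's code: attribute name, extra field types and sample values are assumed
const WHITELIST_ATTR = 'data-hj-whitelist'; // assumed name of the opt-in attribute
// Never recorded even when whitelisted: password and card-number fields per the post; 'cc-csc' is an assumed extra
const ALWAYS_SUPPRESSED = new Set(['password', 'cc-number', 'cc-csc']);
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const DIGIT_RUN_RE = /\d{2,}/; // "any sequence of multiple digits"

// Luhn checksum, used to tell a card number apart from an ordinary digit run
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Why a value is treated as sensitive: 'email', 'card', 'digits', or null when it is not
function sensitiveReason(value) {
  if (EMAIL_RE.test(value)) return 'email';
  const stripped = value.replace(/[\s-]/g, '');
  if (/^\d{13,19}$/.test(stripped) && luhnValid(stripped)) return 'card';
  if (DIGIT_RUN_RE.test(value)) return 'digits';
  return null;
}

// Same length as the input so replay shows that a field was typed into, but no content
function mask(value) { return '*'.repeat(value.length); }

// What a recording may carry for one field. field = { type, attrs, value };
// keystrokesEnabled is the organisation-level setting that only admins can turn on.
function keystrokeValue(field, keystrokesEnabled) {
  if (!keystrokesEnabled) return mask(field.value);                    // new default: nothing sent
  if (!(WHITELIST_ATTR in field.attrs)) return mask(field.value);      // field not opted in
  if (ALWAYS_SUPPRESSED.has(field.type)) return mask(field.value);     // fail-safe on field type
  if (sensitiveReason(field.value) !== null) return mask(field.value); // content-based check
  return field.value;
}

// Storage-side anonymization: drop the last octet (zeroed here, an assumed representation)
function anonymizeIPv4(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error('expected a dotted-quad IPv4 address');
  return parts.slice(0, 3).join('.') + '.0';
}
```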
3. Compliance with GDPR
We recently announced and shared Hotjar’s GDPR compliance roadmap. We are fully committed to being compliant by May 2018.
Given our legacy of prioritizing privacy we welcome GDPR and see it as an opportunity to stand out in our commitment to the protection of privacy through the protection of user and customer personal data.
Our internal legal and operations staff continue to work with authorities and legal advisors in Malta and Germany to ensure compliance. If you have any questions about this topic, please don't hesitate to contact us at firstname.lastname@example.org.
‘How Hotjar is preparing for GDPR’ – a video message by Hotjar co-founder and Director of Product & Engineering Marc von Brockdorff
4. Privacy and security team
In just 3 years the Hotjar team has grown from 5 to more than 50 team members. As our team continues to grow, we want to ensure the decisions we take are always in line with our commitment to privacy and data protection. For this reason, early in 2018 we will be building a multi-disciplinary internal data protection and security team responsible for ensuring that we remain committed to our beliefs by setting and monitoring policies.
We have appointed an internal data protection officer and will also be hiring a dedicated security officer in Q2 2018.
We are committed to constantly developing our product in line with our commitment to privacy! While the changes I outlined above are a step in the right direction, we know there is more that can be done to act further on our commitment to the privacy and protection of user data. During 2018 we will be giving updates on progress made as well as announce the next planned milestones.
As usual we welcome your blunt and direct feedback. You can reach out to the Hotjar team with queries and questions on email@example.com or for legal requests and suggestions contact us on firstname.lastname@example.org.
Dr. David Darmanin
Hotjar CEO and Founder